11fb556a84d1a19b16fb4925c62bee03b9723b9846d2e141216d23d1e9ade87e

General

Target

749f97b5c067cd365ca5649147903548.exe
Size

227KB
MD5

749f97b5c067cd365ca5649147903548
SHA1

28ca52a77fe12f9b89c796bdca197a990ba66456
SHA256

11fb556a84d1a19b16fb4925c62bee03b9723b9846d2e141216d23d1e9ade87e
SHA512

88cc6f57f1f3c763ed2226b8af31418433df41eed2b7e2ee55ce3f3e5c2c115f3b29501464488b2bc0cf9acd752d72fd53ec692f5f999c9692c001b9cddace11
SSDEEP

6144:8W9mLSx/E+zUNYjKKZaiiq5LQOWRVQG0MZIriO:8xLAwjwB9NQR6G0aO

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1760	749f97b5c067cd365ca5649147903548.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\help\B41346EFA848.dll	749f97b5c067cd365ca5649147903548.exe
File opened for modification	C:\Windows\help\B41346EFA848.dll	749f97b5c067cd365ca5649147903548.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	749f97b5c067cd365ca5649147903548.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	749f97b5c067cd365ca5649147903548.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	749f97b5c067cd365ca5649147903548.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\B41346EFA848.dll"	749f97b5c067cd365ca5649147903548.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	749f97b5c067cd365ca5649147903548.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	1760	749f97b5c067cd365ca5649147903548.exe
Token: SeRestorePrivilege	1760	749f97b5c067cd365ca5649147903548.exe
Token: SeRestorePrivilege	1760	749f97b5c067cd365ca5649147903548.exe
Token: SeRestorePrivilege	1760	749f97b5c067cd365ca5649147903548.exe
Token: SeRestorePrivilege	1760	749f97b5c067cd365ca5649147903548.exe
Token: SeRestorePrivilege	1760	749f97b5c067cd365ca5649147903548.exe
Token: SeBackupPrivilege	1760	749f97b5c067cd365ca5649147903548.exe
Token: SeRestorePrivilege	1760	749f97b5c067cd365ca5649147903548.exe
Token: SeRestorePrivilege	1760	749f97b5c067cd365ca5649147903548.exe
Token: SeRestorePrivilege	1760	749f97b5c067cd365ca5649147903548.exe
Token: SeRestorePrivilege	1760	749f97b5c067cd365ca5649147903548.exe
Token: SeRestorePrivilege	1760	749f97b5c067cd365ca5649147903548.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1760	749f97b5c067cd365ca5649147903548.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 2828	1760	749f97b5c067cd365ca5649147903548.exe	28
PID 1760 wrote to memory of 2828	1760	749f97b5c067cd365ca5649147903548.exe	28
PID 1760 wrote to memory of 2828	1760	749f97b5c067cd365ca5649147903548.exe	28
PID 1760 wrote to memory of 2828	1760	749f97b5c067cd365ca5649147903548.exe	28
PID 1760 wrote to memory of 2612	1760	749f97b5c067cd365ca5649147903548.exe	30
PID 1760 wrote to memory of 2612	1760	749f97b5c067cd365ca5649147903548.exe	30
PID 1760 wrote to memory of 2612	1760	749f97b5c067cd365ca5649147903548.exe	30
PID 1760 wrote to memory of 2612	1760	749f97b5c067cd365ca5649147903548.exe	30

C:\Users\Admin\AppData\Local\Temp\749f97b5c067cd365ca5649147903548.exe
"C:\Users\Admin\AppData\Local\Temp\749f97b5c067cd365ca5649147903548.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
df7602d4db9a139463cc2ca07d1e02ef

SHA1
0c19b814571f5a48eb5770b65de584b11db7692e

SHA256
391ed5e015dcdb75f575d2c5695e7c30b0705d6a894910a397a734e5550334e9

SHA512
34e98227b3e2b0d3ef358338aa57484be6a8fde8abec9422c2730b66373a9dfaddadff66c2c3d573927f6df377e4a4fafd97f22a0ae020e85db840bc9e45782e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
45e7f6f0eef353d52f8f2f4fe8c46add

SHA1
23ddca7d750e82871982451838d8f1f1dbce6c6d

SHA256
68b508643d02f9feb4a672a782d3f61980f2dcf4724a82012715212220cfe04e

SHA512
bb74e277652db9cef68691d9125412a621a02651bd31c8c88d66b18f10aab823de5324ff3c406e52caae18bc579260f7fa9516e3c3ee6a5234bb400505959b81

Download Submit
\Windows\Help\B41346EFA848.dll

Filesize
158KB

MD5
2dae49047d465b3d5e52fd1cb9aa3d82

SHA1
bcc01b4959559d926556654b4087499dd2fe8bed

SHA256
8b914cfb246dfa1bb8542a593d379844f437ad1688d76a0c113f90c9c4ef7b51

SHA512
2e092a4269647d9882945511fb4ef841ec9f77a71ce4c15f544766b612754522f9fea68f689746fbe02a45d257470a0c7d797202269b4e0fb106f72bf6543e92

Download Submit
memory/1760-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1760-1-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1760-25-0x0000000001E50000-0x0000000001EB5000-memory.dmp

Filesize
404KB

Download
memory/1760-24-0x0000000001E50000-0x0000000001EB5000-memory.dmp

Filesize
404KB

Download
memory/1760-27-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1760-28-0x0000000001E50000-0x0000000001EB5000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing