0dab5e3b613c65728affe639a391f43d70a6b6c0478d9ead961b6c0a3d50501d

General

Target

78c2657e3e0f58ee2f6ab1f7a45a8553.exe
Size

129KB
MD5

78c2657e3e0f58ee2f6ab1f7a45a8553
SHA1

6d12679ba5575f0a10cac63ebc5b9289ce916f99
SHA256

0dab5e3b613c65728affe639a391f43d70a6b6c0478d9ead961b6c0a3d50501d
SHA512

0042abd2936e7e383d859cb9801771cce35fe53ea7a1b13d7ea29f2ed133e12ce419f4489cfec0d51a1f767a407d956da3f6a1aed98c2af9a09bb72fb4701d12
SSDEEP

3072:RnWLrwWa3FZ/SFqxfWIUojutoI0NnnQgEr9GGXp9:RnqrnoSFqMIButoIgurT

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\help\B41346EFA848.dll	78c2657e3e0f58ee2f6ab1f7a45a8553.exe
File opened for modification	C:\Windows\help\B41346EFA848.dll	78c2657e3e0f58ee2f6ab1f7a45a8553.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	78c2657e3e0f58ee2f6ab1f7a45a8553.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	78c2657e3e0f58ee2f6ab1f7a45a8553.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	78c2657e3e0f58ee2f6ab1f7a45a8553.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\B41346EFA848.dll"	78c2657e3e0f58ee2f6ab1f7a45a8553.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	78c2657e3e0f58ee2f6ab1f7a45a8553.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe
Token: SeRestorePrivilege	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe
Token: SeRestorePrivilege	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe
Token: SeRestorePrivilege	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe
Token: SeRestorePrivilege	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe
Token: SeRestorePrivilege	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe
Token: SeBackupPrivilege	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe
Token: SeRestorePrivilege	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe
Token: SeRestorePrivilege	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe
Token: SeRestorePrivilege	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe
Token: SeRestorePrivilege	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe
Token: SeRestorePrivilege	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2364	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe	28
PID 1212 wrote to memory of 2364	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe	28
PID 1212 wrote to memory of 2364	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe	28
PID 1212 wrote to memory of 2364	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe	28
PID 1212 wrote to memory of 2672	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe	30
PID 1212 wrote to memory of 2672	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe	30
PID 1212 wrote to memory of 2672	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe	30
PID 1212 wrote to memory of 2672	1212	78c2657e3e0f58ee2f6ab1f7a45a8553.exe	30

C:\Users\Admin\AppData\Local\Temp\78c2657e3e0f58ee2f6ab1f7a45a8553.exe
"C:\Users\Admin\AppData\Local\Temp\78c2657e3e0f58ee2f6ab1f7a45a8553.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
d2028dcab709b9af82c969a929bf1209

SHA1
1bc7989281e563d9403798141971546c9066257c

SHA256
7192ef3b746882c4372da7c05a76895e6ea281b35d5d0f3dc72ac12c4a337ae5

SHA512
9c99d8bb34e33e39a3c7d01157be6690b08a4ef54c8fa425516d3a28b89b5615e319c3de2f0ddf76be7856c8b94ab6c3a7c4d21389790ff948edf64d822ce130

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
a8147d28c0fafa2986fa423f9fc4b7d6

SHA1
ec4db2837608111e33f42ecc2b090b0809ce1f9c

SHA256
a4b9936adaabec604da99e4beafca2103f8407fdb33bbe1ae8a3dd0c9c641a8f

SHA512
d56b8f6cfcc236050ca986c5ac947c0917d2ee25acdd47a7465441c2395ef2a58063ee18a39e4ec609643c19383080886b4e0df480e76f5ec21779aed14deb73

Download Submit
\Windows\Help\B41346EFA848.dll

Filesize
117KB

MD5
af97286fb41adc79e3881b22c4488cd9

SHA1
7bbd7bbdbd13bf1daab6a67cad47ed4934695bfb

SHA256
e3af3f26d4c9580edb0f5acbd4ef4fa8ea9734d24a17ac6b425351dee73a1256

SHA512
4c647854f924d59723d6c925f386fd8c2602df230f6b0a944c10427a5b5c7be12f2355ceac47ba17ec670d673ed96b2078a68dbb353ad54bb430f58541685b76

Download Submit
memory/1212-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1212-8-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1212-23-0x00000000004A0000-0x00000000004F0000-memory.dmp

Filesize
320KB

Download
memory/1212-24-0x00000000004A0000-0x00000000004F0000-memory.dmp

Filesize
320KB

Download
memory/1212-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1212-28-0x00000000004A0000-0x00000000004F0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing