23640d6ac3871292bdb343f7b736ef4ed6be9faa04913f752a60ac2912415a65

Analysis

max time kernel
136s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dd10a82fde458e728f26a9fe79725ce.exe
Size

72KB
MD5

7dd10a82fde458e728f26a9fe79725ce
SHA1

b6fd8872965d6e6560d00289b297aa5bbd7a573f
SHA256

23640d6ac3871292bdb343f7b736ef4ed6be9faa04913f752a60ac2912415a65
SHA512

e1859b09b2630da8499b1a8926c61732f274fd251e6f3e1e8fa60318e9994b2bfcfd12ad38aea26580491bda07453b3e25e3e852d5b9478d4cb26802b8820018
SSDEEP

1536:ioWuMqnCTygRvyulru2m3QJNrKkp8I33MSX+mSg35dgM+VdZDJs:FWuvayctu2mgTRHovN6

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
316	winhlp31.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1136-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x0007000000023224-3.dat	upx
behavioral2/memory/316-4-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1136-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/316-461-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Deleteme.bat	7dd10a82fde458e728f26a9fe79725ce.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winhlp31.exe	7dd10a82fde458e728f26a9fe79725ce.exe
File opened for modification	C:\Windows\winhlp31.exe	7dd10a82fde458e728f26a9fe79725ce.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 1136 wrote to memory of 3520	1136	7dd10a82fde458e728f26a9fe79725ce.exe	88
PID 1136 wrote to memory of 3520	1136	7dd10a82fde458e728f26a9fe79725ce.exe	88
PID 1136 wrote to memory of 3520	1136	7dd10a82fde458e728f26a9fe79725ce.exe	88
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87
PID 316 wrote to memory of 4656	316	winhlp31.exe	87

C:\Users\Admin\AppData\Local\Temp\7dd10a82fde458e728f26a9fe79725ce.exe
"C:\Users\Admin\AppData\Local\Temp\7dd10a82fde458e728f26a9fe79725ce.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
  2⤵
  PID:3520

C:\Windows\winhlp31.exe
C:\Windows\winhlp31.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:4656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Deleteme.bat

Filesize
184B

MD5
ee991e33374a1b1b534742dff163481c

SHA1
9b1b7d383d0cdf9b80bf6858492c74d573ea2534

SHA256
83f917f74821d43fb49ae08b3290d305f5b137f00621775794604b27c466fc2a

SHA512
29d1463433e3c1583ddf5d52114160069a01df341e265d17f1d1259b3900c6842bb85d7dad9006669ba2fee7dd24d69a0323d107861c94892bab962ff11d2228

Download Submit
C:\Windows\winhlp31.exe

Filesize
72KB

MD5
7dd10a82fde458e728f26a9fe79725ce

SHA1
b6fd8872965d6e6560d00289b297aa5bbd7a573f

SHA256
23640d6ac3871292bdb343f7b736ef4ed6be9faa04913f752a60ac2912415a65

SHA512
e1859b09b2630da8499b1a8926c61732f274fd251e6f3e1e8fa60318e9994b2bfcfd12ad38aea26580491bda07453b3e25e3e852d5b9478d4cb26802b8820018

Download Submit
memory/316-4-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/316-461-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1136-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1136-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4656-9-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4656-8-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/4656-459-0x0000000010410000-0x0000000010431000-memory.dmp

Filesize
132KB

Download
memory/4656-462-0x0000000010410000-0x0000000010431000-memory.dmp

Filesize
132KB

Download