Analysis

max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-02-2024 15:22

Static task
static1: 1 signatures

Behavioral task
behavioral1
Sample: dll_one_two.dll
Resource: win7-20231129-en (windows7-x64)
1 signatures, 150 seconds

Behavioral task
behavioral2
Sample: dll_one_two.dll
Resource: win10v2004-20231215-en (windows10-2004-x64)
3 signatures, 150 seconds

Behavioral task
behavioral3
Sample: launcher.bat
Resource: win7-20231129-en (windows7-x64)
2 signatures, 150 seconds

Behavioral task
behavioral4
Sample: launcher.bat
Resource: win10v2004-20231215-en (windows10-2004-x64)
3 signatures, 150 seconds
General

Target: launcher.bat
Size: 77B
MD5: 39b617fde634a280a5b792e641a90dad
SHA1: 89a9c7df3a0be92fc457b8a84b4e0a8a5eaaca65
SHA256: 8c80a346c9a01feb8e28611585a9264abc1faf288996bb83aaf92f3866802078
SHA512: ed52760d0ef9d1f7491900a0100e528ff2c0e3ef795e5c8e9e1aa71f73c8fbef5c904586a36b638e6fd6953f8bff25588219f2111a4b19e07e212a536f44ef9a
Score: 1/10
Malware Config
Signatures
Modifies registry class 11 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 7 IoCs
description                        | pid  | Process      | procid_target
PID 4984 wrote to memory of 1460   | 4984 | cmd.exe      | 86
PID 4984 wrote to memory of 1460   | 4984 | cmd.exe      | 86
PID 1460 wrote to memory of 4220   | 1460 | rundll32.exe | 88
PID 1460 wrote to memory of 4220   | 1460 | rundll32.exe | 88
PID 1460 wrote to memory of 4220   | 1460 | rundll32.exe | 88
PID 1460 wrote to memory of 4220   | 1460 | rundll32.exe | 88
PID 1460 wrote to memory of 4220   | 1460 | rundll32.exe | 88
Processes

1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\launcher.bat"
   PID: 4984
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe dll_one_two.bin,CfGetPlatformInfo
      PID: 1460
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\System32\wermgr.exe
         Command line: C:\Windows\System32\wermgr.exe
         PID: 4220
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses