870177beac58d076af2e630677442c111c0ae12347c09d3b548373c58dce40e3

General

Target

97424a2c29c6b5157e04b1b4c31fa43f.exe
Size

130KB
MD5

97424a2c29c6b5157e04b1b4c31fa43f
SHA1

d7db8f2d2262c567c0221a1cbf1cd23da57298b6
SHA256

870177beac58d076af2e630677442c111c0ae12347c09d3b548373c58dce40e3
SHA512

fdc2b29a0fb063c6155a41ddaed2b9d7c5ca8b71874fa9a00359834eef8be76457f22b6e3a06ec81e05ba9515cbb024dd6931bf30c2ad269df8dfa2124ce6623
SSDEEP

3072:LxNGg/Ly0+h095FNQ8IzgF498A82xlTm2TpP:LxNGMLy0+eTbQ8108A8olTm2

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4856	97424a2c29c6b5157e04b1b4c31fa43f.exe
4856	97424a2c29c6b5157e04b1b4c31fa43f.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\help\B41346EFA848.dll	97424a2c29c6b5157e04b1b4c31fa43f.exe
File opened for modification	C:\Windows\help\B41346EFA848.dll	97424a2c29c6b5157e04b1b4c31fa43f.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	97424a2c29c6b5157e04b1b4c31fa43f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	97424a2c29c6b5157e04b1b4c31fa43f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	97424a2c29c6b5157e04b1b4c31fa43f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	97424a2c29c6b5157e04b1b4c31fa43f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\B41346EFA848.dll"	97424a2c29c6b5157e04b1b4c31fa43f.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe
Token: SeRestorePrivilege	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe
Token: SeRestorePrivilege	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe
Token: SeRestorePrivilege	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe
Token: SeRestorePrivilege	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe
Token: SeRestorePrivilege	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe
Token: SeBackupPrivilege	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe
Token: SeRestorePrivilege	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe
Token: SeRestorePrivilege	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe
Token: SeRestorePrivilege	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe
Token: SeRestorePrivilege	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe
Token: SeRestorePrivilege	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4856	97424a2c29c6b5157e04b1b4c31fa43f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 2500	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe	79
PID 4856 wrote to memory of 2500	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe	79
PID 4856 wrote to memory of 2500	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe	79
PID 4856 wrote to memory of 4768	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe	89
PID 4856 wrote to memory of 4768	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe	89
PID 4856 wrote to memory of 4768	4856	97424a2c29c6b5157e04b1b4c31fa43f.exe	89

C:\Users\Admin\AppData\Local\Temp\97424a2c29c6b5157e04b1b4c31fa43f.exe
"C:\Users\Admin\AppData\Local\Temp\97424a2c29c6b5157e04b1b4c31fa43f.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:2500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:4768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
6374cedabd91a57d592a45f574193aba

SHA1
c0d0c9b507284c50fa6429d3ab63623b77ff2763

SHA256
1ee95952bc3965dc2977a6fd31970d0594c296b59ea65b01f565d765a320f531

SHA512
8590fc9e88f22b326572a94a09decd098ae5fb2b54f326cfda38c5664e021171b22a328fe0eccc6e9130d3fd6d08d1cf727706697176dca713b572e103276464

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
c77abc9ed91f2bf36978cd75f54321b8

SHA1
f8613e9994e4731915ad0c693f14e0e1014bf21d

SHA256
c6fee9e26bc0b08e01f696f0751a62ce4eab771a076576f6e1a0717a7cf18220

SHA512
9c7f07d523c014bcee206b5ed0ed8244fd429bd9abefbffedb27a99c3183165fe549c9ce2bd093afac32a9df61a165305c6a50f3cb0bf099119b10532d11200a

Download Submit
C:\Windows\Help\B41346EFA848.dll

Filesize
117KB

MD5
db128f66fa061f0b1ff6d988bc187c5b

SHA1
9ced125a49721fcc8c0794c34575206df3b9b824

SHA256
62d9be7b011896b7201a464c7d7a60a3cfe734b3e6539196a5c8dcf739233558

SHA512
6f981f8d0f1a132b1b04996930b9cfc51a277a45e616b791a5e5488d5b356d0fdda9b71ddffeb468830cb6389ca4d4fb276610f9ff1ebdf6ee05c1246cc957f2

Download Submit
memory/4856-2-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4856-6-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4856-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4856-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4856-15-0x0000000002170000-0x00000000021C0000-memory.dmp

Filesize
320KB

Download
memory/4856-18-0x0000000002170000-0x00000000021C0000-memory.dmp

Filesize
320KB

Download
memory/4856-19-0x0000000002170000-0x00000000021C0000-memory.dmp

Filesize
320KB

Download
memory/4856-20-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4856-21-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4856-22-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4856-24-0x0000000002170000-0x00000000021C0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing