2be143201f0b7d04b4e053c7978f21aad49dcc61eccc69ab8a833adfc6c8ddff

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 13:23

Target

9987a1889a0210b4463a1923dec0cdf1.exe
Size

86KB
MD5

9987a1889a0210b4463a1923dec0cdf1
SHA1

7864f61ec61b9895102b3e9020de43b5c296f7db
SHA256

2be143201f0b7d04b4e053c7978f21aad49dcc61eccc69ab8a833adfc6c8ddff
SHA512

46b15ca01aac8afa262261ecb3fe0510af12f02c2bc6eba3918226726559e0800153593e0168a7a9a6855d9bfb83d42742f4c4e94af151e340e53e429a24f769
SSDEEP

1536:LVBmV5GPOakPP1YirQa78TC1kHLeCISTgUEWzWooTg3XyJFA4pYEM:LVBmVwWakPP1Yi0tCALjIkgCWoMKyJ2d

Score

7^/10

Loads dropped DLL 2 IoCs

pid	Process
1440	9987a1889a0210b4463a1923dec0cdf1.exe
1440	9987a1889a0210b4463a1923dec0cdf1.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\HELP\F3C74E3FA248.dll	9987a1889a0210b4463a1923dec0cdf1.exe
File opened for modification	C:\Windows\HELP\F3C74E3FA248.dll	9987a1889a0210b4463a1923dec0cdf1.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	9987a1889a0210b4463a1923dec0cdf1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	9987a1889a0210b4463a1923dec0cdf1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	9987a1889a0210b4463a1923dec0cdf1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\HELP\\F3C74E3FA248.dll"	9987a1889a0210b4463a1923dec0cdf1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	9987a1889a0210b4463a1923dec0cdf1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1440	9987a1889a0210b4463a1923dec0cdf1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 1436	1440	9987a1889a0210b4463a1923dec0cdf1.exe	83
PID 1440 wrote to memory of 1436	1440	9987a1889a0210b4463a1923dec0cdf1.exe	83
PID 1440 wrote to memory of 1436	1440	9987a1889a0210b4463a1923dec0cdf1.exe	83
PID 1440 wrote to memory of 116	1440	9987a1889a0210b4463a1923dec0cdf1.exe	92
PID 1440 wrote to memory of 116	1440	9987a1889a0210b4463a1923dec0cdf1.exe	92
PID 1440 wrote to memory of 116	1440	9987a1889a0210b4463a1923dec0cdf1.exe	92

C:\Users\Admin\AppData\Local\Temp\9987a1889a0210b4463a1923dec0cdf1.exe
"C:\Users\Admin\AppData\Local\Temp\9987a1889a0210b4463a1923dec0cdf1.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:116

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
93cfe4cbc552691547e699f2aab23284

SHA1
265107f2d792be9dbfba9d5595c9e7ed3befa7c6

SHA256
09c6806c5220ebb60149153fb1476326029f8f228e38ea4d4d706d15e011642a

SHA512
99f5e918a76af19630aef1feb532cad5a7ed471e67030e54f11e3764b2aa9c65ff7673917482db790a3e913aee2b309d7b84c338839336cc76b57900fa7bf0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
c426cf0834c5f865c66f7f3fc90f3fc7

SHA1
47fe47664a59ff5f27cf9565b52bbca752bd35ba

SHA256
48b6fc0ca7fd69558c17095eb2272d0c33eb2c2da43adcbe2ff0b1a9f8d7b112

SHA512
927de78aff9b79c7fee0a7345ec772e50c5fa0e7a0d7e9bb2bd24a28cae4a330c1c022ad892e26daf9ce28fe388ecddf7f6110d3d043b3fb51dbee49def49d5a

Download Submit
C:\Windows\Help\F3C74E3FA248.dll

Filesize
71KB

MD5
a132e44c265eb9f0fa8e3cd28f66a297

SHA1
09569f65d61ef8d4ffb8c360562933c9b48a9912

SHA256
b8705e5c4bc485e2db218a1e904b9e6dacbd6be8b38089261743639e14ca54d5

SHA512
432bc94ae03791af991ac1827dde17d816ab5b5ce8b4c3f1884d4639e0e61aa455ec6142182be1d8ffac89294b2de8645d1e11abd4b856cc162b9137de1d96dd

Download Submit
memory/1440-3-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1440-14-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1440-15-0x0000000002280000-0x00000000022AC000-memory.dmp

Filesize
176KB

Download