22202559f7080a9d04538ad2aedd67ef86c8da9c4c1214f4605131fd1c056bc6

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aba30dfeaad1ce327f3d3164879a75d8.exe
Size

184KB
MD5

aba30dfeaad1ce327f3d3164879a75d8
SHA1

ef0812df54cdb11b2201d41a29a84e78f00ea357
SHA256

22202559f7080a9d04538ad2aedd67ef86c8da9c4c1214f4605131fd1c056bc6
SHA512

a187a6084b847b039fff89824789acc0ede700309c07ed62df3562b6c66e2c6c99085a47bbb4b0d2e91dd1e178d319e08464b5a1a4bb25db5f06b068f703daf4
SSDEEP

3072:YpADH3WjVNkgRYUu/DpfJU5OjZj4w8TU1uv5IItPMp5tAEZYLKrYfoiyy:9LWZN6UuL6OR8TUov5Kp5qEZYLK0g

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4316	aba30dfeaad1ce327f3d3164879a75d8.exe
4316	aba30dfeaad1ce327f3d3164879a75d8.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\help\B41346EFA848.dll	aba30dfeaad1ce327f3d3164879a75d8.exe
File opened for modification	C:\Windows\help\B41346EFA848.dll	aba30dfeaad1ce327f3d3164879a75d8.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	aba30dfeaad1ce327f3d3164879a75d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	aba30dfeaad1ce327f3d3164879a75d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	aba30dfeaad1ce327f3d3164879a75d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\B41346EFA848.dll"	aba30dfeaad1ce327f3d3164879a75d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	aba30dfeaad1ce327f3d3164879a75d8.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	4316	aba30dfeaad1ce327f3d3164879a75d8.exe
Token: SeRestorePrivilege	4316	aba30dfeaad1ce327f3d3164879a75d8.exe
Token: SeRestorePrivilege	4316	aba30dfeaad1ce327f3d3164879a75d8.exe
Token: SeRestorePrivilege	4316	aba30dfeaad1ce327f3d3164879a75d8.exe
Token: SeRestorePrivilege	4316	aba30dfeaad1ce327f3d3164879a75d8.exe
Token: SeRestorePrivilege	4316	aba30dfeaad1ce327f3d3164879a75d8.exe
Token: SeBackupPrivilege	4316	aba30dfeaad1ce327f3d3164879a75d8.exe
Token: SeRestorePrivilege	4316	aba30dfeaad1ce327f3d3164879a75d8.exe
Token: SeRestorePrivilege	4316	aba30dfeaad1ce327f3d3164879a75d8.exe
Token: SeRestorePrivilege	4316	aba30dfeaad1ce327f3d3164879a75d8.exe
Token: SeRestorePrivilege	4316	aba30dfeaad1ce327f3d3164879a75d8.exe
Token: SeRestorePrivilege	4316	aba30dfeaad1ce327f3d3164879a75d8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4316	aba30dfeaad1ce327f3d3164879a75d8.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 4432	4316	aba30dfeaad1ce327f3d3164879a75d8.exe	89
PID 4316 wrote to memory of 4432	4316	aba30dfeaad1ce327f3d3164879a75d8.exe	89
PID 4316 wrote to memory of 4432	4316	aba30dfeaad1ce327f3d3164879a75d8.exe	89
PID 4316 wrote to memory of 4968	4316	aba30dfeaad1ce327f3d3164879a75d8.exe	96
PID 4316 wrote to memory of 4968	4316	aba30dfeaad1ce327f3d3164879a75d8.exe	96
PID 4316 wrote to memory of 4968	4316	aba30dfeaad1ce327f3d3164879a75d8.exe	96

C:\Users\Admin\AppData\Local\Temp\aba30dfeaad1ce327f3d3164879a75d8.exe
"C:\Users\Admin\AppData\Local\Temp\aba30dfeaad1ce327f3d3164879a75d8.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:4432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:4968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
71c6ac53c21fc51dffacec9018cb0b1f

SHA1
e2032b5a50d004ad6c9c21d4ab14beaa731f554d

SHA256
e294191aef3ba865345bfc2cfa1bd952013c4614da9c685d3838964184f6952c

SHA512
21692dc5769aad09787a55c01aaee91999fc0602bfcb743bdcd9246ef37064bf0b8a7d433709363ac9448ae854fe972b563816acd35beb4090334248a11acc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
769361365dc7a87d1f9650e94b86179f

SHA1
f900d4c0a3cc1ba5d56c67873f84b67d94bf031a

SHA256
e763945075df421945a9166a8c400f11ef4ca5538340d5ff01b4fe96191546fd

SHA512
7c1a30484805adfa09e6e9f79774f0f5b42f34323ad9584e5b171737b7785ed7b331524841b4086e13a54011ce4205bbf6725ac4a34e9373ad26048ed1f63251

Download Submit
C:\Windows\Help\B41346EFA848.dll

Filesize
158KB

MD5
f230cf3d8c26504c3d02f548341c7d69

SHA1
988b944b856b75466feac3d808485b9a8e915b10

SHA256
022061748acfa1f3992e0f6fde2b7dc252b2d5997862dfee01154a705353c1fd

SHA512
14bd4909050a82d5094c09e1562a66e409f12399225c3317e8223c7e7dc7de78197e2ebc7a7eebd01e26f7a68c361d252f2061e1fc06e46dc86f695411e91e36

Download Submit
memory/4316-3-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-11-0x0000000002180000-0x00000000021AC000-memory.dmp

Filesize
176KB

Download
memory/4316-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-16-0x0000000002180000-0x00000000021AC000-memory.dmp

Filesize
176KB

Download
memory/4316-22-0x0000000002180000-0x00000000021AC000-memory.dmp

Filesize
176KB

Download