e3e650c22d5bbcefdf5604eea5d7b0bf4e82464757060357aeffdfe4813cf3da

Analysis

max time kernel
93s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/02/2024, 04:14

Target

ada99cc37a657754bc26ecac02ed4c00.exe
Size

174KB
MD5

ada99cc37a657754bc26ecac02ed4c00
SHA1

0423ccf1edc48425521b86e97381ae05d0f7fa4e
SHA256

e3e650c22d5bbcefdf5604eea5d7b0bf4e82464757060357aeffdfe4813cf3da
SHA512

8b243d3f75c1f1635cabf17d3718bdf4ae19a55bf1d58ed5198b30ea7cdc398c17b32d822d64d6957d02c42a33f3d35978cfb7059939daba677ba4d8947bbb6c
SSDEEP

3072:X1WAlUd89ZeGWmDgMBMyveidWaoaDNS3Trt21cFWiI1MU6XbvX8pWEvwiZHOp:X1WkkGWmDjM5yS3XtYcFWieMPLkpWEvO

Score

5^/10

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\helpme.exe	ada99cc37a657754bc26ecac02ed4c00.exe
File opened for modification	C:\Windows\SysWOW64\helpme.exe	ada99cc37a657754bc26ecac02ed4c00.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Debug\winhlp.dll	ada99cc37a657754bc26ecac02ed4c00.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B00FA80-7C1A-41F1-AF62-C7FF0D3B96A7}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B00FA80-7C1A-41F1-AF62-C7FF0D3B96A7}\ = "url"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B00FA80-7C1A-41F1-AF62-C7FF0D3B96A7}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B00FA80-7C1A-41F1-AF62-C7FF0D3B96A7}\InProcServer32\ = "C:\\Windows\\Debug\\winhlp.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B00FA80-7C1A-41F1-AF62-C7FF0D3B96A7}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3616	regedit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 5100	3380	ada99cc37a657754bc26ecac02ed4c00.exe	87
PID 3380 wrote to memory of 5100	3380	ada99cc37a657754bc26ecac02ed4c00.exe	87
PID 3380 wrote to memory of 5100	3380	ada99cc37a657754bc26ecac02ed4c00.exe	87
PID 3380 wrote to memory of 2272	3380	ada99cc37a657754bc26ecac02ed4c00.exe	89
PID 3380 wrote to memory of 2272	3380	ada99cc37a657754bc26ecac02ed4c00.exe	89
PID 3380 wrote to memory of 2272	3380	ada99cc37a657754bc26ecac02ed4c00.exe	89
PID 5100 wrote to memory of 3616	5100	cmd.exe	91
PID 5100 wrote to memory of 3616	5100	cmd.exe	91
PID 5100 wrote to memory of 3616	5100	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\ada99cc37a657754bc26ecac02ed4c00.exe
"C:\Users\Admin\AppData\Local\Temp\ada99cc37a657754bc26ecac02ed4c00.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjaw.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\xdsfw.reg
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:3616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\ada99cc37a657754bc26ecac02ed4c00.exe"
  2⤵
  PID:2272

C:\Users\Admin\AppData\Local\Temp\wjaw.bat

Filesize
124B

MD5
9eaf332297c95d0f5525bd93f0535b80

SHA1
dcae53735fb62cbfadae86b9b6678f30526d714b

SHA256
4732f12a6ae955a8ec5ff67e0bf9375af3ab35c6dcc2a3bcc74b987db028565c

SHA512
f4418d7a9bc456922242e6be8caa22738206bbc3a4bcb65d6a32f3e32e624f50ba0058b0cae16495b92c3379eb2ea50194f1ec343ace8188cb2f6a54a2d46f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdsfw.reg

Filesize
402B

MD5
01fb0f78bd547e4e9c56e3787cc6ef24

SHA1
81b988b8f571d9296af97c7490aa2e97ecbdbbc2

SHA256
5464f91a92f4619e24f8bb8a462e2618d38269a0e9bf3fdd8304bad6dcdd6cb5

SHA512
b9523d8f17dfbb2781cd140d15a03ae54a867b352acc016921e80588e6ae0aafbf633908dfd17267a92276bc364db97b9c9f6dd93708d69b835a7d464531cb77

Download Submit
memory/3380-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3380-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download