b54c2d04b45ef49473d98ab98f6ef8193ffe0bd8c56baba9d0eb7aa05ff9493a

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 11:56

Target

be8c168a6dd92ee9cee6722d920dde7e.exe
Size

173KB
MD5

be8c168a6dd92ee9cee6722d920dde7e
SHA1

3adfd24af7c3533057cad4aef6436cdc5814113e
SHA256

b54c2d04b45ef49473d98ab98f6ef8193ffe0bd8c56baba9d0eb7aa05ff9493a
SHA512

92f30cb6345386ce758d9e2b3d0e8f2baeb741b12cb6959f3f4087e7a09c910fa0e8bca4170b2230687470bf560ae0385f66be22ca5c7d3bf1dc871b29990c5d
SSDEEP

3072:AwxmhHONvQgOWKm+9C8FABd0s0XZDWZrcru5cl9JV4DSJM3w:9mhHON+WhJ8FABdB0RWZm9JV4DSGA

Score

7^/10

Deletes itself 1 IoCs

pid	Process
352	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\helpme.exe	be8c168a6dd92ee9cee6722d920dde7e.exe
File opened for modification	C:\Windows\SysWOW64\helpme.exe	be8c168a6dd92ee9cee6722d920dde7e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Debug\winhlp.dll	be8c168a6dd92ee9cee6722d920dde7e.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B00FA80-7C1A-41F1-AF62-C7FF0D3B96A7}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B00FA80-7C1A-41F1-AF62-C7FF0D3B96A7}\ = "url"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B00FA80-7C1A-41F1-AF62-C7FF0D3B96A7}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B00FA80-7C1A-41F1-AF62-C7FF0D3B96A7}\InProcServer32\ = "C:\\Windows\\Debug\\winhlp.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B00FA80-7C1A-41F1-AF62-C7FF0D3B96A7}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3056	regedit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 3060	2268	be8c168a6dd92ee9cee6722d920dde7e.exe	28
PID 2268 wrote to memory of 3060	2268	be8c168a6dd92ee9cee6722d920dde7e.exe	28
PID 2268 wrote to memory of 3060	2268	be8c168a6dd92ee9cee6722d920dde7e.exe	28
PID 2268 wrote to memory of 3060	2268	be8c168a6dd92ee9cee6722d920dde7e.exe	28
PID 2268 wrote to memory of 352	2268	be8c168a6dd92ee9cee6722d920dde7e.exe	29
PID 2268 wrote to memory of 352	2268	be8c168a6dd92ee9cee6722d920dde7e.exe	29
PID 2268 wrote to memory of 352	2268	be8c168a6dd92ee9cee6722d920dde7e.exe	29
PID 2268 wrote to memory of 352	2268	be8c168a6dd92ee9cee6722d920dde7e.exe	29
PID 3060 wrote to memory of 3056	3060	cmd.exe	32
PID 3060 wrote to memory of 3056	3060	cmd.exe	32
PID 3060 wrote to memory of 3056	3060	cmd.exe	32
PID 3060 wrote to memory of 3056	3060	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\be8c168a6dd92ee9cee6722d920dde7e.exe
"C:\Users\Admin\AppData\Local\Temp\be8c168a6dd92ee9cee6722d920dde7e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\wjaw.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\xdsfw.reg
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:3056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\be8c168a6dd92ee9cee6722d920dde7e.exe"
  2⤵
  - Deletes itself
  PID:352

C:\Users\Admin\AppData\Local\Temp\wjaw.bat

Filesize
124B

MD5
9eaf332297c95d0f5525bd93f0535b80

SHA1
dcae53735fb62cbfadae86b9b6678f30526d714b

SHA256
4732f12a6ae955a8ec5ff67e0bf9375af3ab35c6dcc2a3bcc74b987db028565c

SHA512
f4418d7a9bc456922242e6be8caa22738206bbc3a4bcb65d6a32f3e32e624f50ba0058b0cae16495b92c3379eb2ea50194f1ec343ace8188cb2f6a54a2d46f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdsfw.reg

Filesize
402B

MD5
01fb0f78bd547e4e9c56e3787cc6ef24

SHA1
81b988b8f571d9296af97c7490aa2e97ecbdbbc2

SHA256
5464f91a92f4619e24f8bb8a462e2618d38269a0e9bf3fdd8304bad6dcdd6cb5

SHA512
b9523d8f17dfbb2781cd140d15a03ae54a867b352acc016921e80588e6ae0aafbf633908dfd17267a92276bc364db97b9c9f6dd93708d69b835a7d464531cb77

Download Submit
memory/2268-0-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2268-11-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download