ce589606bf1a345a4da05fa8b77f7856fcdac416838934fef265cf4e2bbe613f

General

Target

c167c5b15455128938f11b7aad2dc6a9.exe
Size

193KB
MD5

c167c5b15455128938f11b7aad2dc6a9
SHA1

8111830458ea30549900e02f56b4a8d071f0e681
SHA256

ce589606bf1a345a4da05fa8b77f7856fcdac416838934fef265cf4e2bbe613f
SHA512

f5839f44ce43a7634ca6055ae11c68c8f1b00921766b4682892464977cdbf0af269e000a548bf8430e97a9b81bd0ce61d2b3a6ff4f7bec3434b95da4428969be
SSDEEP

3072:nB33q4v9ztRPX7iNOOM1/qs4cmdyof/G69QYfcD6DdHZepN:nJ5zPLiUOM1ZsnGxScDodspN

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
2980	c167c5b15455128938f11b7aad2dc6a9.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\help\EB6C4499B05F.dll	c167c5b15455128938f11b7aad2dc6a9.exe
File created	C:\Windows\help\EB6C4499B05F.dll	c167c5b15455128938f11b7aad2dc6a9.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	c167c5b15455128938f11b7aad2dc6a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	c167c5b15455128938f11b7aad2dc6a9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	c167c5b15455128938f11b7aad2dc6a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\EB6C4499B05F.dll"	c167c5b15455128938f11b7aad2dc6a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	c167c5b15455128938f11b7aad2dc6a9.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2980	c167c5b15455128938f11b7aad2dc6a9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2276	2980	c167c5b15455128938f11b7aad2dc6a9.exe	28
PID 2980 wrote to memory of 2276	2980	c167c5b15455128938f11b7aad2dc6a9.exe	28
PID 2980 wrote to memory of 2276	2980	c167c5b15455128938f11b7aad2dc6a9.exe	28
PID 2980 wrote to memory of 2276	2980	c167c5b15455128938f11b7aad2dc6a9.exe	28
PID 2980 wrote to memory of 2484	2980	c167c5b15455128938f11b7aad2dc6a9.exe	30
PID 2980 wrote to memory of 2484	2980	c167c5b15455128938f11b7aad2dc6a9.exe	30
PID 2980 wrote to memory of 2484	2980	c167c5b15455128938f11b7aad2dc6a9.exe	30
PID 2980 wrote to memory of 2484	2980	c167c5b15455128938f11b7aad2dc6a9.exe	30

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
4a2fa693a7dd9763901122c8647e26c1

SHA1
b59d92fea57248cdd7cc1a7ac284a3c0fe432509

SHA256
72dd77d674a0db3ea75e134946208bb3758cb6ab160386ddc48a4b3ac29619b0

SHA512
4739c052067baf8e18aed086dbe8bb5d47c0a39dd685c51c6c6541d9c3d2e47c48e97a3862463c76b3ba04a75ae81b78e74c1448f186eebe8220d5e4b7126dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
320168bbd71467e4f08abedb35a7d661

SHA1
93e76e6bb93b0e8b168c2d83dff9771c89dbbd99

SHA256
cdf2571fb22863b1f27dcbbb6b7c285b0bcf7df8115c52402c555c1e90e97571

SHA512
d93f009ae696d79839e4dde4f20038423982fcf2c2996607c28a2c8c6b4f21f120a94816c6bbc653e29528684db93b003a87e5e57c041146179803bf918d1ee0

Download Submit
\Windows\Help\EB6C4499B05F.dll

Filesize
135KB

MD5
f87c374e4c9f1968b58b9d691e4807b8

SHA1
b2fcb56c37d49f6ee8362bc3d8ef3fccf124a431

SHA256
6f856d7db45fc1577205db11b1c1b26bd8e622bd15652dd636477a3ee6bfcb4c

SHA512
a11f598d1b3d55ee8d1359c927fb233a3c884b7c13eb44c47ff52d45d5ced9960d390a469f53732542720a8e70009950b12831c22bd8b6e7399cd047c43b165a

Download Submit
memory/2980-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2980-21-0x0000000000340000-0x0000000000397000-memory.dmp

Filesize
348KB

Download
memory/2980-22-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2980-23-0x0000000000340000-0x0000000000397000-memory.dmp

Filesize
348KB

Download