db9f204ba53123f31f8f2a5dc265d41138d617ea43e4225e10dfb46dc6af3de6

General

Target

c9d45ada40c007ed34a6dcce6f37448e.exe
Size

134KB
MD5

c9d45ada40c007ed34a6dcce6f37448e
SHA1

7fed442ec5441fb817b5988581064da5dc432cee
SHA256

db9f204ba53123f31f8f2a5dc265d41138d617ea43e4225e10dfb46dc6af3de6
SHA512

734bbdd8bd8c037820a729036c7c81271f034ec95a6b3da04a7694bb5d02ee1fb3e08f454887358b7b23a6407f11f8a53d93d7e4e122283e488f0fa57d439aef
SSDEEP

3072:55DFqRK3+2jzpOscYgcvoItOHX32/SD775i4Ed8SuXjcnEjAGSp:55DQRaPpOpYgcQItO3GKD77quzRd

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2244	c9d45ada40c007ed34a6dcce6f37448e.exe
2244	c9d45ada40c007ed34a6dcce6f37448e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\help\EB6C4499B05F.dll	c9d45ada40c007ed34a6dcce6f37448e.exe
File opened for modification	C:\Windows\help\EB6C4499B05F.dll	c9d45ada40c007ed34a6dcce6f37448e.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\EB6C4499B05F.dll"	c9d45ada40c007ed34a6dcce6f37448e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	c9d45ada40c007ed34a6dcce6f37448e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	c9d45ada40c007ed34a6dcce6f37448e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	c9d45ada40c007ed34a6dcce6f37448e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	c9d45ada40c007ed34a6dcce6f37448e.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	2244	c9d45ada40c007ed34a6dcce6f37448e.exe
Token: SeRestorePrivilege	2244	c9d45ada40c007ed34a6dcce6f37448e.exe
Token: SeRestorePrivilege	2244	c9d45ada40c007ed34a6dcce6f37448e.exe
Token: SeRestorePrivilege	2244	c9d45ada40c007ed34a6dcce6f37448e.exe
Token: SeRestorePrivilege	2244	c9d45ada40c007ed34a6dcce6f37448e.exe
Token: SeRestorePrivilege	2244	c9d45ada40c007ed34a6dcce6f37448e.exe
Token: SeBackupPrivilege	2244	c9d45ada40c007ed34a6dcce6f37448e.exe
Token: SeRestorePrivilege	2244	c9d45ada40c007ed34a6dcce6f37448e.exe
Token: SeRestorePrivilege	2244	c9d45ada40c007ed34a6dcce6f37448e.exe
Token: SeRestorePrivilege	2244	c9d45ada40c007ed34a6dcce6f37448e.exe
Token: SeRestorePrivilege	2244	c9d45ada40c007ed34a6dcce6f37448e.exe
Token: SeRestorePrivilege	2244	c9d45ada40c007ed34a6dcce6f37448e.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2244	c9d45ada40c007ed34a6dcce6f37448e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1772	2244	c9d45ada40c007ed34a6dcce6f37448e.exe	86
PID 2244 wrote to memory of 1772	2244	c9d45ada40c007ed34a6dcce6f37448e.exe	86
PID 2244 wrote to memory of 1772	2244	c9d45ada40c007ed34a6dcce6f37448e.exe	86
PID 2244 wrote to memory of 2624	2244	c9d45ada40c007ed34a6dcce6f37448e.exe	102
PID 2244 wrote to memory of 2624	2244	c9d45ada40c007ed34a6dcce6f37448e.exe	102
PID 2244 wrote to memory of 2624	2244	c9d45ada40c007ed34a6dcce6f37448e.exe	102

C:\Users\Admin\AppData\Local\Temp\c9d45ada40c007ed34a6dcce6f37448e.exe
"C:\Users\Admin\AppData\Local\Temp\c9d45ada40c007ed34a6dcce6f37448e.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:1772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:2624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
8bf05e05f336eaece5820a8d6a850d01

SHA1
7ca8dc82d7e3d1d1c50c73e7722617133e5e1a13

SHA256
693f6629a1449ed26bc39eb71ab582e0a3adb8dd4c9c5b7b20e796e0cce6d868

SHA512
187d56d5869b46792a82da218616277c3edbdc062ffd0935111a637fad8b551adc297769ede9d50703dcf7c4c87520d66ec0923ed26cd44d3edb3dd5b1377e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
46b3eb3d03b410be610e3517d3d1808f

SHA1
7ff65c69e90bf4332c7312f94ff2dc07d83d1f27

SHA256
aeb024374117ce621bc0ac2135f68cf01ef3f20ed524c93d2c2d53ef6f1da5dc

SHA512
3fe10d7092b4a475f86d0be2a9695d357bb322047fcb15cdadbd7b1e92813ee71da942f49b24c2410f1c14f6a29560c50143cb9f15ea722f7e9bdca6bc211843

Download Submit
C:\Windows\Help\EB6C4499B05F.dll

Filesize
122KB

MD5
d77c9f2f2324c33fd09d92daf73b7dfc

SHA1
15eaf5c8d11612b582f8d04925221457b482ad5b

SHA256
1ba8d0b99c91a7866bfb8bf8635efbb1097db84b9d95ccdbea6dfd61253cfc1a

SHA512
75f720f29a022c5071ec853e0cf10b0d1055c41831afd93f314f398f33c79e738d35394c24bdb32164abadb8668ba0735c5c4536db93ef5f4ae7aabc74a9c18f

Download Submit
memory/2244-16-0x0000000000710000-0x0000000000764000-memory.dmp

Filesize
336KB

Download
memory/2244-6-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2244-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2244-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2244-17-0x0000000000710000-0x0000000000764000-memory.dmp

Filesize
336KB

Download
memory/2244-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2244-19-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2244-20-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2244-21-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2244-23-0x0000000000710000-0x0000000000764000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing