5d68e1ff0d98f188e9e7e636f0e6e42ea91f942c5915eb6440e7947e279aba5a

Analysis

max time kernel
160s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 23:51

Target

c9f334f9a21ceccb4f94ddbce94899b7.exe
Size

81KB
MD5

c9f334f9a21ceccb4f94ddbce94899b7
SHA1

227b7f48ce89d223efbadbc04eba4bddd1b4bdc2
SHA256

5d68e1ff0d98f188e9e7e636f0e6e42ea91f942c5915eb6440e7947e279aba5a
SHA512

fff5d29488b3c805cb2ef505063862ac80974177409222ffb9a4b4948a7ef4d3902daa0c20b852296c3c318f30efa48b708d5848e6c4f785d46505ddca494d0f
SSDEEP

1536:k3ETklD7ylBCNkrKgUfJZ6iFn3S89xO/bBnHP1tSFWWHwawOz:cEIp7yTak+Zf+swFnv4WraX

Score

5^/10

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\face.exe	c9f334f9a21ceccb4f94ddbce94899b7.exe
File opened for modification	C:\Windows\SysWOW64\face.exe	c9f334f9a21ceccb4f94ddbce94899b7.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system\face32.dll	c9f334f9a21ceccb4f94ddbce94899b7.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{02D83959-FAB9-4FCA-9A14-B71E4C1753F1}\InProcServer32\ = "C:\\Windows\\system\\face32.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{02D83959-FAB9-4FCA-9A14-B71E4C1753F1}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{02D83959-FAB9-4FCA-9A14-B71E4C1753F1}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{02D83959-FAB9-4FCA-9A14-B71E4C1753F1}\ = "url"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{02D83959-FAB9-4FCA-9A14-B71E4C1753F1}\InProcServer32	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3980	regedit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 3488	1144	c9f334f9a21ceccb4f94ddbce94899b7.exe	90
PID 1144 wrote to memory of 3488	1144	c9f334f9a21ceccb4f94ddbce94899b7.exe	90
PID 1144 wrote to memory of 3488	1144	c9f334f9a21ceccb4f94ddbce94899b7.exe	90
PID 1144 wrote to memory of 3268	1144	c9f334f9a21ceccb4f94ddbce94899b7.exe	91
PID 1144 wrote to memory of 3268	1144	c9f334f9a21ceccb4f94ddbce94899b7.exe	91
PID 1144 wrote to memory of 3268	1144	c9f334f9a21ceccb4f94ddbce94899b7.exe	91
PID 3488 wrote to memory of 3980	3488	cmd.exe	94
PID 3488 wrote to memory of 3980	3488	cmd.exe	94
PID 3488 wrote to memory of 3980	3488	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\c9f334f9a21ceccb4f94ddbce94899b7.exe
"C:\Users\Admin\AppData\Local\Temp\c9f334f9a21ceccb4f94ddbce94899b7.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\reg.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\bat.reg
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\c9f334f9a21ceccb4f94ddbce94899b7.exe"
  2⤵
  PID:3268

C:\Users\Admin\AppData\Local\Temp\bat.reg

Filesize
403B

MD5
15c1203e7d472d6f897f828684f7682e

SHA1
2af30dc81c6059c56f33d0669a4fdc3fb61948cb

SHA256
40135ae6eff9255bf8d1b2961b11767e0c929a43ddd100ff88e8b1a55ac5914a

SHA512
6c01ff34365a0b4104c42ee66439ce27c84318951aa4365b1a8636dc631689f019f8abc099d15a1d066b6f3c0c2e8ff3219dcad75f582911bd217fe8bc2b7a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\reg.bat

Filesize
120B

MD5
0c6ef591c17de2f53026416007ec3027

SHA1
c0b9226629c964a1a305aa2cd503f4a9e7adfa6c

SHA256
e13c1f03163c10a47171fabf9a59d80dbf706d7f0970345dc1bffd1cd30bc87a

SHA512
2a32782b9f843c74fd9d7a37da06f27c85ac9dea53654a6e105deffa47a0ce9d309303abab6fe9a023e04b237d69bf7afe9c9ad3557d3f0e2ca4f3625525d06d

Download Submit
memory/1144-0-0x0000000000400000-0x0000000000441018-memory.dmp

Filesize
260KB

Download
memory/1144-1-0x0000000000400000-0x0000000000441018-memory.dmp

Filesize
260KB

Download
memory/1144-2-0x0000000000400000-0x0000000000441018-memory.dmp

Filesize
260KB

Download
memory/1144-8-0x0000000000400000-0x0000000000441018-memory.dmp

Filesize
260KB

Download