745f47f6e21826a567a1a0269ce3c2931e00c4097e3b21f8fb4b2dec398e6350

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 12:06

Target

ce05bf537742d193cedc18cc5be552b5.exe
Size

128KB
MD5

ce05bf537742d193cedc18cc5be552b5
SHA1

3c861e82bb4dbc0c3f939b3073301e61ff38435c
SHA256

745f47f6e21826a567a1a0269ce3c2931e00c4097e3b21f8fb4b2dec398e6350
SHA512

a9e00aae523cf4c2ac06796034bed1c8c700ab750b689ecbe5b10cb490615a925bee8c1624456b08f145a48b918e23e464ba6c7ace4744d8d18dff2580457443
SSDEEP

3072:ktbkcrvXcEXDrReJHgqjJk+agSTcGe6WJVP3ItWo/fiNp:E5r/ccv+Ig4cGeTbP3GWo/K

Score

5^/10

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\helpme.exe	ce05bf537742d193cedc18cc5be552b5.exe
File opened for modification	C:\Windows\SysWOW64\helpme.exe	ce05bf537742d193cedc18cc5be552b5.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Debug\winhlp.dll	ce05bf537742d193cedc18cc5be552b5.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}\ = "url"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B00FA89-7C1A-41F1-AF62-C7FF0D3B96A7}\InProcServer32\ = "C:\\Windows\\Debug\\winhlp.dll"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3132	regedit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 3768	1268	ce05bf537742d193cedc18cc5be552b5.exe	98
PID 1268 wrote to memory of 3768	1268	ce05bf537742d193cedc18cc5be552b5.exe	98
PID 1268 wrote to memory of 3768	1268	ce05bf537742d193cedc18cc5be552b5.exe	98
PID 1268 wrote to memory of 4516	1268	ce05bf537742d193cedc18cc5be552b5.exe	100
PID 1268 wrote to memory of 4516	1268	ce05bf537742d193cedc18cc5be552b5.exe	100
PID 1268 wrote to memory of 4516	1268	ce05bf537742d193cedc18cc5be552b5.exe	100
PID 3768 wrote to memory of 3132	3768	cmd.exe	103
PID 3768 wrote to memory of 3132	3768	cmd.exe	103
PID 3768 wrote to memory of 3132	3768	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\ce05bf537742d193cedc18cc5be552b5.exe
"C:\Users\Admin\AppData\Local\Temp\ce05bf537742d193cedc18cc5be552b5.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wjaw.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\xdsfw.reg
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:3132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c erase /F "C:\Users\Admin\AppData\Local\Temp\ce05bf537742d193cedc18cc5be552b5.exe"
  2⤵
  PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4456 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\wjaw.bat

Filesize
124B

MD5
9eaf332297c95d0f5525bd93f0535b80

SHA1
dcae53735fb62cbfadae86b9b6678f30526d714b

SHA256
4732f12a6ae955a8ec5ff67e0bf9375af3ab35c6dcc2a3bcc74b987db028565c

SHA512
f4418d7a9bc456922242e6be8caa22738206bbc3a4bcb65d6a32f3e32e624f50ba0058b0cae16495b92c3379eb2ea50194f1ec343ace8188cb2f6a54a2d46f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdsfw.reg

Filesize
402B

MD5
bb338472ef0e2e25a20506b43e2d9d9a

SHA1
b22dd7c9b1d524f771aafc8b0b8a6bdccc8bec30

SHA256
963088b4fb19b383ebc4408b3778ce04b34fd628d24720e8fbe28d8bc2bc3434

SHA512
eb16785a2ea6e16fd8b158284911398796f91d8f5532f367951f54e1379d016ac4e2bb3106102a98d7efd43eee8dde70e49761360f0131e747b6e7fdf42a4843

Download Submit
memory/1268-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1268-1-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1268-2-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1268-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download