Analysis

  • max time kernel
    52s
  • max time network
    66s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-03-2024 15:08

Errors

Reason
Machine shutdown

General

  • Target

    dbedeb6bcf5a905fc9cd3159ecb486a9.exe

  • Size

    244KB

  • MD5

    dbedeb6bcf5a905fc9cd3159ecb486a9

  • SHA1

    48752df112bb4512bc7d2a94eb559278e8c6649d

  • SHA256

    bdc2a05298d45a6eb8383aaa9cdfbc1bdfbd6709d31beee4f67d20820cac626b

  • SHA512

    35ef0965f671232fb7713c723f1f7a3a905c67f51bd00e8de28cbb098d8ef9f71eb0f023033b35ad0098d35ad569e481d596858a3aaf8760e3e103c6906c2ab0

  • SSDEEP

    6144:TLlRodPmZd7T5hmu3eqK2iV2K0mFkfLKi8R+ntnV4:1Rod+Zd7n3O/V2K0mFkfmiA0nV4

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 2 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 5 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dbedeb6bcf5a905fc9cd3159ecb486a9.exe
    "C:\Users\Admin\AppData\Local\Temp\dbedeb6bcf5a905fc9cd3159ecb486a9.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3900
    • C:\Users\Admin\AppData\Local\Temp\jqx.exe
      "C:\Users\Admin\AppData\Local\Temp\jqx.exe"
      2⤵
      • Sets DLL path for service in the registry
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1296
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Iprip
    1⤵
    • Sets DLL path for service in the registry
    • Sets service image path in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4748
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39a4855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4192

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\jqx.exe

    Filesize

    20KB

    MD5

    f417997432de8f500c7b3e86a3defcc7

    SHA1

    8450126b476688e10dcaec5ca6e4b036929160ed

    SHA256

    599a8a9acae1ddb98e3bd096256dcabc2b620059bd4d1e968b0424dbc9b97f1a

    SHA512

    77f4718bf308680f3f049437a57c4e1603b3d3ce38d51c5c60fd1b7511aedd9175aae207db1911f903365686e8d7d9be457ae0095bb48bb2f5ea9841cb99ddc7

  • C:\Windows\SysWOW64\fsutk.dll

    Filesize

    116KB

    MD5

    be0b4f5b0c11cc5f7b9acaa23f0ca443

    SHA1

    cf99197f1ae49e5ffc35c81b0b0603640d9b0b1a

    SHA256

    70601bb1cbf48a6bd507310ed0f6d21c873c1a320784cbbd82d23d60d3c5f234

    SHA512

    9829c1e6f4dd748bdad6d6a9015c25f601c3ec1a82e00fa791cae09ade6ebc0e2a09ff4bc14cb43857a7ce35807a73f08de7a27519fb04fce80c8dbfef56f52e

  • \??\c:\$Recycle.bin\int.dat

    Filesize

    220KB

    MD5

    4f69d71a0568508730966bdd39b95c95

    SHA1

    878ea7d895ba421cca8bfae1c71698009a847d74

    SHA256

    02b4e1d03e2064b0ebdd4d95cee3287f0d4dc69f373554eadd824c6d3df40331

    SHA512

    d04dfae26f44647636acc087dfb6cd9db479743663db970fa5764b844f98052a549f4614a358a820acc55df75cae3ede9bca4865f739106ab6e501568a16ae99

  • \??\c:\windows\SysWOW64\liprip.dll

    Filesize

    84KB

    MD5

    e942a0f126a283ac5305993d0be0b8f4

    SHA1

    ab77366093838f10879bcab3e7fd0f71ef75afd8

    SHA256

    a4acc2d63fb7f6cd12211a57541f11d391f02cd9ed6ef003d35160d3c6e05104

    SHA512

    7f5155d4b93c1c146c3b19e9a7d6d318d8d827a3d30e41a69ab1edb39670bb4bcf174c3b7ec603c1cd3cbbee6923c30c1f458968a735d1d8cfcd039ed9f51a74

  • memory/4748-17-0x00000000011A0000-0x00000000011C0000-memory.dmp

    Filesize

    128KB