5cd0759c1e566b6e74ef3f29a49a34a08ded2dc44408fccd41b5a9845573a34c

General

Target

5cd0759c1e566b6e74ef3f29a49a34a08ded2dc44408fccd41b5a9845573a34c.exe
Size

680KB
MD5

bc7f80814ad63a035fbf8e0b67b02155
SHA1

a7d76dd02b12bb250f9f42101fda1fa235154710
SHA256

5cd0759c1e566b6e74ef3f29a49a34a08ded2dc44408fccd41b5a9845573a34c
SHA512

ac336b61ad93d51e68784350d59d56d08ac947426c3570ed7f0dfbbbdfce24bd0c495c6f626d3edeb8de47a0f0a3a09701b33b78dbb7a7a1e0b1cd32f8d0991a
SSDEEP

6144:nSiQrg69p5Ozn2zdCQ2I8EXAOteqM+Z4q6NHnfmDZET62KGUXtkJwov56hL:eBIzn2zd6EX6qM+Z4qufG6/PUyJw+A

Score

5^/10

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1148	4760	WerFault.exe	87

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1892	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4624	4760	5cd0759c1e566b6e74ef3f29a49a34a08ded2dc44408fccd41b5a9845573a34c.exe	88
PID 4760 wrote to memory of 4624	4760	5cd0759c1e566b6e74ef3f29a49a34a08ded2dc44408fccd41b5a9845573a34c.exe	88
PID 4760 wrote to memory of 4624	4760	5cd0759c1e566b6e74ef3f29a49a34a08ded2dc44408fccd41b5a9845573a34c.exe	88

C:\Users\Admin\AppData\Local\Temp\5cd0759c1e566b6e74ef3f29a49a34a08ded2dc44408fccd41b5a9845573a34c.exe
"C:\Users\Admin\AppData\Local\Temp\5cd0759c1e566b6e74ef3f29a49a34a08ded2dc44408fccd41b5a9845573a34c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\Temp\5cd0759c1e566b6e74ef3f29a49a34a08ded2dc44408fccd41b5a9845573a34c.exe
  "C:\Users\Admin\AppData\Local\Temp\5cd0759c1e566b6e74ef3f29a49a34a08ded2dc44408fccd41b5a9845573a34c.exe"
  2⤵
  PID:4624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 400
  2⤵
  - Program crash
  PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4760 -ip 4760
1⤵
PID:3924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3100

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5056

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4284

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892

memory/1892-56-0x000001BE935C0000-0x000001BE935C1000-memory.dmp

Filesize
4KB

Download
memory/1892-60-0x000001BE93700000-0x000001BE93701000-memory.dmp

Filesize
4KB

Download
memory/1892-59-0x000001BE935F0000-0x000001BE935F1000-memory.dmp

Filesize
4KB

Download
memory/1892-58-0x000001BE935F0000-0x000001BE935F1000-memory.dmp

Filesize
4KB

Download
memory/3100-18-0x0000028FB7A60000-0x0000028FB7A61000-memory.dmp

Filesize
4KB

Download
memory/3100-16-0x0000028FB7A60000-0x0000028FB7A61000-memory.dmp

Filesize
4KB

Download
memory/3100-19-0x0000028FB7B00000-0x0000028FB7B01000-memory.dmp

Filesize
4KB

Download
memory/3100-20-0x0000028FB7B00000-0x0000028FB7B01000-memory.dmp

Filesize
4KB

Download
memory/3100-21-0x0000028FB7B00000-0x0000028FB7B01000-memory.dmp

Filesize
4KB

Download
memory/3100-22-0x0000028FB7B00000-0x0000028FB7B01000-memory.dmp

Filesize
4KB

Download
memory/3100-14-0x0000028FB79E0000-0x0000028FB79E1000-memory.dmp

Filesize
4KB

Download
memory/3100-7-0x0000028FAEDA0000-0x0000028FAEDB0000-memory.dmp

Filesize
64KB

Download
memory/3100-3-0x0000028FAED50000-0x0000028FAED60000-memory.dmp

Filesize
64KB

Download
memory/4760-1-0x00000000000A0000-0x00000000001A0000-memory.dmp

Filesize
1024KB

Download
memory/4760-2-0x00000000022A0000-0x00000000022A2000-memory.dmp

Filesize
8KB

Download