Analysis
- max time kernel: 477s
- max time network: 510s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 28-09-2021 18:53
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: hypoc.exe, Resource: win7v20210408)
- Behavioral task: behavioral2 (Sample: hypoc.exe, Resource: win10-en-20210920)
General
- Target: hypoc.exe
- Size: 104KB
- MD5: 916c42dbafbbaa9d7f5208494710c354
- SHA1: 952c4314cadc08ca01a1227e999f645c12760aeb
- SHA256: 5eab33aa65a63135b926cad2766fd657c092c2704cc5155462d119053285cda8
- SHA512: 0d95757ba0bacc5bd43a58048afb66c74b07d5252ce99e78efa0f1fbe7da4baa3e5e3adf1d53422ba9225a3ea1a2a40a1083fed69b6220132d28bf8f840fef61
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode based downloader first seen in 2020.
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes: hypoc.exe, ieinstal.exe
  description | ioc | process
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | hypoc.exe
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | ieinstal.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: ieinstal.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | ieinstal.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Afstig2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\muml\\hypoc.exe" | ieinstal.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: hypoc.exe, ieinstal.exe
  pid | process
  1648 | hypoc.exe
  1328 | ieinstal.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: hypoc.exe
  description | pid | process | target process
  PID 1648 set thread context of 1328 | 1648 | hypoc.exe | ieinstal.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  1596 | 1328 | WerFault.exe | ieinstal.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: WerFault.exe
  pid | process
  1596 | WerFault.exe (4 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: WerFault.exe
  pid | process
  1596 | WerFault.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: hypoc.exe
  pid | process
  1648 | hypoc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: WerFault.exe
  description | pid | process
  Token: SeDebugPrivilege | 1596 | WerFault.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: hypoc.exe
  pid | process
  1648 | hypoc.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: hypoc.exe, ieinstal.exe
  description | pid | process | target process
  PID 1648 wrote to memory of 1328 | 1648 | hypoc.exe | ieinstal.exe (8 identical entries)
  PID 1328 wrote to memory of 1596 | 1328 | ieinstal.exe | WerFault.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\hypoc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\hypoc.exe"
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\internet explorer\ieinstal.exe (child of hypoc.exe)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hypoc.exe"
    - Checks QEMU agent file
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (child of ieinstal.exe)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 580
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1328-65-0x0000000000110000-0x0000000000210000-memory.dmp (Filesize: 1024KB)
- memory/1328-66-0x0000000000110000-mapping.dmp
- memory/1328-72-0x0000000077650000-0x00000000777F9000-memory.dmp (Filesize: 1.7MB)
- memory/1328-73-0x0000000077840000-0x0000000077916000-memory.dmp (Filesize: 856KB)
- memory/1596-74-0x0000000000000000-mapping.dmp
- memory/1596-75-0x0000000000280000-0x0000000000281000-memory.dmp (Filesize: 4KB)
- memory/1648-62-0x0000000000240000-0x000000000024F000-memory.dmp (Filesize: 60KB)
- memory/1648-64-0x0000000076641000-0x0000000076643000-memory.dmp (Filesize: 8KB)
- memory/1648-67-0x0000000077650000-0x00000000777F9000-memory.dmp (Filesize: 1.7MB)
- memory/1648-68-0x0000000077830000-0x00000000779B0000-memory.dmp (Filesize: 1.5MB)
- memory/1648-69-0x0000000077840000-0x0000000077916000-memory.dmp (Filesize: 856KB)