68599aed1a59ea181bd317a0ac5ec38b57c2537c4ef3ef606708576bf87036c7

General

Target

vnhgf.exe
Size

300.0MB
MD5

a5335343971e56e6ff268dcfe8774ae9
SHA1

25c8a25b5c1dd7913e4447dd15056afd52d95c4a
SHA256

1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734
SHA512

8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

hggfyu.exehggfyu.exehggfyu.exehggfyu.exe

pid process

3936 hggfyu.exe
3636 hggfyu.exe
3740 hggfyu.exe
5044 hggfyu.exe

pid	process
3936	hggfyu.exe
3636	hggfyu.exe
3740	hggfyu.exe
5044	hggfyu.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/888-135-0x0000000001160000-0x0000000001544000-memory.dmp	upx
behavioral2/memory/888-136-0x0000000001160000-0x0000000001544000-memory.dmp	upx
behavioral2/memory/3636-146-0x0000000000B00000-0x0000000000EE4000-memory.dmp	upx
behavioral2/memory/3636-147-0x0000000000B00000-0x0000000000EE4000-memory.dmp	upx
behavioral2/memory/5044-157-0x0000000000900000-0x0000000000CE4000-memory.dmp	upx
behavioral2/memory/5044-158-0x0000000000900000-0x0000000000CE4000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

Processes:

vnhgf.exehggfyu.exehggfyu.exe

description	pid	process	target process
PID 2224 set thread context of 888	2224	vnhgf.exe	vnhgf.exe
PID 3936 set thread context of 3636	3936	hggfyu.exe	hggfyu.exe
PID 3740 set thread context of 5044	3740	hggfyu.exe	hggfyu.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

488 888 WerFault.exe vnhgf.exe
4056 3636 WerFault.exe hggfyu.exe
2972 5044 WerFault.exe hggfyu.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4616 schtasks.exe
1896 schtasks.exe
2036 schtasks.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vnhgf.exehggfyu.exehggfyu.exe

description pid process

Token: SeDebugPrivilege 2224 vnhgf.exe
Token: SeDebugPrivilege 3936 hggfyu.exe
Token: SeDebugPrivilege 3740 hggfyu.exe

pid	pid_target	process	target process
488	888	WerFault.exe	vnhgf.exe
4056	3636	WerFault.exe	hggfyu.exe
2972	5044	WerFault.exe	hggfyu.exe

pid	process
4616	schtasks.exe
1896	schtasks.exe
2036	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2224	vnhgf.exe
Token: SeDebugPrivilege	3936	hggfyu.exe
Token: SeDebugPrivilege	3740	hggfyu.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

vnhgf.execmd.exehggfyu.execmd.exehggfyu.execmd.exe

description	pid	process	target process
PID 2224 wrote to memory of 888	2224	vnhgf.exe	vnhgf.exe
PID 2224 wrote to memory of 888	2224	vnhgf.exe	vnhgf.exe
PID 2224 wrote to memory of 888	2224	vnhgf.exe	vnhgf.exe
PID 2224 wrote to memory of 888	2224	vnhgf.exe	vnhgf.exe
PID 2224 wrote to memory of 888	2224	vnhgf.exe	vnhgf.exe
PID 2224 wrote to memory of 888	2224	vnhgf.exe	vnhgf.exe
PID 2224 wrote to memory of 888	2224	vnhgf.exe	vnhgf.exe
PID 2224 wrote to memory of 3524	2224	vnhgf.exe	cmd.exe
PID 2224 wrote to memory of 3524	2224	vnhgf.exe	cmd.exe
PID 2224 wrote to memory of 3524	2224	vnhgf.exe	cmd.exe
PID 3524 wrote to memory of 2036	3524	cmd.exe	schtasks.exe
PID 3524 wrote to memory of 2036	3524	cmd.exe	schtasks.exe
PID 3524 wrote to memory of 2036	3524	cmd.exe	schtasks.exe
PID 2224 wrote to memory of 3600	2224	vnhgf.exe	cmd.exe
PID 2224 wrote to memory of 3600	2224	vnhgf.exe	cmd.exe
PID 2224 wrote to memory of 3600	2224	vnhgf.exe	cmd.exe
PID 3936 wrote to memory of 3636	3936	hggfyu.exe	hggfyu.exe
PID 3936 wrote to memory of 3636	3936	hggfyu.exe	hggfyu.exe
PID 3936 wrote to memory of 3636	3936	hggfyu.exe	hggfyu.exe
PID 3936 wrote to memory of 3636	3936	hggfyu.exe	hggfyu.exe
PID 3936 wrote to memory of 3636	3936	hggfyu.exe	hggfyu.exe
PID 3936 wrote to memory of 3636	3936	hggfyu.exe	hggfyu.exe
PID 3936 wrote to memory of 3636	3936	hggfyu.exe	hggfyu.exe
PID 3936 wrote to memory of 4768	3936	hggfyu.exe	cmd.exe
PID 3936 wrote to memory of 4768	3936	hggfyu.exe	cmd.exe
PID 3936 wrote to memory of 4768	3936	hggfyu.exe	cmd.exe
PID 4768 wrote to memory of 4616	4768	cmd.exe	schtasks.exe
PID 4768 wrote to memory of 4616	4768	cmd.exe	schtasks.exe
PID 4768 wrote to memory of 4616	4768	cmd.exe	schtasks.exe
PID 3936 wrote to memory of 4648	3936	hggfyu.exe	cmd.exe
PID 3936 wrote to memory of 4648	3936	hggfyu.exe	cmd.exe
PID 3936 wrote to memory of 4648	3936	hggfyu.exe	cmd.exe
PID 3740 wrote to memory of 5044	3740	hggfyu.exe	hggfyu.exe
PID 3740 wrote to memory of 5044	3740	hggfyu.exe	hggfyu.exe
PID 3740 wrote to memory of 5044	3740	hggfyu.exe	hggfyu.exe
PID 3740 wrote to memory of 5044	3740	hggfyu.exe	hggfyu.exe
PID 3740 wrote to memory of 5044	3740	hggfyu.exe	hggfyu.exe
PID 3740 wrote to memory of 5044	3740	hggfyu.exe	hggfyu.exe
PID 3740 wrote to memory of 5044	3740	hggfyu.exe	hggfyu.exe
PID 3740 wrote to memory of 4792	3740	hggfyu.exe	cmd.exe
PID 3740 wrote to memory of 4792	3740	hggfyu.exe	cmd.exe
PID 3740 wrote to memory of 4792	3740	hggfyu.exe	cmd.exe
PID 4792 wrote to memory of 1896	4792	cmd.exe	schtasks.exe
PID 4792 wrote to memory of 1896	4792	cmd.exe	schtasks.exe
PID 4792 wrote to memory of 1896	4792	cmd.exe	schtasks.exe
PID 3740 wrote to memory of 3576	3740	hggfyu.exe	cmd.exe
PID 3740 wrote to memory of 3576	3740	hggfyu.exe	cmd.exe
PID 3740 wrote to memory of 3576	3740	hggfyu.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\vnhgf.exe
"C:\Users\Admin\AppData\Local\Temp\vnhgf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\vnhgf.exe
"C:\Users\Admin\AppData\Local\Temp\vnhgf.exe"
2⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 188
3⤵
- Program crash
PID:488

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2036

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\vnhgf.exe" "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
2⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 888 -ip 888
1⤵
PID:1500

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
"C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
2⤵
- Executes dropped EXE
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 188
3⤵
- Program crash
PID:4056

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4616

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe" "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
2⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3636 -ip 3636
1⤵
PID:4776

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
"C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
2⤵
- Executes dropped EXE
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 188
3⤵
- Program crash
PID:2972

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1896

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe" "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
2⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5044 -ip 5044
1⤵
PID:1260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hggfyu.exe.log
Filesize
612B

MD5
2a9d08fe8550d5c1bd2234a9bba5f499

SHA1
002f0e108e5b1141f507b7e6851b6778a749e223

SHA256
af40b88a9082d1a47f6339d384de9a1936fca4bf8013826bbae4606c988713dd

SHA512
7a0e924ac0209566d7bd63529a9732bd87b4981209bcd7038df61fa9990768d6a7882a18067cd6f1dd5c034f835ca6f0c3da2c6d78ff822165e2027f5d86aedf

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
300.0MB

MD5
a5335343971e56e6ff268dcfe8774ae9

SHA1
25c8a25b5c1dd7913e4447dd15056afd52d95c4a

SHA256
1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734

SHA512
8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
300.0MB

MD5
a5335343971e56e6ff268dcfe8774ae9

SHA1
25c8a25b5c1dd7913e4447dd15056afd52d95c4a

SHA256
1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734

SHA512
8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
300.0MB

MD5
a5335343971e56e6ff268dcfe8774ae9

SHA1
25c8a25b5c1dd7913e4447dd15056afd52d95c4a

SHA256
1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734

SHA512
8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
300.0MB

MD5
a5335343971e56e6ff268dcfe8774ae9

SHA1
25c8a25b5c1dd7913e4447dd15056afd52d95c4a

SHA256
1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734

SHA512
8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
300.0MB

MD5
a5335343971e56e6ff268dcfe8774ae9

SHA1
25c8a25b5c1dd7913e4447dd15056afd52d95c4a

SHA256
1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734

SHA512
8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Download Submit
memory/888-133-0x0000000000000000-mapping.dmp

Download
memory/888-135-0x0000000001160000-0x0000000001544000-memory.dmp

Filesize
3.9MB

Download
memory/888-136-0x0000000001160000-0x0000000001544000-memory.dmp

Filesize
3.9MB

Download
memory/1896-159-0x0000000000000000-mapping.dmp

Download
memory/2036-138-0x0000000000000000-mapping.dmp

Download
memory/2224-130-0x0000000000610000-0x00000000007D2000-memory.dmp

Filesize
1.8MB

Download
memory/2224-132-0x0000000006020000-0x00000000065C4000-memory.dmp

Filesize
5.6MB

Download
memory/2224-131-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/3524-137-0x0000000000000000-mapping.dmp

Download
memory/3576-160-0x0000000000000000-mapping.dmp

Download
memory/3600-139-0x0000000000000000-mapping.dmp

Download
memory/3636-146-0x0000000000B00000-0x0000000000EE4000-memory.dmp

Filesize
3.9MB

Download
memory/3636-147-0x0000000000B00000-0x0000000000EE4000-memory.dmp

Filesize
3.9MB

Download
memory/3636-143-0x0000000000000000-mapping.dmp

Download
memory/3936-142-0x0000000000300000-0x00000000004C2000-memory.dmp

Filesize
1.8MB

Download
memory/4616-149-0x0000000000000000-mapping.dmp

Download
memory/4648-150-0x0000000000000000-mapping.dmp

Download
memory/4768-148-0x0000000000000000-mapping.dmp

Download
memory/4792-156-0x0000000000000000-mapping.dmp

Download
memory/5044-153-0x0000000000000000-mapping.dmp

Download
memory/5044-157-0x0000000000900000-0x0000000000CE4000-memory.dmp

Filesize
3.9MB

Download
memory/5044-158-0x0000000000900000-0x0000000000CE4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads