68599aed1a59ea181bd317a0ac5ec38b57c2537c4ef3ef606708576bf87036c7

General

Target

vnhgf.exe
Size

300.0MB
MD5

a5335343971e56e6ff268dcfe8774ae9
SHA1

25c8a25b5c1dd7913e4447dd15056afd52d95c4a
SHA256

1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734
SHA512

8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

hggfyu.exehggfyu.exehggfyu.exehggfyu.exe

pid process

1752 hggfyu.exe
1388 hggfyu.exe
2320 hggfyu.exe
4592 hggfyu.exe

pid	process
1752	hggfyu.exe
1388	hggfyu.exe
2320	hggfyu.exe
4592	hggfyu.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1496-135-0x0000000000F10000-0x00000000012F4000-memory.dmp	upx
behavioral2/memory/1496-136-0x0000000000F10000-0x00000000012F4000-memory.dmp	upx
behavioral2/memory/1388-149-0x00000000009B0000-0x0000000000D94000-memory.dmp	upx
behavioral2/memory/1388-150-0x00000000009B0000-0x0000000000D94000-memory.dmp	upx
behavioral2/memory/4592-158-0x0000000000790000-0x0000000000B74000-memory.dmp	upx
behavioral2/memory/4592-159-0x0000000000790000-0x0000000000B74000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

Processes:

vnhgf.exehggfyu.exehggfyu.exe

description	pid	process	target process
PID 3360 set thread context of 1496	3360	vnhgf.exe	vnhgf.exe
PID 1752 set thread context of 1388	1752	hggfyu.exe	hggfyu.exe
PID 2320 set thread context of 4592	2320	hggfyu.exe	hggfyu.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
220	1496	WerFault.exe	vnhgf.exe
3888	1388	WerFault.exe	hggfyu.exe
4004	1388	WerFault.exe	hggfyu.exe
2092	4592	WerFault.exe	hggfyu.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3280 schtasks.exe
4780 schtasks.exe
3172 schtasks.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vnhgf.exehggfyu.exehggfyu.exe

description pid process

Token: SeDebugPrivilege 3360 vnhgf.exe
Token: SeDebugPrivilege 1752 hggfyu.exe
Token: SeDebugPrivilege 2320 hggfyu.exe

pid	process
3280	schtasks.exe
4780	schtasks.exe
3172	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	3360	vnhgf.exe
Token: SeDebugPrivilege	1752	hggfyu.exe
Token: SeDebugPrivilege	2320	hggfyu.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

vnhgf.execmd.exehggfyu.execmd.exehggfyu.exehggfyu.execmd.exe

description	pid	process	target process
PID 3360 wrote to memory of 1496	3360	vnhgf.exe	vnhgf.exe
PID 3360 wrote to memory of 1496	3360	vnhgf.exe	vnhgf.exe
PID 3360 wrote to memory of 1496	3360	vnhgf.exe	vnhgf.exe
PID 3360 wrote to memory of 1496	3360	vnhgf.exe	vnhgf.exe
PID 3360 wrote to memory of 1496	3360	vnhgf.exe	vnhgf.exe
PID 3360 wrote to memory of 1496	3360	vnhgf.exe	vnhgf.exe
PID 3360 wrote to memory of 1496	3360	vnhgf.exe	vnhgf.exe
PID 3360 wrote to memory of 1324	3360	vnhgf.exe	cmd.exe
PID 3360 wrote to memory of 1324	3360	vnhgf.exe	cmd.exe
PID 3360 wrote to memory of 1324	3360	vnhgf.exe	cmd.exe
PID 1324 wrote to memory of 3280	1324	cmd.exe	schtasks.exe
PID 1324 wrote to memory of 3280	1324	cmd.exe	schtasks.exe
PID 1324 wrote to memory of 3280	1324	cmd.exe	schtasks.exe
PID 3360 wrote to memory of 4000	3360	vnhgf.exe	cmd.exe
PID 3360 wrote to memory of 4000	3360	vnhgf.exe	cmd.exe
PID 3360 wrote to memory of 4000	3360	vnhgf.exe	cmd.exe
PID 1752 wrote to memory of 1388	1752	hggfyu.exe	hggfyu.exe
PID 1752 wrote to memory of 1388	1752	hggfyu.exe	hggfyu.exe
PID 1752 wrote to memory of 1388	1752	hggfyu.exe	hggfyu.exe
PID 1752 wrote to memory of 1388	1752	hggfyu.exe	hggfyu.exe
PID 1752 wrote to memory of 1388	1752	hggfyu.exe	hggfyu.exe
PID 1752 wrote to memory of 1388	1752	hggfyu.exe	hggfyu.exe
PID 1752 wrote to memory of 1388	1752	hggfyu.exe	hggfyu.exe
PID 1752 wrote to memory of 3536	1752	hggfyu.exe	cmd.exe
PID 1752 wrote to memory of 3536	1752	hggfyu.exe	cmd.exe
PID 1752 wrote to memory of 3536	1752	hggfyu.exe	cmd.exe
PID 3536 wrote to memory of 4780	3536	cmd.exe	schtasks.exe
PID 3536 wrote to memory of 4780	3536	cmd.exe	schtasks.exe
PID 3536 wrote to memory of 4780	3536	cmd.exe	schtasks.exe
PID 1752 wrote to memory of 4952	1752	hggfyu.exe	cmd.exe
PID 1752 wrote to memory of 4952	1752	hggfyu.exe	cmd.exe
PID 1752 wrote to memory of 4952	1752	hggfyu.exe	cmd.exe
PID 1388 wrote to memory of 4004	1388	hggfyu.exe	WerFault.exe
PID 1388 wrote to memory of 4004	1388	hggfyu.exe	WerFault.exe
PID 1388 wrote to memory of 4004	1388	hggfyu.exe	WerFault.exe
PID 2320 wrote to memory of 4592	2320	hggfyu.exe	hggfyu.exe
PID 2320 wrote to memory of 4592	2320	hggfyu.exe	hggfyu.exe
PID 2320 wrote to memory of 4592	2320	hggfyu.exe	hggfyu.exe
PID 2320 wrote to memory of 4592	2320	hggfyu.exe	hggfyu.exe
PID 2320 wrote to memory of 4592	2320	hggfyu.exe	hggfyu.exe
PID 2320 wrote to memory of 4592	2320	hggfyu.exe	hggfyu.exe
PID 2320 wrote to memory of 4592	2320	hggfyu.exe	hggfyu.exe
PID 2320 wrote to memory of 1112	2320	hggfyu.exe	cmd.exe
PID 2320 wrote to memory of 1112	2320	hggfyu.exe	cmd.exe
PID 2320 wrote to memory of 1112	2320	hggfyu.exe	cmd.exe
PID 1112 wrote to memory of 3172	1112	cmd.exe	schtasks.exe
PID 1112 wrote to memory of 3172	1112	cmd.exe	schtasks.exe
PID 1112 wrote to memory of 3172	1112	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\vnhgf.exe
"C:\Users\Admin\AppData\Local\Temp\vnhgf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3360

C:\Users\Admin\AppData\Local\Temp\vnhgf.exe
"C:\Users\Admin\AppData\Local\Temp\vnhgf.exe"
2⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 188
3⤵
- Program crash
PID:220

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3280

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\vnhgf.exe" "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
2⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1496 -ip 1496
1⤵
PID:5024

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
"C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 188
3⤵
- Program crash
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 188
3⤵
- Program crash
PID:4004

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4780

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe" "C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
2⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1388 -ip 1388
1⤵
PID:4684

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
"C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe"
2⤵
- Executes dropped EXE
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 188
3⤵
- Program crash
PID:2092

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4592 -ip 4592
1⤵
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hggfyu.exe.log
Filesize
612B

MD5
2a9d08fe8550d5c1bd2234a9bba5f499

SHA1
002f0e108e5b1141f507b7e6851b6778a749e223

SHA256
af40b88a9082d1a47f6339d384de9a1936fca4bf8013826bbae4606c988713dd

SHA512
7a0e924ac0209566d7bd63529a9732bd87b4981209bcd7038df61fa9990768d6a7882a18067cd6f1dd5c034f835ca6f0c3da2c6d78ff822165e2027f5d86aedf

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
300.0MB

MD5
a5335343971e56e6ff268dcfe8774ae9

SHA1
25c8a25b5c1dd7913e4447dd15056afd52d95c4a

SHA256
1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734

SHA512
8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
300.0MB

MD5
a5335343971e56e6ff268dcfe8774ae9

SHA1
25c8a25b5c1dd7913e4447dd15056afd52d95c4a

SHA256
1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734

SHA512
8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
300.0MB

MD5
a5335343971e56e6ff268dcfe8774ae9

SHA1
25c8a25b5c1dd7913e4447dd15056afd52d95c4a

SHA256
1a66d08dd756f9fe6f3e936fb3b7c245d46b267c2512c997df86030e9d634734

SHA512
8ef2c8eff3ea1c26fd5c202aaad0fb6e6c2f895b791e47422aa7a34b879633d531d43328767b82df977ad53528d21359897f701c0e8d1018ca935c353aa91ca4

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
296.0MB

MD5
7b7309b8fa7690c6e809ee8fcad144d4

SHA1
3805acf0624ef37299503165d4ad7847286d99c4

SHA256
d62438f28afbb73d023938649db3d9ac9caac670b466f6e047dfa41e9eb53da1

SHA512
a7589d06636ea2b2b5078644486dfec8ef04f1ac05c1611a3820a05f977efabfab4dd3b8886847ec80f39f8c25402d243e9ea3ce063ed8bc710da90c7a19ea23

Download Submit
C:\Users\Admin\AppData\Roaming\hggfyu\hggfyu.exe
Filesize
56.7MB

MD5
1f99bb80013bae0653190b9f50985246

SHA1
c3c86eb23b07fbfef1ff170c6eeff4252bba0e46

SHA256
fbb3736fe3b3ba7a4b3516f6bb2c89e8df5520738d5bf0b8063512d820de9f29

SHA512
8c8e3c59d1c332bd0ba8bdaf7b87dbdd75914d7472aa31b521d1dfcf55ed29fa4468c87634c859af9f6e87fd7269b89d5b491388f57cf2b20b772e548ba9911b

Download Submit
memory/1112-160-0x0000000000000000-mapping.dmp

Download
memory/1324-137-0x0000000000000000-mapping.dmp

Download
memory/1388-143-0x0000000000000000-mapping.dmp

Download
memory/1388-150-0x00000000009B0000-0x0000000000D94000-memory.dmp

Filesize
3.9MB

Download
memory/1388-149-0x00000000009B0000-0x0000000000D94000-memory.dmp

Filesize
3.9MB

Download
memory/1496-135-0x0000000000F10000-0x00000000012F4000-memory.dmp

Filesize
3.9MB

Download
memory/1496-136-0x0000000000F10000-0x00000000012F4000-memory.dmp

Filesize
3.9MB

Download
memory/1496-133-0x0000000000000000-mapping.dmp

Download
memory/1752-142-0x0000000000200000-0x00000000003C2000-memory.dmp

Filesize
1.8MB

Download
memory/2320-154-0x0000000000200000-0x00000000003C2000-memory.dmp

Filesize
1.8MB

Download
memory/3172-161-0x0000000000000000-mapping.dmp

Download
memory/3280-138-0x0000000000000000-mapping.dmp

Download
memory/3360-130-0x0000000000D40000-0x0000000000F02000-memory.dmp

Filesize
1.8MB

Download
memory/3360-132-0x00000000059D0000-0x0000000005F74000-memory.dmp

Filesize
5.6MB

Download
memory/3360-131-0x00000000053B0000-0x0000000005416000-memory.dmp

Filesize
408KB

Download
memory/3536-146-0x0000000000000000-mapping.dmp

Download
memory/4000-139-0x0000000000000000-mapping.dmp

Download
memory/4004-151-0x0000000000000000-mapping.dmp

Download
memory/4592-155-0x0000000000000000-mapping.dmp

Download
memory/4592-158-0x0000000000790000-0x0000000000B74000-memory.dmp

Filesize
3.9MB

Download
memory/4592-159-0x0000000000790000-0x0000000000B74000-memory.dmp

Filesize
3.9MB

Download
memory/4780-147-0x0000000000000000-mapping.dmp

Download
memory/4952-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads