Analysis
- max time kernel: 116s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 19-09-2022 18:43
Static task: static1
Behavioral task: behavioral1
- Sample: Backdoor.Win32.Hupigon.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: Backdoor.Win32.Hupigon.exe
- Resource: win10v2004-20220901-en
General
- Target: Backdoor.Win32.Hupigon.exe
- Size: 613KB
- MD5: 03c4dbf772380a46f0d71795e1ce6bf2
- SHA1: 8366bc0858d21f07573b08de57d662a2a1a24c51
- SHA256: ed125acd9eaf97bc0fd455dd4eb257cfa662c4b96024d03678ddb35db035373b
- SHA512: 251343fd85a4538aee24628a84662badd0d61bf38ffa8d239e21b74043805b18e5ebfd6a71070f8dcb7242ad1bb5456b2f7f50a1ca585e8a308656f88c9e2351
- SSDEEP: 12288:jKFa0zkNhGNnoOx7Tz98HtoIUAtF3Z4mxxnDqVTVOCkEXW:jKjkN4iqXzyOmQmX2VTzkn
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 1788, process twunk_64.exe
- Deletes itself (1 IoC)
  pid 1704, process cmd.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\twunk_64.exe | Backdoor.Win32.Hupigon.exe
  File created | C:\Windows\Delete.bat | Backdoor.Win32.Hupigon.exe
  File created | C:\Windows\twunk_64.exe | Backdoor.Win32.Hupigon.exe
- Modifies data under HKEY_USERS (9 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet | twunk_64.exe
  Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick | twunk_64.exe
  Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm | twunk_64.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1" | twunk_64.exe
  Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm | twunk_64.exe
  Key created | \REGISTRY\USER\.DEFAULT\System | twunk_64.exe
  Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control | twunk_64.exe
  Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties | twunk_64.exe
  Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties | twunk_64.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 1788, process twunk_64.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | procid_target
  PID 1788 wrote to memory of 1720 | 1788 | twunk_64.exe | 28
  PID 1788 wrote to memory of 1720 | 1788 | twunk_64.exe | 28
  PID 1788 wrote to memory of 1720 | 1788 | twunk_64.exe | 28
  PID 1788 wrote to memory of 1720 | 1788 | twunk_64.exe | 28
  PID 1060 wrote to memory of 1704 | 1060 | Backdoor.Win32.Hupigon.exe | 29
  PID 1060 wrote to memory of 1704 | 1060 | Backdoor.Win32.Hupigon.exe | 29
  PID 1060 wrote to memory of 1704 | 1060 | Backdoor.Win32.Hupigon.exe | 29
  PID 1060 wrote to memory of 1704 | 1060 | Backdoor.Win32.Hupigon.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Hupigon.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Hupigon.exe"
  PID: 1060
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of PID 1060)
    Command line: cmd /c C:\Windows\Delete.bat
    PID: 1704
    - Deletes itself
- C:\Windows\twunk_64.exe
  Command line: C:\Windows\twunk_64.exe
  PID: 1788
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (child of PID 1788)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    PID: 1720
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x40c
  PID: 1496
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 166B
  MD5: 48b3de545aa164eacb2eb266c381deab
  SHA1: aeae04d954b94fcc90c432d3ed00116d846e420e
  SHA256: 6abee46232fe488bca9dc7f2162bb54b1001fd63f5e19c4cd6ec5ca0591134aa
  SHA512: 625fd497f9f110f23f1599630a2d372bfd460b46f8d09421a14b0bf03c2648bf126a0c11eb9d3829b2ea04c9e42df2cbf1609875778a7481028d7fdda0728d55
- Filesize: 613KB
  MD5: 03c4dbf772380a46f0d71795e1ce6bf2
  SHA1: 8366bc0858d21f07573b08de57d662a2a1a24c51
  SHA256: ed125acd9eaf97bc0fd455dd4eb257cfa662c4b96024d03678ddb35db035373b
  SHA512: 251343fd85a4538aee24628a84662badd0d61bf38ffa8d239e21b74043805b18e5ebfd6a71070f8dcb7242ad1bb5456b2f7f50a1ca585e8a308656f88c9e2351
- Filesize: 613KB
  MD5: 03c4dbf772380a46f0d71795e1ce6bf2
  SHA1: 8366bc0858d21f07573b08de57d662a2a1a24c51
  SHA256: ed125acd9eaf97bc0fd455dd4eb257cfa662c4b96024d03678ddb35db035373b
  SHA512: 251343fd85a4538aee24628a84662badd0d61bf38ffa8d239e21b74043805b18e5ebfd6a71070f8dcb7242ad1bb5456b2f7f50a1ca585e8a308656f88c9e2351