12d5fbff1e80dd9734832239666db3e54ee5f07f03d4c285a04ce69067b96d69

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Backdoor.Win32.Hupigon.exe
Size

613KB
MD5

03c4dbf772380a46f0d71795e1ce6bf2
SHA1

8366bc0858d21f07573b08de57d662a2a1a24c51
SHA256

ed125acd9eaf97bc0fd455dd4eb257cfa662c4b96024d03678ddb35db035373b
SHA512

251343fd85a4538aee24628a84662badd0d61bf38ffa8d239e21b74043805b18e5ebfd6a71070f8dcb7242ad1bb5456b2f7f50a1ca585e8a308656f88c9e2351
SSDEEP

12288:jKFa0zkNhGNnoOx7Tz98HtoIUAtF3Z4mxxnDqVTVOCkEXW:jKjkN4iqXzyOmQmX2VTzkn

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3488	twunk_64.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\twunk_64.exe	Backdoor.Win32.Hupigon.exe
File opened for modification	C:\Windows\twunk_64.exe	Backdoor.Win32.Hupigon.exe
File created	C:\Windows\Delete.bat	Backdoor.Win32.Hupigon.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3488	twunk_64.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 2240	4856	Backdoor.Win32.Hupigon.exe	84
PID 4856 wrote to memory of 2240	4856	Backdoor.Win32.Hupigon.exe	84
PID 4856 wrote to memory of 2240	4856	Backdoor.Win32.Hupigon.exe	84
PID 3488 wrote to memory of 1660	3488	twunk_64.exe	85
PID 3488 wrote to memory of 1660	3488	twunk_64.exe	85

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Hupigon.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Hupigon.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\Delete.bat
  2⤵
  PID:2240

C:\Windows\twunk_64.exe
C:\Windows\twunk_64.exe
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Delete.bat

Filesize
166B

MD5
48b3de545aa164eacb2eb266c381deab

SHA1
aeae04d954b94fcc90c432d3ed00116d846e420e

SHA256
6abee46232fe488bca9dc7f2162bb54b1001fd63f5e19c4cd6ec5ca0591134aa

SHA512
625fd497f9f110f23f1599630a2d372bfd460b46f8d09421a14b0bf03c2648bf126a0c11eb9d3829b2ea04c9e42df2cbf1609875778a7481028d7fdda0728d55

Download Submit
C:\Windows\twunk_64.exe

Filesize
613KB

MD5
03c4dbf772380a46f0d71795e1ce6bf2

SHA1
8366bc0858d21f07573b08de57d662a2a1a24c51

SHA256
ed125acd9eaf97bc0fd455dd4eb257cfa662c4b96024d03678ddb35db035373b

SHA512
251343fd85a4538aee24628a84662badd0d61bf38ffa8d239e21b74043805b18e5ebfd6a71070f8dcb7242ad1bb5456b2f7f50a1ca585e8a308656f88c9e2351

Download Submit
C:\Windows\twunk_64.exe

Filesize
613KB

MD5
03c4dbf772380a46f0d71795e1ce6bf2

SHA1
8366bc0858d21f07573b08de57d662a2a1a24c51

SHA256
ed125acd9eaf97bc0fd455dd4eb257cfa662c4b96024d03678ddb35db035373b

SHA512
251343fd85a4538aee24628a84662badd0d61bf38ffa8d239e21b74043805b18e5ebfd6a71070f8dcb7242ad1bb5456b2f7f50a1ca585e8a308656f88c9e2351

Download Submit
memory/3488-141-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/3488-142-0x0000000000EF0000-0x0000000000F44000-memory.dmp

Filesize
336KB

Download
memory/3488-143-0x0000000002020000-0x0000000002120000-memory.dmp

Filesize
1024KB

Download
memory/3488-144-0x0000000002010000-0x0000000002015000-memory.dmp

Filesize
20KB

Download
memory/3488-145-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/3488-146-0x0000000002020000-0x0000000002120000-memory.dmp

Filesize
1024KB

Download
memory/4856-135-0x0000000003490000-0x0000000003495000-memory.dmp

Filesize
20KB

Download
memory/4856-134-0x00000000034A0000-0x00000000035A0000-memory.dmp

Filesize
1024KB

Download
memory/4856-139-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/4856-133-0x00000000022E0000-0x0000000002334000-memory.dmp

Filesize
336KB

Download
memory/4856-132-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads