f7ddaa3b1fb3dfd04c5b8944c3626ad9d09d7a94fee3ab384e5c2b7e14bd4465

Analysis

max time kernel
152s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7ddaa3b1fb3dfd04c5b8944c3626ad9d09d7a94fee3ab384e5c2b7e14bd4465.exe
Size

1.4MB
MD5

6d93e74fe9a8a70fff38b93a674f9ac0
SHA1

7863ebe4a14d46dff5c1985db249972d13178f05
SHA256

f7ddaa3b1fb3dfd04c5b8944c3626ad9d09d7a94fee3ab384e5c2b7e14bd4465
SHA512

fff01e3e4ca9ecd72545469fdb0f1f27f0bf14d80af07af7789003e711445ad8d022ba424927ecf7617e5375564a8bcb6c6e2b910c79762ee88ac9214dd02c85
SSDEEP

24576:YW/MfHeQFPao3rtVvGmfO4RcCHCTr4WH4y6b5rBwun5Sd5wC2c+Z08Cz/M:YqyPaIqmfO4SCHGr4WYy69rBwOUdFD+m

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1712	FileHunter.exe
1176	pumpa.exe

Loads dropped DLL 9 IoCs

pid	Process
1764	f7ddaa3b1fb3dfd04c5b8944c3626ad9d09d7a94fee3ab384e5c2b7e14bd4465.exe
1764	f7ddaa3b1fb3dfd04c5b8944c3626ad9d09d7a94fee3ab384e5c2b7e14bd4465.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1176	pumpa.exe
1176	pumpa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\FileHunter Check for updates = "C:\\Users\\Admin\\AppData\\Roaming\\FileHunter\\update.exe"	f7ddaa3b1fb3dfd04c5b8944c3626ad9d09d7a94fee3ab384e5c2b7e14bd4465.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	f7ddaa3b1fb3dfd04c5b8944c3626ad9d09d7a94fee3ab384e5c2b7e14bd4465.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe
1712	FileHunter.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1712	FileHunter.exe
1712	FileHunter.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1712	1764	f7ddaa3b1fb3dfd04c5b8944c3626ad9d09d7a94fee3ab384e5c2b7e14bd4465.exe	28
PID 1764 wrote to memory of 1712	1764	f7ddaa3b1fb3dfd04c5b8944c3626ad9d09d7a94fee3ab384e5c2b7e14bd4465.exe	28
PID 1764 wrote to memory of 1712	1764	f7ddaa3b1fb3dfd04c5b8944c3626ad9d09d7a94fee3ab384e5c2b7e14bd4465.exe	28
PID 1764 wrote to memory of 1712	1764	f7ddaa3b1fb3dfd04c5b8944c3626ad9d09d7a94fee3ab384e5c2b7e14bd4465.exe	28
PID 1764 wrote to memory of 1712	1764	f7ddaa3b1fb3dfd04c5b8944c3626ad9d09d7a94fee3ab384e5c2b7e14bd4465.exe	28
PID 1764 wrote to memory of 1712	1764	f7ddaa3b1fb3dfd04c5b8944c3626ad9d09d7a94fee3ab384e5c2b7e14bd4465.exe	28
PID 1764 wrote to memory of 1712	1764	f7ddaa3b1fb3dfd04c5b8944c3626ad9d09d7a94fee3ab384e5c2b7e14bd4465.exe	28
PID 1712 wrote to memory of 1176	1712	FileHunter.exe	30
PID 1712 wrote to memory of 1176	1712	FileHunter.exe	30
PID 1712 wrote to memory of 1176	1712	FileHunter.exe	30
PID 1712 wrote to memory of 1176	1712	FileHunter.exe	30
PID 1712 wrote to memory of 1176	1712	FileHunter.exe	30
PID 1712 wrote to memory of 1176	1712	FileHunter.exe	30
PID 1712 wrote to memory of 1176	1712	FileHunter.exe	30

C:\Users\Admin\AppData\Local\Temp\f7ddaa3b1fb3dfd04c5b8944c3626ad9d09d7a94fee3ab384e5c2b7e14bd4465.exe
"C:\Users\Admin\AppData\Local\Temp\f7ddaa3b1fb3dfd04c5b8944c3626ad9d09d7a94fee3ab384e5c2b7e14bd4465.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe
  "C:\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe" ""
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Roaming\FileHunter\pumpa.exe
    "C:\Users\Admin\AppData\Roaming\FileHunter\pumpa.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe

Filesize
1.3MB

MD5
0d20e5522926691ec35e29c8bcf414f9

SHA1
7e7e1f96f265dd30c1a35dd445532525c66c002c

SHA256
147e4e7b491fe7ef18b5b539208e3e5ee07c129fdd1862c856faf48d518efd90

SHA512
c04253262f1973d9d5aa7258e829d5e7b68dc2121b831966e64731bd1c5ac1ebfb2dd2fef88725d61b20a5d26114ca1122576c020e421c6c7e920f1a578ab86e

Download Submit
C:\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe

Filesize
1.3MB

MD5
0d20e5522926691ec35e29c8bcf414f9

SHA1
7e7e1f96f265dd30c1a35dd445532525c66c002c

SHA256
147e4e7b491fe7ef18b5b539208e3e5ee07c129fdd1862c856faf48d518efd90

SHA512
c04253262f1973d9d5aa7258e829d5e7b68dc2121b831966e64731bd1c5ac1ebfb2dd2fef88725d61b20a5d26114ca1122576c020e421c6c7e920f1a578ab86e

Download Submit
C:\Users\Admin\AppData\Roaming\FileHunter\pumpa.exe

Filesize
1.6MB

MD5
1a27c69c97c465f53c4b620f2afff9d0

SHA1
6add8e452bfdaea8a6d4db87c624c45230e4142b

SHA256
3120e0e8398d70261ca56a36724980a535ea911807dbeeb5f1515db52c691e44

SHA512
abdd16e98e6e0cb0d621229ea91e604aca1edbf6ba4cab73538abb514ee4585ca9c33b443601fd18ee8ce14a14bef7bbbb9ed45773e619d9b305a477d52007ef

Download Submit
C:\Users\Admin\AppData\Roaming\FileHunter\pumpa.exe

Filesize
1.6MB

MD5
1a27c69c97c465f53c4b620f2afff9d0

SHA1
6add8e452bfdaea8a6d4db87c624c45230e4142b

SHA256
3120e0e8398d70261ca56a36724980a535ea911807dbeeb5f1515db52c691e44

SHA512
abdd16e98e6e0cb0d621229ea91e604aca1edbf6ba4cab73538abb514ee4585ca9c33b443601fd18ee8ce14a14bef7bbbb9ed45773e619d9b305a477d52007ef

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe

Filesize
1.3MB

MD5
0d20e5522926691ec35e29c8bcf414f9

SHA1
7e7e1f96f265dd30c1a35dd445532525c66c002c

SHA256
147e4e7b491fe7ef18b5b539208e3e5ee07c129fdd1862c856faf48d518efd90

SHA512
c04253262f1973d9d5aa7258e829d5e7b68dc2121b831966e64731bd1c5ac1ebfb2dd2fef88725d61b20a5d26114ca1122576c020e421c6c7e920f1a578ab86e

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe

Filesize
1.3MB

MD5
0d20e5522926691ec35e29c8bcf414f9

SHA1
7e7e1f96f265dd30c1a35dd445532525c66c002c

SHA256
147e4e7b491fe7ef18b5b539208e3e5ee07c129fdd1862c856faf48d518efd90

SHA512
c04253262f1973d9d5aa7258e829d5e7b68dc2121b831966e64731bd1c5ac1ebfb2dd2fef88725d61b20a5d26114ca1122576c020e421c6c7e920f1a578ab86e

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe

Filesize
1.3MB

MD5
0d20e5522926691ec35e29c8bcf414f9

SHA1
7e7e1f96f265dd30c1a35dd445532525c66c002c

SHA256
147e4e7b491fe7ef18b5b539208e3e5ee07c129fdd1862c856faf48d518efd90

SHA512
c04253262f1973d9d5aa7258e829d5e7b68dc2121b831966e64731bd1c5ac1ebfb2dd2fef88725d61b20a5d26114ca1122576c020e421c6c7e920f1a578ab86e

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe

Filesize
1.3MB

MD5
0d20e5522926691ec35e29c8bcf414f9

SHA1
7e7e1f96f265dd30c1a35dd445532525c66c002c

SHA256
147e4e7b491fe7ef18b5b539208e3e5ee07c129fdd1862c856faf48d518efd90

SHA512
c04253262f1973d9d5aa7258e829d5e7b68dc2121b831966e64731bd1c5ac1ebfb2dd2fef88725d61b20a5d26114ca1122576c020e421c6c7e920f1a578ab86e

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe

Filesize
1.3MB

MD5
0d20e5522926691ec35e29c8bcf414f9

SHA1
7e7e1f96f265dd30c1a35dd445532525c66c002c

SHA256
147e4e7b491fe7ef18b5b539208e3e5ee07c129fdd1862c856faf48d518efd90

SHA512
c04253262f1973d9d5aa7258e829d5e7b68dc2121b831966e64731bd1c5ac1ebfb2dd2fef88725d61b20a5d26114ca1122576c020e421c6c7e920f1a578ab86e

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\pumpa.exe

Filesize
1.6MB

MD5
1a27c69c97c465f53c4b620f2afff9d0

SHA1
6add8e452bfdaea8a6d4db87c624c45230e4142b

SHA256
3120e0e8398d70261ca56a36724980a535ea911807dbeeb5f1515db52c691e44

SHA512
abdd16e98e6e0cb0d621229ea91e604aca1edbf6ba4cab73538abb514ee4585ca9c33b443601fd18ee8ce14a14bef7bbbb9ed45773e619d9b305a477d52007ef

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\pumpa.exe

Filesize
1.6MB

MD5
1a27c69c97c465f53c4b620f2afff9d0

SHA1
6add8e452bfdaea8a6d4db87c624c45230e4142b

SHA256
3120e0e8398d70261ca56a36724980a535ea911807dbeeb5f1515db52c691e44

SHA512
abdd16e98e6e0cb0d621229ea91e604aca1edbf6ba4cab73538abb514ee4585ca9c33b443601fd18ee8ce14a14bef7bbbb9ed45773e619d9b305a477d52007ef

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\pumpa.exe

Filesize
1.6MB

MD5
1a27c69c97c465f53c4b620f2afff9d0

SHA1
6add8e452bfdaea8a6d4db87c624c45230e4142b

SHA256
3120e0e8398d70261ca56a36724980a535ea911807dbeeb5f1515db52c691e44

SHA512
abdd16e98e6e0cb0d621229ea91e604aca1edbf6ba4cab73538abb514ee4585ca9c33b443601fd18ee8ce14a14bef7bbbb9ed45773e619d9b305a477d52007ef

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\pumpa.exe

Filesize
1.6MB

MD5
1a27c69c97c465f53c4b620f2afff9d0

SHA1
6add8e452bfdaea8a6d4db87c624c45230e4142b

SHA256
3120e0e8398d70261ca56a36724980a535ea911807dbeeb5f1515db52c691e44

SHA512
abdd16e98e6e0cb0d621229ea91e604aca1edbf6ba4cab73538abb514ee4585ca9c33b443601fd18ee8ce14a14bef7bbbb9ed45773e619d9b305a477d52007ef

Download Submit
memory/1764-54-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download