672b85f8da0e1097b68e21719f75acfc8b2aa5e946b39c04d56cf214e63e564a

Analysis

max time kernel
91s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2022, 09:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

672b85f8da0e1097b68e21719f75acfc8b2aa5e946b39c04d56cf214e63e564a.exe
Size

196KB
MD5

602d9016b0b2e5eb2e76ee54fd2e00c0
SHA1

a0dd0cf7c9ac50b6eb9fc99d4e0095003828a295
SHA256

672b85f8da0e1097b68e21719f75acfc8b2aa5e946b39c04d56cf214e63e564a
SHA512

441d0521a905ba579c661bf040152cb3a960cd884a22ac5ad3984a72de9e706cac4eefed14c6a5f98fefe8a8d4c6685a29e5dc35e6c16e9a877ceffb6f9bd176
SSDEEP

3072:VFEDp9qJBwjC/2EQvR2OlzY75ETQg0/3Y9X33cWRTsuZfT:3o9z2ETQp/YN335RwuZb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2116	hpkeos.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	hpkeos.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	hpkeos.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	hpkeos.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\xhpke\\command	hpkeos.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	hpkeos.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\xhpke	hpkeos.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\xhpke	hpkeos.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4136	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 4932	4988	672b85f8da0e1097b68e21719f75acfc8b2aa5e946b39c04d56cf214e63e564a.exe	82
PID 4988 wrote to memory of 4932	4988	672b85f8da0e1097b68e21719f75acfc8b2aa5e946b39c04d56cf214e63e564a.exe	82
PID 4988 wrote to memory of 4932	4988	672b85f8da0e1097b68e21719f75acfc8b2aa5e946b39c04d56cf214e63e564a.exe	82
PID 4932 wrote to memory of 2116	4932	cmd.exe	84
PID 4932 wrote to memory of 2116	4932	cmd.exe	84
PID 4932 wrote to memory of 2116	4932	cmd.exe	84
PID 4932 wrote to memory of 4136	4932	cmd.exe	85
PID 4932 wrote to memory of 4136	4932	cmd.exe	85
PID 4932 wrote to memory of 4136	4932	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\672b85f8da0e1097b68e21719f75acfc8b2aa5e946b39c04d56cf214e63e564a.exe
"C:\Users\Admin\AppData\Local\Temp\672b85f8da0e1097b68e21719f75acfc8b2aa5e946b39c04d56cf214e63e564a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tprexdy.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\hpkeos.exe
    "C:\Users\Admin\AppData\Local\Temp\hpkeos.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2116
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hpkeos.exe

Filesize
148KB

MD5
5959cc636d01a6340fe87226a39628b1

SHA1
590aeabae9ebf437a296c4fa3ea893cbef941b36

SHA256
e3635246f0c51ab3b64b5893e97457154555772d20a5f387c09e167f59517ac5

SHA512
9b4dabcc92323a767eb4e12ba66232a29d962ca968f70755526a1ce293f1eebaad652af31d12699dac3bcf1b070ee4b421e5b836f572395ced30bb9ee6bad718

Download Submit
C:\Users\Admin\AppData\Local\Temp\hpkeos.exe

Filesize
148KB

MD5
5959cc636d01a6340fe87226a39628b1

SHA1
590aeabae9ebf437a296c4fa3ea893cbef941b36

SHA256
e3635246f0c51ab3b64b5893e97457154555772d20a5f387c09e167f59517ac5

SHA512
9b4dabcc92323a767eb4e12ba66232a29d962ca968f70755526a1ce293f1eebaad652af31d12699dac3bcf1b070ee4b421e5b836f572395ced30bb9ee6bad718

Download Submit
C:\Users\Admin\AppData\Local\Temp\tprexdy.bat

Filesize
124B

MD5
f7571fcf9142fa24f9f8226fa5053b29

SHA1
1a970660be4b79dd9a144f1f7e01a1d7d7c1e4e9

SHA256
11501bf557789f7fec346abdd4652f3b0c0769a28c9e36d8a906886d9b6dc10c

SHA512
cf0fb9ec61f4c05eaf6c4bc975b68cad2f0cd976213eaa3b23e7e3b0cf1bfb2e70fd9396dbd5d5e595881208c5656fc7814c754b55b06f4b6fda6891e32b23f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttblhx.bat

Filesize
188B

MD5
63f5c63a47b3d621858b177c67b6d9ec

SHA1
4d167b4ef83f402929b8a0c5a659acc5f65050c0

SHA256
f821b77714d6fc51dde5bb12de1ef96967d64fb14dc2ecdfada167984a9e834c

SHA512
f88070d623f08d68f3f470a50f6500e7b087cc91cb9dbb60fc53b33a3c4f9a59d8fb54f101751d79e5888bcb83abec5326bb9d173c75208dc370bd30fb484626

Download Submit