18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179.exe
Size

149KB
MD5

81fb93642f59e4bb53d7b2f0fab0bf90
SHA1

ad83f040266b7ae86d9b248ddbf435cd5cc39f2b
SHA256

18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179
SHA512

bc34c7d14444b29d0d167472b8b68658bd10fc2a5fe56d8e352ef0326528cbbfa471f66321f147f789b508e2b9f3585fafe1581fbc748ccbda4a0775baf154fd
SSDEEP

3072:Y6CtXQtHE9f5f9b2a5hvYeeV/KqhX/uSKBq17pDDAoDMvbv5de6pDEL00:BCtXO6fjYhy0X/u617FDCvje6uLF

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2296	hgwormlt.exe
3112	czorwvm.exe

Loads dropped DLL 4 IoCs

pid	Process
2012	18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179.exe
2012	18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179.exe
2296	hgwormlt.exe
2296	hgwormlt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Interactive Tunneling Files Scheduler Windows = "C:\\Users\\Admin\\AppData\\Roaming\\btagmxph\\hgwormlt.exe"	18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
3112	czorwvm.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
3112	czorwvm.exe
3112	czorwvm.exe
3112	czorwvm.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
3112	czorwvm.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
3112	czorwvm.exe
2296	hgwormlt.exe
3112	czorwvm.exe
2296	hgwormlt.exe
3112	czorwvm.exe
2296	hgwormlt.exe
3112	czorwvm.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
3112	czorwvm.exe
2296	hgwormlt.exe
3112	czorwvm.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
3112	czorwvm.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
3112	czorwvm.exe
3112	czorwvm.exe
3112	czorwvm.exe
3112	czorwvm.exe
3112	czorwvm.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
2296	hgwormlt.exe
3112	czorwvm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2296	2012	18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179.exe	28
PID 2012 wrote to memory of 2296	2012	18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179.exe	28
PID 2012 wrote to memory of 2296	2012	18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179.exe	28
PID 2012 wrote to memory of 2296	2012	18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179.exe	28
PID 2296 wrote to memory of 3112	2296	hgwormlt.exe	29
PID 2296 wrote to memory of 3112	2296	hgwormlt.exe	29
PID 2296 wrote to memory of 3112	2296	hgwormlt.exe	29
PID 2296 wrote to memory of 3112	2296	hgwormlt.exe	29

C:\Users\Admin\AppData\Local\Temp\18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179.exe
"C:\Users\Admin\AppData\Local\Temp\18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Roaming\btagmxph\hgwormlt.exe
  "C:\Users\Admin\AppData\Roaming\btagmxph\hgwormlt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Roaming\btagmxph\czorwvm.exe
    WATCHDOGPROC "C:\Users\Admin\AppData\Roaming\btagmxph\hgwormlt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\btagmxph\czorwvm.exe

Filesize
149KB

MD5
81fb93642f59e4bb53d7b2f0fab0bf90

SHA1
ad83f040266b7ae86d9b248ddbf435cd5cc39f2b

SHA256
18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179

SHA512
bc34c7d14444b29d0d167472b8b68658bd10fc2a5fe56d8e352ef0326528cbbfa471f66321f147f789b508e2b9f3585fafe1581fbc748ccbda4a0775baf154fd

Download Submit
C:\Users\Admin\AppData\Roaming\btagmxph\czorwvm.exe

Filesize
149KB

MD5
81fb93642f59e4bb53d7b2f0fab0bf90

SHA1
ad83f040266b7ae86d9b248ddbf435cd5cc39f2b

SHA256
18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179

SHA512
bc34c7d14444b29d0d167472b8b68658bd10fc2a5fe56d8e352ef0326528cbbfa471f66321f147f789b508e2b9f3585fafe1581fbc748ccbda4a0775baf154fd

Download Submit
C:\Users\Admin\AppData\Roaming\btagmxph\hgwormlt.exe

Filesize
149KB

MD5
81fb93642f59e4bb53d7b2f0fab0bf90

SHA1
ad83f040266b7ae86d9b248ddbf435cd5cc39f2b

SHA256
18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179

SHA512
bc34c7d14444b29d0d167472b8b68658bd10fc2a5fe56d8e352ef0326528cbbfa471f66321f147f789b508e2b9f3585fafe1581fbc748ccbda4a0775baf154fd

Download Submit
C:\Users\Admin\AppData\Roaming\btagmxph\hgwormlt.exe

Filesize
149KB

MD5
81fb93642f59e4bb53d7b2f0fab0bf90

SHA1
ad83f040266b7ae86d9b248ddbf435cd5cc39f2b

SHA256
18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179

SHA512
bc34c7d14444b29d0d167472b8b68658bd10fc2a5fe56d8e352ef0326528cbbfa471f66321f147f789b508e2b9f3585fafe1581fbc748ccbda4a0775baf154fd

Download Submit
\Users\Admin\AppData\Roaming\btagmxph\czorwvm.exe

Filesize
149KB

MD5
81fb93642f59e4bb53d7b2f0fab0bf90

SHA1
ad83f040266b7ae86d9b248ddbf435cd5cc39f2b

SHA256
18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179

SHA512
bc34c7d14444b29d0d167472b8b68658bd10fc2a5fe56d8e352ef0326528cbbfa471f66321f147f789b508e2b9f3585fafe1581fbc748ccbda4a0775baf154fd

Download Submit
\Users\Admin\AppData\Roaming\btagmxph\czorwvm.exe

Filesize
149KB

MD5
81fb93642f59e4bb53d7b2f0fab0bf90

SHA1
ad83f040266b7ae86d9b248ddbf435cd5cc39f2b

SHA256
18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179

SHA512
bc34c7d14444b29d0d167472b8b68658bd10fc2a5fe56d8e352ef0326528cbbfa471f66321f147f789b508e2b9f3585fafe1581fbc748ccbda4a0775baf154fd

Download Submit
\Users\Admin\AppData\Roaming\btagmxph\hgwormlt.exe

Filesize
149KB

MD5
81fb93642f59e4bb53d7b2f0fab0bf90

SHA1
ad83f040266b7ae86d9b248ddbf435cd5cc39f2b

SHA256
18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179

SHA512
bc34c7d14444b29d0d167472b8b68658bd10fc2a5fe56d8e352ef0326528cbbfa471f66321f147f789b508e2b9f3585fafe1581fbc748ccbda4a0775baf154fd

Download Submit
\Users\Admin\AppData\Roaming\btagmxph\hgwormlt.exe

Filesize
149KB

MD5
81fb93642f59e4bb53d7b2f0fab0bf90

SHA1
ad83f040266b7ae86d9b248ddbf435cd5cc39f2b

SHA256
18b25bdf2ea96fb0fc5b56cfac385556bbaccf3e5382bc15dd1db4feea415179

SHA512
bc34c7d14444b29d0d167472b8b68658bd10fc2a5fe56d8e352ef0326528cbbfa471f66321f147f789b508e2b9f3585fafe1581fbc748ccbda4a0775baf154fd

Download Submit
memory/2296-56-0x0000000000000000-mapping.dmp

Download
memory/3112-61-0x0000000000000000-mapping.dmp

Download