ce5e37fe2bf143ea8af75a9e409ba534908e94b95fa1977ba5b74451267a5a71 | Triage

Analysis

max time kernel
225s
max time network
228s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2022 15:25

Sharing

Report Analysis Logs

General

Target

pss10r.chm
Size

392KB
MD5

56427f0a59b3143217906b2d2ca54c22
SHA1

217bbbf2e8fdbd931e2f9a187ec7acc5d6df4240
SHA256

6186cb37b4f79af5ba3cfae14e6cac77890b9ad5c1ecdaf5c586f1d4a18fb736
SHA512

43f549658ac009435899fa83180e29f07480dd3845a62515d9903762d61d81e4bfed7d7b1a85b177b22b37b5fdb9821e7144dd97fcda65f458b1a3814b56641f
SSDEEP

6144:mWDGvSvzMJP0MFNZQFsI5w3IohQsEuzzH1Skh3j/A4FCR4CKK3xhkio:mQGabxkvqw3BAeH1SkdIyazHhkD

Score

1^/10

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

hh.exe

pid process

1188 hh.exe
1188 hh.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

hh.execmd.exe

description	pid	process	target process
PID 1188 wrote to memory of 5100	1188	hh.exe	cmd.exe
PID 1188 wrote to memory of 5100	1188	hh.exe	cmd.exe
PID 5100 wrote to memory of 1492	5100	cmd.exe	mshta.exe
PID 5100 wrote to memory of 1492	5100	cmd.exe	mshta.exe

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\pss10r.chm
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start/min mshta %CD%\pss10r.chm
2⤵
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\system32\mshta.exe
mshta C:\Users\Admin\AppData\Local\Temp\pss10r.chm
3⤵
PID:1492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1492-134-0x0000000000000000-mapping.dmp

Download
memory/5100-133-0x0000000000000000-mapping.dmp

Download