Analysis

  • max time kernel
    39s
  • max time network
    44s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/11/2022, 23:36

Errors

Reason
Machine shutdown

General

  • Target

    5816ea15122f215645469fd809973a07c914ffd3a6032a92206ab06bb2ef711c.exe

  • Size

    244KB

  • MD5

    4741f3c291f48e4355983f4c202dbcb5

  • SHA1

    49f5df0cbcc827aa114be3fc269fa3feb600547e

  • SHA256

    5816ea15122f215645469fd809973a07c914ffd3a6032a92206ab06bb2ef711c

  • SHA512

    748412ac4c6423f4b2f9806e8485131d34416fadf0b6238b64ea5576943754dfa36496647a826349af01a6f1798fd5b7e56381d6b6599a6f114c5cbcb0f59c05

  • SSDEEP

    6144:2LD1gvcfPbnFTEYEKNuZAlKUsut/m7pbprqcTBwSki3TmyM:K2gbnFAYEKEZAlKUFJiHXBwS3TQ

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 5 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5816ea15122f215645469fd809973a07c914ffd3a6032a92206ab06bb2ef711c.exe
    "C:\Users\Admin\AppData\Local\Temp\5816ea15122f215645469fd809973a07c914ffd3a6032a92206ab06bb2ef711c.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3096
    • C:\Users\Admin\AppData\Local\Temp\hov.exe
      "C:\Users\Admin\AppData\Local\Temp\hov.exe"
      2⤵
      • Executes dropped EXE
      • Sets DLL path for service in the registry
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2496
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Iprip
    1⤵
    • Sets DLL path for service in the registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4224
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3981855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2252

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\hov.exe

          Filesize

          20KB

          MD5

          6deadc8b2023da2254381fad0da17f9e

          SHA1

          c4c75c13813775311dd0abde4e6e8425e980040e

          SHA256

          30efcb6689550e1a0a4afee34c9e6ea54f552eb8dd63cbaf7adab08e95141c82

          SHA512

          1cb8c77ed0a30683c04376ab3bee41cf045ed3dc87474c1c3e0fd66b488c4ef59ebd01e141bd8fc10695fca55b9bf067b7c2799b9689251a70c810e68be8bfeb

        • C:\Windows\SysWOW64\fsutk.dll

          Filesize

          116KB

          MD5

          ccebb21549fedbfa11f319198bc43803

          SHA1

          f822321ca4cb8821fd038c77827c5ea38ebac6e2

          SHA256

          1db2265a0bbdc02821f226b88ad0bdcf176c9ba4607397a135453937a82bbcf0

          SHA512

          837dd6ff69b07f20d12a7881f3e39b5b0cb0deba34b9044ecc86d6eaf01eda5ce9bce62d025bc73d19d05a26204dcc6e4bf911fb75854f77f7451e166a3600f4

        • C:\Windows\SysWOW64\liprip.dll

          Filesize

          84KB

          MD5

          9be1ab312e62a55c52e924169886be5a

          SHA1

          02c884978e94ce1dd49a4a923954ec17652eba36

          SHA256

          984867ab146f62d99ec9a0dac2968ace26445aedbe11d3406aec9d6030d9d271

          SHA512

          c82eb0912096e21f41cbb572c9c8437bbeb9e9cfe4e3d26bf1005e1ef38dbeeb2f068dd61252d370e99e9ca609f6f61adee64d23ceb8dd0ae0c1723a1b714c44

        • \??\c:\$Recycle.bin\int.dat

          Filesize

          220KB

          MD5

          3f2d9177b63985de4e274a996b0e069b

          SHA1

          9f33179f4c5f1a3e2298a3f29098e0665b42f1f0

          SHA256

          f4698a8d995e79a68360663d8f7cddd8fabdd3164ac075e93c7125b2de4e406b

          SHA512

          793b34a9d72387470335a1957d1fa57fcf143aa1d1a0e3e5bbc02fecb51014a2478ebcc966b5c83803c6bcdef62a63e9998c9ff7b1bced677928ef743f2ba4ec

        • \??\c:\windows\SysWOW64\liprip.dll

          Filesize

          84KB

          MD5

          9be1ab312e62a55c52e924169886be5a

          SHA1

          02c884978e94ce1dd49a4a923954ec17652eba36

          SHA256

          984867ab146f62d99ec9a0dac2968ace26445aedbe11d3406aec9d6030d9d271

          SHA512

          c82eb0912096e21f41cbb572c9c8437bbeb9e9cfe4e3d26bf1005e1ef38dbeeb2f068dd61252d370e99e9ca609f6f61adee64d23ceb8dd0ae0c1723a1b714c44

        • memory/4224-142-0x0000000000FE0000-0x0000000001000000-memory.dmp

          Filesize

          128KB