146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d

Analysis

max time kernel
180s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d.exe
Size

192KB
MD5

254f08572f194f153b9edc9e45a9cb02
SHA1

42adeec00d68b7510f6122bd39363a2dc90703bb
SHA256

146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d
SHA512

93b21a0669b3d015b82b9eaaff6d17a46ceb316e8632ef160fe05d335a69bec53ee44cf12745952bae9e8da6c6f5e84d61670d932931edab3e5aa9ea6f86b7e8
SSDEEP

3072:g58A2cm6J/1NfBjGecJOeYq40FXXWnEFsTsuZfI:gKBqR7cJOYdLFswuZg

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

hxompw.exe

pid process

2160 hxompw.exe

pid	process
2160	hxompw.exe

Modifies registry class 7 IoCs

Processes:

hxompw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\uhxom	hxompw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	hxompw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	hxompw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	hxompw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\uhxom\\command	hxompw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	hxompw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\uhxom	hxompw.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1872 PING.EXE

pid	process
1872	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d.execmd.exe

description	pid	process	target process
PID 1704 wrote to memory of 3960	1704	146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d.exe	cmd.exe
PID 1704 wrote to memory of 3960	1704	146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d.exe	cmd.exe
PID 1704 wrote to memory of 3960	1704	146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d.exe	cmd.exe
PID 3960 wrote to memory of 2160	3960	cmd.exe	hxompw.exe
PID 3960 wrote to memory of 2160	3960	cmd.exe	hxompw.exe
PID 3960 wrote to memory of 2160	3960	cmd.exe	hxompw.exe
PID 3960 wrote to memory of 1872	3960	cmd.exe	PING.EXE
PID 3960 wrote to memory of 1872	3960	cmd.exe	PING.EXE
PID 3960 wrote to memory of 1872	3960	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d.exe
"C:\Users\Admin\AppData\Local\Temp\146cf4871e59eda2f3760af9b31a18021039e1505064fb89412a16cec412236d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kycxabr.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Local\Temp\hxompw.exe
"C:\Users\Admin\AppData\Local\Temp\hxompw.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
PID:2160

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hxompw.exe

Filesize
144KB

MD5
7257fce7bc00f12f68b7271eb6e1ef3c

SHA1
5d0b411df4d6c55b21343353b06809ab07376778

SHA256
61f7727b56280dee99ae466aa23843b8e499d4cdc0924f7979b90242b13a2b7b

SHA512
69e29365e60ab61e58fceac608e04747f5536b3077a8a44444d7403d6e4264a667f06bc08c18be249994efdb7830cf4b21ef918ce111529592fc295832b68e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hxompw.exe

Filesize
144KB

MD5
7257fce7bc00f12f68b7271eb6e1ef3c

SHA1
5d0b411df4d6c55b21343353b06809ab07376778

SHA256
61f7727b56280dee99ae466aa23843b8e499d4cdc0924f7979b90242b13a2b7b

SHA512
69e29365e60ab61e58fceac608e04747f5536b3077a8a44444d7403d6e4264a667f06bc08c18be249994efdb7830cf4b21ef918ce111529592fc295832b68e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktlyze.bat

Filesize
188B

MD5
0affaa0996a26b84098e8555f995f1f2

SHA1
3d142044dae6e6dad15ca6968fad0db20b577f33

SHA256
2aad20d4b339ef611688c6e66dab07de1f5617ccf278eea49d479878091fe269

SHA512
15c3bbd3868d79f275ff5542592bb37ea1c1ccb159145a98c5e6325d4e264e99558d0d55b4deaf1c1390ca402fa374977a67e2b45c67730e171bcd07c405d00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kycxabr.bat

Filesize
124B

MD5
c5c10e49fca5ca792268f05f255a134d

SHA1
2399cea0c72b304f57c467c6424930fa2b82d2b8

SHA256
3aae85fbff6a59aefac3640c77cf8c7c44430d4ec7e4deb69e3eac3ee08dda2e

SHA512
02cbc53a721dbfa563386db70daa7c1f2fcfffaeb3d7ee5c5906fa58efd2bfc8a70fd5c3d96252fe24204ed402851251a258cd46731760265a8b9cba34f6b54f

Download Submit
memory/1872-139-0x0000000000000000-mapping.dmp

Download
memory/2160-136-0x0000000000000000-mapping.dmp

Download
memory/3960-133-0x0000000000000000-mapping.dmp

Download