Analysis

  • max time kernel
    91s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-11-2022 07:31

General

  • Target: hyword/hyword/hyinput.exe
  • Size: 76KB
  • MD5: d017597920e6db7e9e31296a8f654ed2
  • SHA1: 9250c0aa7ee5da68a72f529da2455fdbb7874b80
  • SHA256: 05ff92e5422b5a150bd254a8e9a917e0503ec11ca3219cff7f4c4c982f8e918b
  • SHA512: c3ef62e1e68ba00955f1e5de9828fd00dde332e0946d598cbd8ae6a31854bd78f79cb5a6395d4653e3d50652d2171319e10b643741d27edc77fd6bda3edf644b
  • SSDEEP: 1536:oJNVrI2W3Oh4dDgFpTS+oD6LZlglddasJEZOC8TOPO5lp0Ustkznh489AaJEGV:oG2AOh3F1po8Tyd1JRC8QGltstEy8Oat

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. The ransomware attribution is the sandbox's generic description for this signature, not a finding specific to this sample: the process tree below does not attribute the signature to any individual process, and the only non-memory artifact listed under Downloads is a speech user-lexicon file.

  • Modifies registry class 45 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hyword\hyword\hyinput.exe
    "C:\Users\Admin\AppData\Local\Temp\hyword\hyword\hyinput.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\Speech\Common\sapisvr.exe
      "C:\Windows\Speech\Common\sapisvr.exe" -SpeechApp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\system32\Speech\SpeechUX\SpeechUXWiz.exe
        "C:\Windows\system32\Speech\SpeechUX\SpeechUXWiz.exe" UserEnrollment,en-US,HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech\RecoProfiles\Tokens\{395F4005-F9F2-4B94-A9E2-ED7D869C0F0A},65552,0,""
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4952
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x500 0x41c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1268
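The process tree above is the useful hunting artifact in this report: an executable running from the user's Temp directory (PID 1080) spawns sapisvr.exe -SpeechApp (PID 2200), which spawns SpeechUXWiz.exe (PID 4952), while AUDIODG.EXE (PID 1268) runs as a separate top-level process. The following script, an added example that is not part of the sandbox report, rebuilds that tree from process-creation events and flags every Windows-directory binary whose ancestry includes a Temp-launched executable. The events are constructed to mirror the report's PIDs, paths and command lines; the field names follow a Sysmon Event ID 1 style, and the explorer.exe parent (PID 3000) and the missing parent of AUDIODG.EXE (PID 1500) are assumptions, since the report does not show them.

```python
"""Flag Windows system binaries spawned (directly or indirectly) by an
executable running from %LOCALAPPDATA%\\Temp.

Added example, not part of the sandbox report. EVENTS is constructed from
the report's process list; PIDs 3000 and 1500 are assumed parents.
"""
import re
from typing import Dict, List

# Match the report's staging directory anywhere in an image path.
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# Match binaries that live under the Windows directory.
WINDOWS_DIR_RE = re.compile(r"^c:\\windows\\", re.IGNORECASE)

EVENTS: List[Dict[str, object]] = [
    # Assumed launcher of the sample; not in the report.
    {"pid": 3000, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 1080, "ppid": 3000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\hyword\hyword\hyinput.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\hyword\hyword\hyinput.exe"'},
    {"pid": 2200, "ppid": 1080, "image": r"C:\Windows\Speech\Common\sapisvr.exe",
     "cmdline": r'"C:\Windows\Speech\Common\sapisvr.exe" -SpeechApp'},
    {"pid": 4952, "ppid": 2200,
     "image": r"C:\Windows\system32\Speech\SpeechUX\SpeechUXWiz.exe",
     "cmdline": r'"C:\Windows\system32\Speech\SpeechUX\SpeechUXWiz.exe" '
                r"UserEnrollment,en-US,HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech"
                r"\RecoProfiles\Tokens\{395F4005-F9F2-4B94-A9E2-ED7D869C0F0A},65552,0,\"\""},
    # The report lists AUDIODG.EXE as a separate root; its parent (assumed
    # PID 1500) is deliberately absent from the trace.
    {"pid": 1268, "ppid": 1500, "image": r"C:\Windows\system32\AUDIODG.EXE",
     "cmdline": r"C:\Windows\system32\AUDIODG.EXE 0x500 0x41c"},
]


def build_tree(events: List[Dict[str, object]]) -> Dict[int, Dict[str, object]]:
    """Index events by PID so parent links can be followed."""
    return {int(e["pid"]): e for e in events}


def ancestry(pid: int, by_pid: Dict[int, Dict[str, object]]) -> List[int]:
    """Return [pid, parent, grandparent, ...], stopping when the parent is
    not in the trace (sandbox traces usually start at the submitted sample)
    or when a PID repeats (reused PIDs can otherwise create a cycle)."""
    chain: List[int] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = int(by_pid[pid]["ppid"])
    return chain


def temp_launched_chains(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag each Windows-directory process whose ancestors include an
    executable running from AppData\\Local\\Temp. Returns one finding per
    flagged process with the originating PID and the full PID chain."""
    by_pid = build_tree(events)
    findings: List[Dict[str, object]] = []
    for e in events:
        if not WINDOWS_DIR_RE.search(str(e["image"])):
            continue
        chain = ancestry(int(e["pid"]), by_pid)
        origin = next(
            (p for p in chain[1:] if TEMP_DIR_RE.search(str(by_pid[p]["image"]))),
            None,
        )
        if origin is None:
            continue
        findings.append({"pid": e["pid"], "image": e["image"],
                         "origin_pid": origin, "chain": chain})
    return findings


def describe(finding: Dict[str, object], by_pid: Dict[int, Dict[str, object]]) -> str:
    """Render a finding as the command-line chain an analyst would pivot on."""
    return " <- ".join(str(by_pid[p]["cmdline"]) for p in finding["chain"])


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for f in temp_launched_chains(EVENTS):
        print(f"PID {f['pid']} launched via Temp PID {f['origin_pid']}:")
        print("  " + describe(f, tree))
```

Run against the constructed events, only sapisvr.exe (2200) and SpeechUXWiz.exe (4952) are flagged, both tracing back to PID 1080; explorer.exe and AUDIODG.EXE are not, because their ancestry contains no Temp-launched image. The rule keys on the launch origin rather than on the speech binaries by name, so it also catches other signed Windows components used the same way.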

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_4CC00D43FD14419A979CECD5D14A6CB7.dat
    Filesize: 940B
    MD5: 4be166fd3b3d349bcea5d862adb30276
    SHA1: 6be64b67fb7ef52ef0c975ca9d3f6b2776885c63
    SHA256: 98214431c606befde4b70aa88e07279193dd77879bd0be33f0999a84e5e5bb61
    SHA512: 91f03fe3f01f9f4053bf11090705caf6fd82fc884d6c91bfa640daca72a094c717570fbbcfc9e85d09bbf78dfea7eb2db609f2cd3fd43ae3d361b1ed2308a1cb

  • memory/1080-132-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize: 320KB

  • memory/1080-135-0x0000000010000000-0x00000000100A5000-memory.dmp
    Filesize: 660KB

  • memory/1080-137-0x0000000011000000-0x000000001105C000-memory.dmp
    Filesize: 368KB

  • memory/1080-141-0x0000000011000000-0x000000001105C000-memory.dmp
    Filesize: 368KB

  • memory/1080-142-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize: 320KB

  • memory/1080-143-0x0000000010000000-0x00000000100A5000-memory.dmp
    Filesize: 660KB

  • memory/2200-138-0x0000000000000000-mapping.dmp

  • memory/4952-139-0x0000000000000000-mapping.dmp