71213be1116e5ace654ee4071e3f2c83e0a39fd0efe0246b1659b9520f31f2b6 | Triage

Analysis

max time kernel
29s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 07:31

Sharing

Report Analysis Logs

General

Target

hyword/hyword/hytalk.chm
Size

712KB
MD5

27c1af48ea00ccefa5b6858e4c9cafae
SHA1

3b40a8a04e2b528a10ac440144ea7d399cf9e8ca
SHA256

37a7a2f318b9afa773bc058f20588a086e2762d175ab1845f74c9b0b296f9494
SHA512

f790af11b930267f365dbf667137295762bf8c429505e54bc33a8930215485ab6dd15f3f899be51b1bfe5aedabc3b95becf49e0cec2f9465889b8a560726a29a
SSDEEP

12288:DaftjZSU2ZdSojKvbamRzMQkac0XKqh9jiktrF7pBsVYm:DaTSULmKTamRgt0X1Ljp7Fm

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

hh.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main hh.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

hh.exe

pid process

1220 hh.exe
1220 hh.exe

C:\Windows\hh.exe
"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\hyword\hyword\hytalk.chm
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-54-0x000007FEFC461000-0x000007FEFC463000-memory.dmp

Filesize
8KB

Download
memory/1220-69-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Filesize
64KB

Download