9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75

General

Target

9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
Size

300KB
MD5

28654dae9f561d825d2c74d8a7af4614
SHA1

168a3b4d725a963ebe6147abfd37fbe9857f0847
SHA256

9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75
SHA512

16ad3d96af5c89bde4d8d9103334f8bd7ebd3b6b1f571090be42548b989f91d0f51411078193d690abbd68de57d1f3706c30c095d5c8898706fd6ceb6d054728
SSDEEP

6144:/xuq3rsRMNU10sfsaM7+j5kxZKoKlfO2vr:f8snLxZ7Ef

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

homuw.exehomuw.exe

pid process

888 homuw.exe
1684 homuw.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1096 cmd.exe

pid	process
888	homuw.exe
1684	homuw.exe

pid	process
1096	cmd.exe

Loads dropped DLL 3 IoCs

Processes:

9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exehomuw.exe

pid	process
760	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
760	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
888	homuw.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

homuw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	homuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Homuw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Byhuy\\homuw.exe"	homuw.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exehomuw.exe

description	pid	process	target process
PID 1220 set thread context of 760	1220	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 888 set thread context of 1684	888	homuw.exe	homuw.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exehomuw.exe

pid	process
760	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe
1684	homuw.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exehomuw.exehomuw.exe

description	pid	process	target process
PID 1220 wrote to memory of 760	1220	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 1220 wrote to memory of 760	1220	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 1220 wrote to memory of 760	1220	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 1220 wrote to memory of 760	1220	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 1220 wrote to memory of 760	1220	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 1220 wrote to memory of 760	1220	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 1220 wrote to memory of 760	1220	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 1220 wrote to memory of 760	1220	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 1220 wrote to memory of 760	1220	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 1220 wrote to memory of 760	1220	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
PID 760 wrote to memory of 888	760	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	homuw.exe
PID 760 wrote to memory of 888	760	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	homuw.exe
PID 760 wrote to memory of 888	760	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	homuw.exe
PID 760 wrote to memory of 888	760	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	homuw.exe
PID 888 wrote to memory of 1684	888	homuw.exe	homuw.exe
PID 888 wrote to memory of 1684	888	homuw.exe	homuw.exe
PID 888 wrote to memory of 1684	888	homuw.exe	homuw.exe
PID 888 wrote to memory of 1684	888	homuw.exe	homuw.exe
PID 888 wrote to memory of 1684	888	homuw.exe	homuw.exe
PID 888 wrote to memory of 1684	888	homuw.exe	homuw.exe
PID 888 wrote to memory of 1684	888	homuw.exe	homuw.exe
PID 888 wrote to memory of 1684	888	homuw.exe	homuw.exe
PID 888 wrote to memory of 1684	888	homuw.exe	homuw.exe
PID 888 wrote to memory of 1684	888	homuw.exe	homuw.exe
PID 760 wrote to memory of 1096	760	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	cmd.exe
PID 760 wrote to memory of 1096	760	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	cmd.exe
PID 760 wrote to memory of 1096	760	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	cmd.exe
PID 760 wrote to memory of 1096	760	9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe	cmd.exe
PID 1684 wrote to memory of 1132	1684	homuw.exe	taskhost.exe
PID 1684 wrote to memory of 1132	1684	homuw.exe	taskhost.exe
PID 1684 wrote to memory of 1132	1684	homuw.exe	taskhost.exe
PID 1684 wrote to memory of 1132	1684	homuw.exe	taskhost.exe
PID 1684 wrote to memory of 1132	1684	homuw.exe	taskhost.exe
PID 1684 wrote to memory of 1228	1684	homuw.exe	Dwm.exe
PID 1684 wrote to memory of 1228	1684	homuw.exe	Dwm.exe
PID 1684 wrote to memory of 1228	1684	homuw.exe	Dwm.exe
PID 1684 wrote to memory of 1228	1684	homuw.exe	Dwm.exe
PID 1684 wrote to memory of 1228	1684	homuw.exe	Dwm.exe
PID 1684 wrote to memory of 1296	1684	homuw.exe	Explorer.EXE
PID 1684 wrote to memory of 1296	1684	homuw.exe	Explorer.EXE
PID 1684 wrote to memory of 1296	1684	homuw.exe	Explorer.EXE
PID 1684 wrote to memory of 1296	1684	homuw.exe	Explorer.EXE
PID 1684 wrote to memory of 1296	1684	homuw.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
"C:\Users\Admin\AppData\Local\Temp\9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe
"C:\Users\Admin\AppData\Local\Temp\9f202cf5e15101c5a7e05280ad4dc86092b4036dcbbd8dd144e58c4115638e75.exe"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Local\Temp\Byhuy\homuw.exe
"C:\Users\Admin\AppData\Local\Temp\Byhuy\homuw.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Local\Temp\Byhuy\homuw.exe
"C:\Users\Admin\AppData\Local\Temp\Byhuy\homuw.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KKD46D4.bat"
4⤵
- Deletes itself
PID:1096

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1228

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Byhuy\homuw.exe
Filesize
300KB

MD5
23e4ed5f8ea49c25f2f018e83ee80e45

SHA1
9d19da12086a8c03bac332bd94fb9768332c954f

SHA256
7b1af96a30ac059384fb0a3b9d4b9feb45f88fb1ea97eee50933cfb684674737

SHA512
519b9027eb0bc424cba29a50b813a89227ecd8d56d3ae25e9bf663f0fb58d672de79cf9b7ee2b39e1c0452beadd7e3058d529b8fe3fe5ff23688c5d552f507be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Byhuy\homuw.exe
Filesize
300KB

MD5
23e4ed5f8ea49c25f2f018e83ee80e45

SHA1
9d19da12086a8c03bac332bd94fb9768332c954f

SHA256
7b1af96a30ac059384fb0a3b9d4b9feb45f88fb1ea97eee50933cfb684674737

SHA512
519b9027eb0bc424cba29a50b813a89227ecd8d56d3ae25e9bf663f0fb58d672de79cf9b7ee2b39e1c0452beadd7e3058d529b8fe3fe5ff23688c5d552f507be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Byhuy\homuw.exe
Filesize
300KB

MD5
23e4ed5f8ea49c25f2f018e83ee80e45

SHA1
9d19da12086a8c03bac332bd94fb9768332c954f

SHA256
7b1af96a30ac059384fb0a3b9d4b9feb45f88fb1ea97eee50933cfb684674737

SHA512
519b9027eb0bc424cba29a50b813a89227ecd8d56d3ae25e9bf663f0fb58d672de79cf9b7ee2b39e1c0452beadd7e3058d529b8fe3fe5ff23688c5d552f507be

Download Submit
C:\Users\Admin\AppData\Local\Temp\KKD46D4.bat
Filesize
282B

MD5
da220326025f194ede4d02597de9631d

SHA1
335bf842ec919149c955fdb2c66c1c7c25bb2563

SHA256
8524d7b3d900f23f4959e3090b3f476891f2790d1db2d10a978a4fa9ac1d3813

SHA512
ff154087f8d040be2e9f2c50255da6ea784e741dbec211c2465070282f95043e7327bddb1792af1944ad6dd81ba251ac5f45d67aa37f21edfa6096ba818858ad

Download Submit
\Users\Admin\AppData\Local\Temp\Byhuy\homuw.exe
Filesize
300KB

MD5
23e4ed5f8ea49c25f2f018e83ee80e45

SHA1
9d19da12086a8c03bac332bd94fb9768332c954f

SHA256
7b1af96a30ac059384fb0a3b9d4b9feb45f88fb1ea97eee50933cfb684674737

SHA512
519b9027eb0bc424cba29a50b813a89227ecd8d56d3ae25e9bf663f0fb58d672de79cf9b7ee2b39e1c0452beadd7e3058d529b8fe3fe5ff23688c5d552f507be

Download Submit
\Users\Admin\AppData\Local\Temp\Byhuy\homuw.exe
Filesize
300KB

MD5
23e4ed5f8ea49c25f2f018e83ee80e45

SHA1
9d19da12086a8c03bac332bd94fb9768332c954f

SHA256
7b1af96a30ac059384fb0a3b9d4b9feb45f88fb1ea97eee50933cfb684674737

SHA512
519b9027eb0bc424cba29a50b813a89227ecd8d56d3ae25e9bf663f0fb58d672de79cf9b7ee2b39e1c0452beadd7e3058d529b8fe3fe5ff23688c5d552f507be

Download Submit
\Users\Admin\AppData\Local\Temp\Byhuy\homuw.exe
Filesize
300KB

MD5
23e4ed5f8ea49c25f2f018e83ee80e45

SHA1
9d19da12086a8c03bac332bd94fb9768332c954f

SHA256
7b1af96a30ac059384fb0a3b9d4b9feb45f88fb1ea97eee50933cfb684674737

SHA512
519b9027eb0bc424cba29a50b813a89227ecd8d56d3ae25e9bf663f0fb58d672de79cf9b7ee2b39e1c0452beadd7e3058d529b8fe3fe5ff23688c5d552f507be

Download Submit
memory/760-65-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/760-92-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/760-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/760-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/760-69-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/760-70-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/760-64-0x0000000001158BFE-mapping.dmp

Download
memory/760-57-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/760-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/760-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/760-59-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/888-73-0x0000000000000000-mapping.dmp

Download
memory/888-89-0x0000000074990000-0x0000000074F3B000-memory.dmp

Filesize
5.7MB

Download
memory/1096-94-0x0000000000000000-mapping.dmp

Download
memory/1132-100-0x0000000001EE0000-0x0000000001F22000-memory.dmp

Filesize
264KB

Download
memory/1132-101-0x0000000001EE0000-0x0000000001F22000-memory.dmp

Filesize
264KB

Download
memory/1132-98-0x0000000001EE0000-0x0000000001F22000-memory.dmp

Filesize
264KB

Download
memory/1132-99-0x0000000001EE0000-0x0000000001F22000-memory.dmp

Filesize
264KB

Download
memory/1220-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1220-66-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1220-55-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1228-104-0x0000000001C50000-0x0000000001C92000-memory.dmp

Filesize
264KB

Download
memory/1228-105-0x0000000001C50000-0x0000000001C92000-memory.dmp

Filesize
264KB

Download
memory/1228-106-0x0000000001C50000-0x0000000001C92000-memory.dmp

Filesize
264KB

Download
memory/1228-107-0x0000000001C50000-0x0000000001C92000-memory.dmp

Filesize
264KB

Download
memory/1296-110-0x0000000002650000-0x0000000002692000-memory.dmp

Filesize
264KB

Download
memory/1296-111-0x0000000002650000-0x0000000002692000-memory.dmp

Filesize
264KB

Download
memory/1296-112-0x0000000002650000-0x0000000002692000-memory.dmp

Filesize
264KB

Download
memory/1296-113-0x0000000002650000-0x0000000002692000-memory.dmp

Filesize
264KB

Download
memory/1684-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1684-86-0x0000000001138BFE-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads