Analysis

max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 05:18
Static task: static1
Behavioral task: behavioral1
  Sample: 92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe
  Resource: win10v2004-20220812-en
General

Target: 92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe
Size: 141KB
MD5: e030ff10bd3693b025b36fb2a6923d44
SHA1: 3ce3feef6fd20089d6b24cb7920368064f22f220
SHA256: 92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f
SHA512: 65bc61f6f2ea9ef9cfcaebc7602063246983536eda00a3d86046a6d78b85f050e035b451d88adf1b6b4059aa48d035bbdfabc8e37ed27c63c0487ba6aad43792
SSDEEP: 3072:4flOchKvRfVBs9fi57z/gaseA8Sl0Wmacf:4HhqRfV6iBDselV9f
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid   process
  1628  1.exe
Modifies AppInit DLL entries (2 TTPs)

YARA rule hits
  resource                        yara_rule
  C:\Windows\SysWOW64\HIMYM.DLL   vmprotect
  C:\Windows\SysWOW64\HIMYM.DLL   vmprotect

The dropped DLL matches the sandbox's vmprotect YARA rule, so expect its code, including the DW export that the persistence entry calls, to be protected and not readily readable in a disassembler without unpacking.
Loads dropped DLL (1 IoCs)
  pid   process
  4752  rundll32.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                          process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Disker = "rundll32.exe C:\\Windows\\system32\\HIMYM.DLL,DW"   rundll32.exe

The value sits in the sandbox user's hive (HKCU), so this is per-user persistence. Note the path mismatch: the value names C:\Windows\system32\HIMYM.DLL while the file was dropped to C:\Windows\SysWOW64\HIMYM.DLL. Both the dropper and the rundll32.exe it launched are 32-bit (the process tree shows C:\Windows\SysWOW64\rundll32.exe), so WoW64 file-system redirection maps system32 to SysWOW64 for them; whether the entry works at logon depends on which rundll32.exe the shell resolves, since a 64-bit rundll32 is not redirected and cannot load a 32-bit DLL. When hunting on real hosts, check both directories for HIMYM.DLL and the Run value name Disker.
Drops file in System32 directory (1 IoCs)
  description   ioc                              process
  File created  C:\Windows\SysWOW64\HIMYM.DLL    1.exe

Drops file in Windows directory (1 IoCs)
  description   ioc                                     process
  File created  C:\Windows\system32drivers\etc\hosts    92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe

The hosts path is reproduced as the sandbox recorded it, with no separator between system32 and drivers; that is why the write is classified under the Windows directory rather than as a System32 drop.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  1628  1.exe   (64 identical events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1628  1.exe   (64 identical events)
Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process                                                                 target process
  PID 4532 wrote to memory of 1628  4532  92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe  1.exe          (3 events)
  PID 4532 wrote to memory of 1796  4532  92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe  cmd.exe        (3 events)
  PID 1628 wrote to memory of 4752  1628  1.exe                                                                   rundll32.exe   (3 events)
  PID 1628 wrote to memory of 1060  1628  1.exe                                                                   cmd.exe        (3 events)

Every write here goes from a parent to a child it has just created (compare the process tree). These are the writes process creation itself performs into the new process, and the sandbox records the same three events for each spawned child, so on their own they are not evidence of injection into a foreign process.
Processes

C:\Users\Admin\AppData\Local\Temp\92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe  (PID 4532)
  command line: "C:\Users\Admin\AppData\Local\Temp\92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\1.exe  (PID 1628)
    command line: C:\Users\Admin\AppData\Local\Temp\1.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe  (PID 4752)
      command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\HIMYM.DLL,DW
      - Loads dropped DLL
      - Adds Run key to start application

    C:\Windows\SysWOW64\cmd.exe  (PID 1060)
      command line: C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1.exe"

  C:\Windows\SysWOW64\cmd.exe  (PID 1796)
    command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe"
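As an added example (not sandbox output and not the malware's code), the following Python encodes the chain this report shows as detection logic: a binary running from the user's Temp directory writing into SysWOW64, rundll32.exe being pointed at that freshly dropped DLL, a Run value that invokes rundll32, and cmd /c del of the parent's own image. The events are constructed to mirror the report's PIDs, images, command lines and Run value (plus one benign rundll32 control that must not fire); the event schema, field names and rule names are assumptions of the example. It folds C:\Windows\system32 to SysWOW64 for every path, which is only correct here because every process in the tree is 32-bit.

```python
"""Added example: detection logic for the behaviour chain in this report.

The events below are constructed to mirror the report; they are not sandbox
output, and the event schema, field names and rule names are assumptions.
"""
import re
from dataclasses import dataclass

# %LOCALAPPDATA%\Temp of any user, and the two Windows system directories
# (paths are lower-cased by canon() before these are applied).
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\")
SYSDIR_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\")
# rundll32[.exe] <dll>,<export>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s,"]+)"?\s*,\s*(\w+)', re.I)
# cmd [...] /c del "<path>"
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.I)


def canon(path: str) -> str:
    """Lower-case a path and fold WoW64 file-system redirection.

    Assumption of this example: every process is 32-bit (the report shows them
    all under SysWOW64), so a reference to C:\\Windows\\system32\\X really lands
    in C:\\Windows\\SysWOW64\\X. Real code should check the process bitness.
    """
    p = path.strip('"').lower()
    return re.sub(r"^([a-z]:\\windows\\)system32\\", r"\1syswow64\\", p)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def analyze(events):
    """Single pass over ordered events; returns findings in event order."""
    findings = []
    dropped = {}   # canonical file path -> pid that created it
    images = {}    # pid -> canonical image path, for parent lookups
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "file_create":
            target = canon(ev["target"])
            dropped[target] = pid
            # A binary running out of the user's Temp writing into a system dir.
            if SYSDIR_RE.match(target) and TEMP_RE.match(canon(ev["image"])):
                findings.append(Finding("temp_binary_writes_system_dir", pid, target))
        elif kind == "process_create":
            image = canon(ev["image"])
            images[pid] = image
            cmdline = ev["command_line"]
            m = RUNDLL_RE.search(cmdline)
            if m and image.endswith("\\rundll32.exe"):
                dll, export = canon(m.group(1)), m.group(2)
                # Only fire when the DLL is one we saw being created earlier.
                if dll in dropped:
                    findings.append(Finding("rundll32_loads_dropped_dll", pid,
                                            f"{dll},{export} (dropped by pid {dropped[dll]})"))
            m = DEL_RE.search(cmdline)
            if m and image.endswith("\\cmd.exe"):
                # cmd /c del of the parent's own image: self-deletion.
                if images.get(ev["ppid"]) == canon(m.group(1)):
                    findings.append(Finding("self_delete_via_cmd", pid, canon(m.group(1))))
        elif kind == "registry_set":
            if ("\\software\\microsoft\\windows\\currentversion\\run\\" in ev["key"].lower()
                    and "rundll32" in ev["data"].lower()):
                findings.append(Finding("run_key_rundll32", pid, f"{ev['key']} = {ev['data']}"))
    return findings


def rule_counts(events):
    counts = {}
    for f in analyze(events):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\92b708222922ab33f2ed89bfda8c4fc71fda996896d2e816708adf0f27fed11f.exe"
DROPPED_EXE = r"C:\Users\Admin\AppData\Local\Temp\1.exe"
RUN_KEY = r"HKU\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Disker"

# Constructed events, in the order the report's process tree implies.
EVENTS = [
    {"type": "process_create", "pid": 4532, "ppid": 1234, "image": SAMPLE, "command_line": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 1628, "ppid": 4532, "image": DROPPED_EXE, "command_line": DROPPED_EXE},
    {"type": "process_create", "pid": 1796, "ppid": 4532, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": f'cmd /c del "{SAMPLE}"'},
    {"type": "file_create", "pid": 1628, "image": DROPPED_EXE, "target": r"C:\Windows\SysWOW64\HIMYM.DLL"},
    {"type": "process_create", "pid": 4752, "ppid": 1628, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "command_line": r"C:\Windows\system32\rundll32.exe C:\Windows\system32\HIMYM.DLL,DW"},
    {"type": "registry_set", "pid": 4752, "key": RUN_KEY, "data": r"rundll32.exe C:\Windows\system32\HIMYM.DLL,DW"},
    {"type": "process_create", "pid": 1060, "ppid": 1628, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": f'C:\\Windows\\system32\\cmd.exe /c del "{DROPPED_EXE}"'},
    # Benign control (constructed): the shell invoking a Windows-shipped DLL must not fire.
    {"type": "process_create", "pid": 5000, "ppid": 1234, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:32} pid={f.pid:<5} {f.detail}")
```

The rundll32 rule deliberately keys on a DLL that an earlier event created rather than on rundll32 alone, which keeps the benign control quiet; the same canonicalisation is what lets the Run value's system32 path match the file actually written under SysWOW64.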
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\1.exe
  Filesize: 80.1MB
  MD5: e96e48358ba1e75e8d24374416d4cd5e
  SHA1: 623c9f3dd387692c199447171f0d794d48aa5679
  SHA256: 6440142c67356ef12dba13a6bfc27c6da1a2fc906714b518225a29546f5e9a77
  SHA512: f830d06d0c2351e1c632c95dd107c337ee7fca093961f74b037b3138545f0010f4bad588a69f5d68da6972ae78ce7873db111bf717055bbc1036c7db0d11ce2f

An 80.1MB file cannot be carried verbatim inside a 141KB parent, and the report records no network activity, so most of 1.exe's bytes are generated locally (padding). Inflated droppers of this kind exceed the upload limits of many scanners and sandboxes; treat the size as a characteristic of the sample rather than as a reason it could not be analysed, and note that hashes of a padded file may differ between runs if the padding is not constant.
C:\Windows\SysWOW64\HIMYM.DLL
  Filesize: 92KB
  MD5: 4190846c5202983c636476eac5b979aa
  SHA1: 3bcac44ead53c96124f48f10ee1f1c6b568c0488
  SHA256: 65c5c4e9908c5a3ddccbc2ed8073276e37bcfbcfe9aa25843e0789c5d88c7dfb
  SHA512: d9a621a13195b4958b01e6960b15ee765f811313818a88876a9369a8eccdcd7e66f60c28bd8010d86f1ee9b8109278ef7bba6be4a9a13927cd746b3777adc63b
memory/1060-143-0x0000000000000000-mapping.dmp
memory/1628-138-0x0000000000400000-0x0000000001400000-memory.dmp  (16.0MB)
memory/1628-132-0x0000000000000000-mapping.dmp
memory/1628-139-0x000000000C260000-0x000000000C29A000-memory.dmp  (232KB)
memory/1628-137-0x0000000000400000-0x0000000001400000-memory.dmp  (16.0MB)
memory/1628-136-0x0000000000400000-0x0000000001400000-memory.dmp  (16.0MB)
memory/1628-144-0x0000000000400000-0x0000000001400000-memory.dmp  (16.0MB)
memory/1796-134-0x0000000000000000-mapping.dmp
memory/4752-140-0x0000000000000000-mapping.dmp

The 0x400000-0x1400000 region in PID 1628 is the mapped image of 1.exe: 16.0MB in memory against 80.1MB on disk, so the bulk of the file is not part of any mapped section. The smaller 232KB region at 0xC260000 is the one worth pulling first when looking for unpacked code.