7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
Size

1.6MB
MD5

f35b9877a19542a4aa4f6e4a146b9dc3
SHA1

a73990fc6ba90f359d9bf5c2bbfe50637256e58d
SHA256

7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5
SHA512

669e6a7e9c44120b6be2e1c36d72f2da7f888180eb374d12ad7565c0fb24a854c310cede21b2b96c496c94dd7cd8fe506ca694c20b7c394d7e04440df4bafba8
SSDEEP

49152:wfkjGIBKkTMGqp7cTdFgRHzYYNgb7R3AEWzR:wfoTTM5sYNgpQEWR

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe

Executes dropped EXE 2 IoCs

pid	Process
1952	tp.exe
1924	WinHlkk32.exe

Loads dropped DLL 4 IoCs

pid	Process
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1952	tp.exe
1952	tp.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinHlkk32.exe	tp.exe
File opened for modification	C:\Windows\SysWOW64\WinHlkk32.exe	tp.exe
File created	C:\Windows\SysWOW64\WinHlkk32.exe	WinHlkk32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs

pid	Process
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1952	tp.exe
Token: SeIncBasePriorityPrivilege	1924	WinHlkk32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1952	1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe	28
PID 1776 wrote to memory of 1952	1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe	28
PID 1776 wrote to memory of 1952	1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe	28
PID 1776 wrote to memory of 1952	1776	7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe	28
PID 1952 wrote to memory of 1924	1952	tp.exe	29
PID 1952 wrote to memory of 1924	1952	tp.exe	29
PID 1952 wrote to memory of 1924	1952	tp.exe	29
PID 1952 wrote to memory of 1924	1952	tp.exe	29
PID 1952 wrote to memory of 1076	1952	tp.exe	30
PID 1952 wrote to memory of 1076	1952	tp.exe	30
PID 1952 wrote to memory of 1076	1952	tp.exe	30
PID 1952 wrote to memory of 1076	1952	tp.exe	30
PID 1924 wrote to memory of 1832	1924	WinHlkk32.exe	31
PID 1924 wrote to memory of 1832	1924	WinHlkk32.exe	31
PID 1924 wrote to memory of 1832	1924	WinHlkk32.exe	31
PID 1924 wrote to memory of 1832	1924	WinHlkk32.exe	31

C:\Users\Admin\AppData\Local\Temp\7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe
"C:\Users\Admin\AppData\Local\Temp\7cd9cb76ba65668c1eed5808a93deebd56fbb129f915f81490dd59073ca6d2b5.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\tp.exe
  C:\Users\Admin\AppData\Local\Temp\\tp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\WinHlkk32.exe
    "C:\Windows\system32\WinHlkk32.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\WINHLK~1.EXE > nul
      4⤵
      PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\tp.exe > nul
    3⤵
    PID:1076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tp.exe

Filesize
20KB

MD5
b7669463a17ffe8d82cba0ad91ec508e

SHA1
9bc48dc43d93e3e74231e03e927421e6a299433b

SHA256
1a9b438c8da84e6883f4b5cbf5d7d45330c8dc24d3999d4a9f8bdad963dc5294

SHA512
f15cb7b069b92ee143674bd5f7893228b1a09bdb46ab4d59427d812e77e277d24cb7b47243b3345cf7ffd11719c312309dd478897975f38f5abbfe43a44ad09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tp.exe

Filesize
20KB

MD5
b7669463a17ffe8d82cba0ad91ec508e

SHA1
9bc48dc43d93e3e74231e03e927421e6a299433b

SHA256
1a9b438c8da84e6883f4b5cbf5d7d45330c8dc24d3999d4a9f8bdad963dc5294

SHA512
f15cb7b069b92ee143674bd5f7893228b1a09bdb46ab4d59427d812e77e277d24cb7b47243b3345cf7ffd11719c312309dd478897975f38f5abbfe43a44ad09f

Download Submit
C:\Windows\SysWOW64\WinHlkk32.exe

Filesize
20KB

MD5
b7669463a17ffe8d82cba0ad91ec508e

SHA1
9bc48dc43d93e3e74231e03e927421e6a299433b

SHA256
1a9b438c8da84e6883f4b5cbf5d7d45330c8dc24d3999d4a9f8bdad963dc5294

SHA512
f15cb7b069b92ee143674bd5f7893228b1a09bdb46ab4d59427d812e77e277d24cb7b47243b3345cf7ffd11719c312309dd478897975f38f5abbfe43a44ad09f

Download Submit
C:\Windows\SysWOW64\WinHlkk32.exe

Filesize
20KB

MD5
b7669463a17ffe8d82cba0ad91ec508e

SHA1
9bc48dc43d93e3e74231e03e927421e6a299433b

SHA256
1a9b438c8da84e6883f4b5cbf5d7d45330c8dc24d3999d4a9f8bdad963dc5294

SHA512
f15cb7b069b92ee143674bd5f7893228b1a09bdb46ab4d59427d812e77e277d24cb7b47243b3345cf7ffd11719c312309dd478897975f38f5abbfe43a44ad09f

Download Submit
\Users\Admin\AppData\Local\Temp\tp.exe

Filesize
20KB

MD5
b7669463a17ffe8d82cba0ad91ec508e

SHA1
9bc48dc43d93e3e74231e03e927421e6a299433b

SHA256
1a9b438c8da84e6883f4b5cbf5d7d45330c8dc24d3999d4a9f8bdad963dc5294

SHA512
f15cb7b069b92ee143674bd5f7893228b1a09bdb46ab4d59427d812e77e277d24cb7b47243b3345cf7ffd11719c312309dd478897975f38f5abbfe43a44ad09f

Download Submit
\Users\Admin\AppData\Local\Temp\tp.exe

Filesize
20KB

MD5
b7669463a17ffe8d82cba0ad91ec508e

SHA1
9bc48dc43d93e3e74231e03e927421e6a299433b

SHA256
1a9b438c8da84e6883f4b5cbf5d7d45330c8dc24d3999d4a9f8bdad963dc5294

SHA512
f15cb7b069b92ee143674bd5f7893228b1a09bdb46ab4d59427d812e77e277d24cb7b47243b3345cf7ffd11719c312309dd478897975f38f5abbfe43a44ad09f

Download Submit
\Windows\SysWOW64\WinHlkk32.exe

Filesize
20KB

MD5
b7669463a17ffe8d82cba0ad91ec508e

SHA1
9bc48dc43d93e3e74231e03e927421e6a299433b

SHA256
1a9b438c8da84e6883f4b5cbf5d7d45330c8dc24d3999d4a9f8bdad963dc5294

SHA512
f15cb7b069b92ee143674bd5f7893228b1a09bdb46ab4d59427d812e77e277d24cb7b47243b3345cf7ffd11719c312309dd478897975f38f5abbfe43a44ad09f

Download Submit
\Windows\SysWOW64\WinHlkk32.exe

Filesize
20KB

MD5
b7669463a17ffe8d82cba0ad91ec508e

SHA1
9bc48dc43d93e3e74231e03e927421e6a299433b

SHA256
1a9b438c8da84e6883f4b5cbf5d7d45330c8dc24d3999d4a9f8bdad963dc5294

SHA512
f15cb7b069b92ee143674bd5f7893228b1a09bdb46ab4d59427d812e77e277d24cb7b47243b3345cf7ffd11719c312309dd478897975f38f5abbfe43a44ad09f

Download Submit
memory/1076-5296-0x0000000000000000-mapping.dmp

Download
memory/1776-502-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-5282-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/1776-463-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-467-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-470-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-472-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-471-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-469-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-468-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-488-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-487-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-486-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-549-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/1776-522-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-521-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-520-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-519-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-518-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-517-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-516-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-515-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-514-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-513-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-512-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-511-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-510-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-509-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-508-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-507-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-497-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-505-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-504-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-503-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-466-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-495-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-500-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-499-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-498-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-506-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-464-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-501-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-494-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-493-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-492-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-491-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-490-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-489-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-485-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-484-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-483-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-482-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-481-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-480-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-479-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-478-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-477-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-476-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-475-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-473-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-474-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-1332-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-1333-0x0000000002130000-0x00000000022B1000-memory.dmp

Filesize
1.5MB

Download
memory/1776-2893-0x00000000023E7000-0x00000000023E9000-memory.dmp

Filesize
8KB

Download
memory/1776-2891-0x00000000023E7000-0x00000000023E9000-memory.dmp

Filesize
8KB

Download
memory/1776-3633-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-4120-0x0000000001F00000-0x0000000002000000-memory.dmp

Filesize
1024KB

Download
memory/1776-496-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-5283-0x00000000022C0000-0x00000000023C1000-memory.dmp

Filesize
1.0MB

Download
memory/1776-465-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-5284-0x00000000023E7000-0x00000000023E9000-memory.dmp

Filesize
8KB

Download
memory/1776-5300-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/1776-462-0x00000000023E0000-0x00000000024F1000-memory.dmp

Filesize
1.1MB

Download
memory/1776-56-0x0000000075450000-0x0000000075497000-memory.dmp

Filesize
284KB

Download
memory/1776-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/1776-5299-0x0000000001F00000-0x0000000002000000-memory.dmp

Filesize
1024KB

Download
memory/1832-5298-0x0000000000000000-mapping.dmp

Download
memory/1924-5293-0x0000000000000000-mapping.dmp

Download
memory/1952-5287-0x0000000000000000-mapping.dmp

Download