cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03

Analysis

max time kernel
182s
max time network
225s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07-12-2022 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe
Size

310KB
MD5

22134c7e84748dba7c935835f3054870
SHA1

54c242206feba71d240fb25ad1eb2b4b7f9c7acc
SHA256

cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03
SHA512

0158fab8807ed8ba9ef4558327bb0a0ef059f8dda35bbf4cb6f2cc4f18059e6bc999d2db8b7c8a7322ba42c753a2c08fcdf9e7b33b8afec1c0501581532dfbdb
SSDEEP

6144:xIby2RJXgb/3a9Tb1fUrg4iVNOlwWuag/wGzWaxlk2FO:xDaJXY3MVNauag/pWWk2Y

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1476	hity.exe

Deletes itself 1 IoCs

pid	Process
900	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
528	cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe
528	cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	hity.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hity = "C:\\Users\\Admin\\AppData\\Roaming\\Yqys\\hity.exe"	hity.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 528 set thread context of 900	528	cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe	28

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe
1476	hity.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 1476	528	cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe	27
PID 528 wrote to memory of 1476	528	cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe	27
PID 528 wrote to memory of 1476	528	cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe	27
PID 528 wrote to memory of 1476	528	cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe	27
PID 1476 wrote to memory of 1124	1476	hity.exe	16
PID 1476 wrote to memory of 1124	1476	hity.exe	16
PID 1476 wrote to memory of 1124	1476	hity.exe	16
PID 1476 wrote to memory of 1124	1476	hity.exe	16
PID 1476 wrote to memory of 1124	1476	hity.exe	16
PID 1476 wrote to memory of 1176	1476	hity.exe	15
PID 1476 wrote to memory of 1176	1476	hity.exe	15
PID 1476 wrote to memory of 1176	1476	hity.exe	15
PID 1476 wrote to memory of 1176	1476	hity.exe	15
PID 1476 wrote to memory of 1176	1476	hity.exe	15
PID 1476 wrote to memory of 1264	1476	hity.exe	14
PID 1476 wrote to memory of 1264	1476	hity.exe	14
PID 1476 wrote to memory of 1264	1476	hity.exe	14
PID 1476 wrote to memory of 1264	1476	hity.exe	14
PID 1476 wrote to memory of 1264	1476	hity.exe	14
PID 1476 wrote to memory of 528	1476	hity.exe	10
PID 1476 wrote to memory of 528	1476	hity.exe	10
PID 1476 wrote to memory of 528	1476	hity.exe	10
PID 1476 wrote to memory of 528	1476	hity.exe	10
PID 1476 wrote to memory of 528	1476	hity.exe	10
PID 528 wrote to memory of 900	528	cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe	28
PID 528 wrote to memory of 900	528	cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe	28
PID 528 wrote to memory of 900	528	cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe	28
PID 528 wrote to memory of 900	528	cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe	28
PID 528 wrote to memory of 900	528	cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe	28
PID 528 wrote to memory of 900	528	cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe	28
PID 528 wrote to memory of 900	528	cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe	28
PID 528 wrote to memory of 900	528	cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe	28
PID 528 wrote to memory of 900	528	cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe	28

C:\Users\Admin\AppData\Local\Temp\cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe
"C:\Users\Admin\AppData\Local\Temp\cd38284b589c28eda3ed506ec1bca61b695084db9ae41d4e7302d754d6adae03.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:528
- C:\Users\Admin\AppData\Roaming\Yqys\hity.exe
  "C:\Users\Admin\AppData\Roaming\Yqys\hity.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\GPR621E.bat"
  2⤵
  - Deletes itself
  PID:900

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GPR621E.bat

Filesize
303B

MD5
4151389801568f6f8d8ffce37b90c3d3

SHA1
f232aab45c27142a0242bbbcce5c43d06303960e

SHA256
d9efb299c6f2340790b5fd370b7d59d10fa4355f5f60cc809a985b2a7c4186d1

SHA512
89eafd3e882bd8497e17127577410678e94632472c39cf631a385beb928268f63208bcfea5a7b849fd0eed3de89960558323335e3d169dbc37e2914dbfea5017

Download Submit
C:\Users\Admin\AppData\Roaming\Yqys\hity.exe

Filesize
310KB

MD5
274b4aa4cc78dde6f6794932a3c37465

SHA1
81a3eda25ef554bd2df48dd8d16416ef5ed8b930

SHA256
903c866459d8582133a68245caeeaa64bf93c031706c13b4eba23890c38bd02e

SHA512
ff9bdce7f4b690cc8be688f63a2b61e315b13fcb8becab119f2bbc4bfdad405a15f4a39ca73f5443a4c3d4e46b4a3f23db965af398572c3de8b8b5b42ada8c63

Download Submit
C:\Users\Admin\AppData\Roaming\Yqys\hity.exe

Filesize
310KB

MD5
274b4aa4cc78dde6f6794932a3c37465

SHA1
81a3eda25ef554bd2df48dd8d16416ef5ed8b930

SHA256
903c866459d8582133a68245caeeaa64bf93c031706c13b4eba23890c38bd02e

SHA512
ff9bdce7f4b690cc8be688f63a2b61e315b13fcb8becab119f2bbc4bfdad405a15f4a39ca73f5443a4c3d4e46b4a3f23db965af398572c3de8b8b5b42ada8c63

Download Submit
\Users\Admin\AppData\Roaming\Yqys\hity.exe

Filesize
310KB

MD5
274b4aa4cc78dde6f6794932a3c37465

SHA1
81a3eda25ef554bd2df48dd8d16416ef5ed8b930

SHA256
903c866459d8582133a68245caeeaa64bf93c031706c13b4eba23890c38bd02e

SHA512
ff9bdce7f4b690cc8be688f63a2b61e315b13fcb8becab119f2bbc4bfdad405a15f4a39ca73f5443a4c3d4e46b4a3f23db965af398572c3de8b8b5b42ada8c63

Download Submit
\Users\Admin\AppData\Roaming\Yqys\hity.exe

Filesize
310KB

MD5
274b4aa4cc78dde6f6794932a3c37465

SHA1
81a3eda25ef554bd2df48dd8d16416ef5ed8b930

SHA256
903c866459d8582133a68245caeeaa64bf93c031706c13b4eba23890c38bd02e

SHA512
ff9bdce7f4b690cc8be688f63a2b61e315b13fcb8becab119f2bbc4bfdad405a15f4a39ca73f5443a4c3d4e46b4a3f23db965af398572c3de8b8b5b42ada8c63

Download Submit
memory/528-95-0x0000000000450000-0x00000000004A0000-memory.dmp

Filesize
320KB

Download
memory/528-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/528-54-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/528-104-0x0000000000450000-0x0000000000499000-memory.dmp

Filesize
292KB

Download
memory/528-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/528-85-0x0000000000450000-0x0000000000499000-memory.dmp

Filesize
292KB

Download
memory/528-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/528-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/528-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/528-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/528-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/528-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/528-88-0x0000000000450000-0x0000000000499000-memory.dmp

Filesize
292KB

Download
memory/528-87-0x0000000000450000-0x0000000000499000-memory.dmp

Filesize
292KB

Download
memory/528-86-0x0000000000450000-0x0000000000499000-memory.dmp

Filesize
292KB

Download
memory/900-102-0x00000000000D0000-0x0000000000119000-memory.dmp

Filesize
292KB

Download
memory/900-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/900-114-0x00000000000D0000-0x0000000000119000-memory.dmp

Filesize
292KB

Download
memory/900-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/900-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/900-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/900-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/900-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/900-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/900-103-0x0000000000103B6A-mapping.dmp

Download
memory/900-101-0x00000000000D0000-0x0000000000119000-memory.dmp

Filesize
292KB

Download
memory/900-100-0x00000000000D0000-0x0000000000119000-memory.dmp

Filesize
292KB

Download
memory/900-98-0x00000000000D0000-0x0000000000119000-memory.dmp

Filesize
292KB

Download
memory/1124-67-0x0000000001E80000-0x0000000001EC9000-memory.dmp

Filesize
292KB

Download
memory/1124-68-0x0000000001E80000-0x0000000001EC9000-memory.dmp

Filesize
292KB

Download
memory/1124-69-0x0000000001E80000-0x0000000001EC9000-memory.dmp

Filesize
292KB

Download
memory/1124-65-0x0000000001E80000-0x0000000001EC9000-memory.dmp

Filesize
292KB

Download
memory/1124-70-0x0000000001E80000-0x0000000001EC9000-memory.dmp

Filesize
292KB

Download
memory/1176-76-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1176-73-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1176-74-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1176-75-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1264-81-0x0000000002B60000-0x0000000002BA9000-memory.dmp

Filesize
292KB

Download
memory/1264-79-0x0000000002B60000-0x0000000002BA9000-memory.dmp

Filesize
292KB

Download
memory/1264-80-0x0000000002B60000-0x0000000002BA9000-memory.dmp

Filesize
292KB

Download
memory/1264-82-0x0000000002B60000-0x0000000002BA9000-memory.dmp

Filesize
292KB

Download
memory/1476-62-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1476-59-0x0000000000000000-mapping.dmp

Download