1acac0450b056619427e2ccac80017c3f1c38d87a17b0315ae77dc951c047ddd

Analysis

max time kernel
150s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/02/2023, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6231612240cad7dd2776fc5e8b7eacdcf70ca421.exe
Size

16KB
MD5

d4eca188d213d90c414998395060bdd3
SHA1

6231612240cad7dd2776fc5e8b7eacdcf70ca421
SHA256

1acac0450b056619427e2ccac80017c3f1c38d87a17b0315ae77dc951c047ddd
SHA512

75645a26d52631cafc3a8a640490efb9e6330c1b3f7bb27aedd8ede7b74deddcfff186bdca37856f79d23a1ffcd346b9f705c6b0728b7c66456cb8ac53a61e04
SSDEEP

384:Q2prwOP0bfiYj163/9o2zKTeY7dFt2JP1zG3pnP5:QiryfH56PzQeYRLiPRI5

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
916	6231612240cad7dd2776fc5e8b7eacdcf70ca421.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\huifitc = "C:\\Windows\\huifitc.exe"	6231612240cad7dd2776fc5e8b7eacdcf70ca421.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\huifitc.dll	6231612240cad7dd2776fc5e8b7eacdcf70ca421.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\huifitc.exe	6231612240cad7dd2776fc5e8b7eacdcf70ca421.exe
File opened for modification	C:\Windows\huifitc.exe	6231612240cad7dd2776fc5e8b7eacdcf70ca421.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
916	6231612240cad7dd2776fc5e8b7eacdcf70ca421.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
916	6231612240cad7dd2776fc5e8b7eacdcf70ca421.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 1216	916	6231612240cad7dd2776fc5e8b7eacdcf70ca421.exe	15
PID 916 wrote to memory of 1216	916	6231612240cad7dd2776fc5e8b7eacdcf70ca421.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\6231612240cad7dd2776fc5e8b7eacdcf70ca421.exe
  "C:\Users\Admin\AppData\Local\Temp\6231612240cad7dd2776fc5e8b7eacdcf70ca421.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\huifitc.dll

Filesize
40KB

MD5
6684af1b213d7d8a8ffa4d0f576995b8

SHA1
a41bfc849b4b6c9e9557b38922f9e57c79eb9e15

SHA256
6d71a22b86c7f89ed3a5daa200b381ab0358c4ddf8f1e5816aa6ddfe03bbd2fb

SHA512
67be11f532934a49be75108cdea765051c19e262d6a4ea2f55f4f7c6894811180843d7cafe1e3f70f65e048e6f2c77707ca7fb51732a3018028227f8fb4acb4e

Download Submit
memory/1216-54-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1216-55-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download