00ed550c56886e2942608cf91f6c3469ecdb983caf20761f38d677214a8d1f74

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15/02/2023, 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HTVR PC Streamer.exe
Size

58.6MB
MD5

ef3555ae632dcf2cb8c85c9d4d0d72ce
SHA1

9a72848aef483042d855102a3ff7fe3e200c2dd6
SHA256

00ed550c56886e2942608cf91f6c3469ecdb983caf20761f38d677214a8d1f74
SHA512

2154a3861d731736c45984f5ca21ae53db93908b86ac2851e8a6f811e9873f700cb479aeee7e0e48ea47925056011af915bc591c378671feb9f7f7b7ca74f6e9
SSDEEP

786432:hsMDBdYLVXOhBTivuv5773qVmEY7fmf8No6HzVtW:RUX6G2R3qVmEY7fmfY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4740	evb97C2.tmp

Loads dropped DLL 4 IoCs

pid	Process
4616	HTVR PC Streamer.exe
4616	HTVR PC Streamer.exe
4616	HTVR PC Streamer.exe
4616	HTVR PC Streamer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4616 set thread context of 4740	4616	HTVR PC Streamer.exe	81

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HTVR PC Streamer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HTVR PC Streamer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HTVR PC Streamer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	HTVR PC Streamer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5108	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5108	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4616	HTVR PC Streamer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4740	4616	HTVR PC Streamer.exe	81
PID 4616 wrote to memory of 4740	4616	HTVR PC Streamer.exe	81
PID 4616 wrote to memory of 4740	4616	HTVR PC Streamer.exe	81
PID 4616 wrote to memory of 4740	4616	HTVR PC Streamer.exe	81
PID 4616 wrote to memory of 4740	4616	HTVR PC Streamer.exe	81
PID 4616 wrote to memory of 4740	4616	HTVR PC Streamer.exe	81
PID 4616 wrote to memory of 4740	4616	HTVR PC Streamer.exe	81
PID 4616 wrote to memory of 4740	4616	HTVR PC Streamer.exe	81
PID 4616 wrote to memory of 4740	4616	HTVR PC Streamer.exe	81
PID 4616 wrote to memory of 4740	4616	HTVR PC Streamer.exe	81
PID 4616 wrote to memory of 4740	4616	HTVR PC Streamer.exe	81
PID 4616 wrote to memory of 4740	4616	HTVR PC Streamer.exe	81

C:\Users\Admin\AppData\Local\Temp\HTVR PC Streamer.exe
"C:\Users\Admin\AppData\Local\Temp\HTVR PC Streamer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Local\Temp\evb97C2.tmp
  "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler32.exe" --attach 4616 8065024
  2⤵
  - Executes dropped EXE
  PID:4740

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\evb93D9.tmp

Filesize
1KB

MD5
6805cb0d47429d54b7d3ded4d457e017

SHA1
8bec5800a55d168e856c219fba2d390d5c8a30da

SHA256
0c67f5735574253434f50cd658951621d5f9f163d87795123da614198c867baa

SHA512
d343b33daed84f910d111ba3287ac6cd4a0ab99221d5f8aa3983b8f554d3d7243fa55e077a24bf6ceb9bd4f3df71c4303b38527c91bff217493c02f0d1d7f87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb93D9.tmp

Filesize
1KB

MD5
6805cb0d47429d54b7d3ded4d457e017

SHA1
8bec5800a55d168e856c219fba2d390d5c8a30da

SHA256
0c67f5735574253434f50cd658951621d5f9f163d87795123da614198c867baa

SHA512
d343b33daed84f910d111ba3287ac6cd4a0ab99221d5f8aa3983b8f554d3d7243fa55e077a24bf6ceb9bd4f3df71c4303b38527c91bff217493c02f0d1d7f87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb97C2.tmp

Filesize
1KB

MD5
0651a7476e90bc6cd419a2ef5d883291

SHA1
0f44ba8fbd983dc240965171717ade5cbec577dd

SHA256
f4a07e38bc6d92d64483c0b4abc9d5e3f486b09633b26f198e5e2fd66051f1bb

SHA512
c80ec5c96a423fa86bb0fad90052eb691fb15ca4c27f83adf5c4236b9cd14f5bc89ea29ecdba4707ba2a5929cdfca42bff2afa5b3cce40b3595f789fb715299b

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb97C2.tmp

Filesize
1KB

MD5
0651a7476e90bc6cd419a2ef5d883291

SHA1
0f44ba8fbd983dc240965171717ade5cbec577dd

SHA256
f4a07e38bc6d92d64483c0b4abc9d5e3f486b09633b26f198e5e2fd66051f1bb

SHA512
c80ec5c96a423fa86bb0fad90052eb691fb15ca4c27f83adf5c4236b9cd14f5bc89ea29ecdba4707ba2a5929cdfca42bff2afa5b3cce40b3595f789fb715299b

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb9979.tmp

Filesize
1KB

MD5
80289eee99c3deced392645c15e169a4

SHA1
0c130f40aea1e35410d463fa462892fa350bb0f0

SHA256
185320a784d2cdd9f5a653bc0d48f3bb6c0e69a5fd6d8196b5812dc6702358b0

SHA512
720ab088fccedbff7bd1a669b935cffe0530486cfd94e4e81c0d11a1f6dac9c5851da62323eb41047c701848a7e4a0c62b017f4bb0c90a6a911699acd06949e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb9979.tmp

Filesize
1KB

MD5
80289eee99c3deced392645c15e169a4

SHA1
0c130f40aea1e35410d463fa462892fa350bb0f0

SHA256
185320a784d2cdd9f5a653bc0d48f3bb6c0e69a5fd6d8196b5812dc6702358b0

SHA512
720ab088fccedbff7bd1a669b935cffe0530486cfd94e4e81c0d11a1f6dac9c5851da62323eb41047c701848a7e4a0c62b017f4bb0c90a6a911699acd06949e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbBEC5.tmp

Filesize
1KB

MD5
e495e999539ff1addb9b040b5678c556

SHA1
684e9da912a100caddb1d7f5c6a0b278ce179b36

SHA256
a292512bade96dc2f7824842b7f234e5b3d272160ec6414608065b1c6de089d6

SHA512
56362d933eb8ef18e45e8cb36f41f0e55f6bc18c87dcaa15af873a51b0c9aaa0fc422488b6b92c1c16300dcc3b5d9c1352c24363285901869c4213cf0f430a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbC260.tmp

Filesize
1KB

MD5
1d6537afef34e87e61e2af6806b1274b

SHA1
b512dafe40258bf90603d2bd93c916a45cda19bd

SHA256
fbafd692840c98d7d2b79920626fba8a2129d69b5ae0e0a3056feffbc504ae96

SHA512
00e46a5b9863b387b95511d85961826f406f7a33b5858c022a38f6cea39796b971e1c150d684c7120c9299f37c37b54853e6fe24ce5888606f6ab25a70ecc96b

Download Submit
memory/4616-585-0x0000000011620000-0x00000000116B2000-memory.dmp

Filesize
584KB

Download
memory/4616-584-0x0000000005570000-0x0000000006014000-memory.dmp

Filesize
10.6MB

Download
memory/4616-164-0x0000000005570000-0x0000000006014000-memory.dmp

Filesize
10.6MB

Download
memory/4616-146-0x0000000005570000-0x0000000006014000-memory.dmp

Filesize
10.6MB

Download
memory/4616-577-0x0000000012F40000-0x0000000012FAB000-memory.dmp

Filesize
428KB

Download
memory/4616-586-0x0000000012F40000-0x0000000012FAB000-memory.dmp

Filesize
428KB

Download
memory/4616-139-0x0000000010000000-0x00000000113CF000-memory.dmp

Filesize
19.8MB

Download
memory/4616-576-0x0000000010000000-0x00000000113CF000-memory.dmp

Filesize
19.8MB

Download
memory/4616-134-0x0000000010000000-0x00000000113CF000-memory.dmp

Filesize
19.8MB

Download
memory/4616-500-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4616-178-0x0000000006120000-0x000000000646C000-memory.dmp

Filesize
3.3MB

Download
memory/4616-132-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/4740-174-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-195-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-168-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-171-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-162-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-176-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-158-0x00000000000A0000-0x00000000000E0000-memory.dmp

Filesize
256KB

Download
memory/4740-179-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-181-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-183-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-185-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-187-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-189-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-191-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-193-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-165-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-199-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-201-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-203-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-205-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-197-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-159-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-155-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-152-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-151-0x000000000046C000-0x0000000000489A00-memory.dmp

Filesize
118KB

Download
memory/4740-147-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/4740-583-0x00000000000A0000-0x00000000000E0000-memory.dmp

Filesize
256KB

Download
memory/4740-142-0x0000000000110000-0x0000000000110010-memory.dmp

Filesize
16B

Download
memory/4740-140-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download