dd255d9cbceced70a7fe5ae66133de9c3333c72de6e3d8a4d3f88a8a8108370d

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
13/07/2023, 09:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

hiuhehufw.exe
Size

28KB
MD5

68e3359674ee7d49550b09e7ff69dcce
SHA1

bcb5d12fa5433ef5e4b78a4125eb77357e285908
SHA256

dd255d9cbceced70a7fe5ae66133de9c3333c72de6e3d8a4d3f88a8a8108370d
SHA512

0e3d050a82dcdbd8f4688be67dad2ab9a2e054705ba6d176e381a0d1851202e1e75b7057e88099fb66d9475b20ebe0f5469ad058ddbe94c3eb29aa4100cc0098
SSDEEP

768:f05Vx5qa/mytcR8D6Geg4bkTMyDFvxTJDsTX+GP:fgV2aHciTegKUFvJJDsr+K

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2756	schtasks.exe
1496	schtasks.exe
1968	schtasks.exe
2420	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	hiuhehufw.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2896	1900	hiuhehufw.exe	28
PID 1900 wrote to memory of 2896	1900	hiuhehufw.exe	28
PID 1900 wrote to memory of 2896	1900	hiuhehufw.exe	28
PID 2896 wrote to memory of 2420	2896	cmd.exe	30
PID 2896 wrote to memory of 2420	2896	cmd.exe	30
PID 2896 wrote to memory of 2420	2896	cmd.exe	30
PID 2456 wrote to memory of 3000	2456	taskeng.exe	33
PID 2456 wrote to memory of 3000	2456	taskeng.exe	33
PID 2456 wrote to memory of 3000	2456	taskeng.exe	33
PID 3000 wrote to memory of 2156	3000	hiuhehufw.exe	34
PID 3000 wrote to memory of 2156	3000	hiuhehufw.exe	34
PID 3000 wrote to memory of 2156	3000	hiuhehufw.exe	34
PID 2156 wrote to memory of 2756	2156	cmd.exe	36
PID 2156 wrote to memory of 2756	2156	cmd.exe	36
PID 2156 wrote to memory of 2756	2156	cmd.exe	36
PID 2456 wrote to memory of 1464	2456	taskeng.exe	39
PID 2456 wrote to memory of 1464	2456	taskeng.exe	39
PID 2456 wrote to memory of 1464	2456	taskeng.exe	39
PID 1464 wrote to memory of 2692	1464	hiuhehufw.exe	40
PID 1464 wrote to memory of 2692	1464	hiuhehufw.exe	40
PID 1464 wrote to memory of 2692	1464	hiuhehufw.exe	40
PID 2692 wrote to memory of 1496	2692	cmd.exe	42
PID 2692 wrote to memory of 1496	2692	cmd.exe	42
PID 2692 wrote to memory of 1496	2692	cmd.exe	42
PID 2456 wrote to memory of 2884	2456	taskeng.exe	43
PID 2456 wrote to memory of 2884	2456	taskeng.exe	43
PID 2456 wrote to memory of 2884	2456	taskeng.exe	43
PID 2884 wrote to memory of 756	2884	hiuhehufw.exe	44
PID 2884 wrote to memory of 756	2884	hiuhehufw.exe	44
PID 2884 wrote to memory of 756	2884	hiuhehufw.exe	44
PID 756 wrote to memory of 1968	756	cmd.exe	46
PID 756 wrote to memory of 1968	756	cmd.exe	46
PID 756 wrote to memory of 1968	756	cmd.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\hiuhehufw.exe
"C:\Users\Admin\AppData\Local\Temp\hiuhehufw.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:2420

C:\Windows\system32\taskeng.exe
taskeng.exe {41C2F067-1E70-4760-ADD6-9DF8544B8F6E} S-1-5-21-1024678951-1535676557-2778719785-1000:KDGGTDCU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\hiuhehufw.exe
  C:\Users\Admin\AppData\Local\Temp\hiuhehufw.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      4⤵
      Creates scheduled task(s)
      PID:2756
- C:\Users\Admin\AppData\Local\Temp\hiuhehufw.exe
  C:\Users\Admin\AppData\Local\Temp\hiuhehufw.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      4⤵
      Creates scheduled task(s)
      PID:1496
- C:\Users\Admin\AppData\Local\Temp\hiuhehufw.exe
  C:\Users\Admin\AppData\Local\Temp\hiuhehufw.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      4⤵
      Creates scheduled task(s)
      PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1464-61-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/1464-62-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/1900-54-0x0000000000F30000-0x0000000000F3E000-memory.dmp

Filesize
56KB

Download
memory/1900-55-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/1900-56-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/1900-57-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/1900-58-0x000000001B260000-0x000000001B2E0000-memory.dmp

Filesize
512KB

Download
memory/2884-63-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2884-64-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/3000-59-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/3000-60-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads