9807832958fab1632edcdafe1f547d72a4075c152a581c344b8270164922561b

General

Target

HopToDesk.exe
Size

6.9MB
MD5

7c365b5e8f7b0cb14db7fc09f785f9fb
SHA1

fd5ecdae661a88754170962b5f184a867081e567
SHA256

9807832958fab1632edcdafe1f547d72a4075c152a581c344b8270164922561b
SHA512

433fc1b3858475b2ec1f0fea1708f00eefb4dcbc0a80c3b8a71fcb5a5e75a2297a64c31e61f8a535a0064301824339a279756d1f5d801fbe2ddf8f958e817e48
SSDEEP

196608:5QQOaJYIz6Dm44SccjD6Ys2zsUsaPjGxG+Po8ou:5QQlYS6Og6Ys2oUHPKA+Po8z

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
1496	netsh.exe
2504	netsh.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4832-133-0x00000000007C0000-0x0000000001924000-memory.dmp	upx
behavioral2/memory/436-135-0x00000000007C0000-0x0000000001924000-memory.dmp	upx
behavioral2/memory/436-136-0x00000000007C0000-0x0000000001924000-memory.dmp	upx
behavioral2/memory/4832-164-0x00000000007C0000-0x0000000001924000-memory.dmp	upx
behavioral2/memory/4832-165-0x00000000007C0000-0x0000000001924000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
4832	HopToDesk.exe
4832	HopToDesk.exe
4832	HopToDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\HopToDesk\URL Protocol	HopToDesk.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\HopToDesk\shell	HopToDesk.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\HopToDesk\shell\open	HopToDesk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\HopToDesk\URL Protocol	HopToDesk.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\HopToDesk	HopToDesk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\HopToDesk\ = "URL:hoptodesk Protocol"	HopToDesk.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\HopToDesk\shell\open\command	HopToDesk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\HopToDesk\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HopToDesk.exe\" \"--connect\" \"%1\""	HopToDesk.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\hoptodesk	HopToDesk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\HopToDesk\ = "URL:hoptodesk Protocol"	HopToDesk.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\hoptodesk\shell\open\command	HopToDesk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\HopToDesk\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HopToDesk.exe\" \"--connect\" \"%1\""	HopToDesk.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4832	HopToDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4832	HopToDesk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4832	HopToDesk.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4832	HopToDesk.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 1496	4832	HopToDesk.exe	80
PID 4832 wrote to memory of 1496	4832	HopToDesk.exe	80
PID 4832 wrote to memory of 1496	4832	HopToDesk.exe	80
PID 4832 wrote to memory of 436	4832	HopToDesk.exe	83
PID 4832 wrote to memory of 436	4832	HopToDesk.exe	83
PID 4832 wrote to memory of 436	4832	HopToDesk.exe	83
PID 436 wrote to memory of 2504	436	HopToDesk.exe	84
PID 436 wrote to memory of 2504	436	HopToDesk.exe	84
PID 436 wrote to memory of 2504	436	HopToDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\HopToDesk.exe
"C:\Users\Admin\AppData\Local\Temp\HopToDesk.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall show rule name= HopToDesk verbose
  2⤵
  - Modifies Windows Firewall
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\HopToDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\HopToDesk.exe" --fw
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="HopToDesk" dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\HopToDesk.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sciter.dll

Filesize
5.8MB

MD5
fc2311ca280c197f5ed16def6d464b6b

SHA1
0c0957c2db583a080010e63da9184a9ea1184b76

SHA256
285f3e6a051a7c61845cd7e4d2120781b6bdf411239f70a85c65b38a52d38f28

SHA512
8400ec74282f16caafcbcecf46cb289829ecaeeee400a5114c13751e83fb1bb660bb64a6961b612489bc764a711c40dcdecc4f835ce0dc4f1d602f2d67f75719

Download Submit
C:\Users\Admin\AppData\Local\Temp\sciter.dll

Filesize
5.8MB

MD5
fc2311ca280c197f5ed16def6d464b6b

SHA1
0c0957c2db583a080010e63da9184a9ea1184b76

SHA256
285f3e6a051a7c61845cd7e4d2120781b6bdf411239f70a85c65b38a52d38f28

SHA512
8400ec74282f16caafcbcecf46cb289829ecaeeee400a5114c13751e83fb1bb660bb64a6961b612489bc764a711c40dcdecc4f835ce0dc4f1d602f2d67f75719

Download Submit
C:\Users\Admin\AppData\Local\Temp\sciter.dll

Filesize
5.8MB

MD5
fc2311ca280c197f5ed16def6d464b6b

SHA1
0c0957c2db583a080010e63da9184a9ea1184b76

SHA256
285f3e6a051a7c61845cd7e4d2120781b6bdf411239f70a85c65b38a52d38f28

SHA512
8400ec74282f16caafcbcecf46cb289829ecaeeee400a5114c13751e83fb1bb660bb64a6961b612489bc764a711c40dcdecc4f835ce0dc4f1d602f2d67f75719

Download Submit
C:\Users\Admin\AppData\Local\Temp\sciter.dll

Filesize
5.8MB

MD5
fc2311ca280c197f5ed16def6d464b6b

SHA1
0c0957c2db583a080010e63da9184a9ea1184b76

SHA256
285f3e6a051a7c61845cd7e4d2120781b6bdf411239f70a85c65b38a52d38f28

SHA512
8400ec74282f16caafcbcecf46cb289829ecaeeee400a5114c13751e83fb1bb660bb64a6961b612489bc764a711c40dcdecc4f835ce0dc4f1d602f2d67f75719

Download Submit
memory/436-135-0x00000000007C0000-0x0000000001924000-memory.dmp

Filesize
17.4MB

Download
memory/436-136-0x00000000007C0000-0x0000000001924000-memory.dmp

Filesize
17.4MB

Download
memory/4832-133-0x00000000007C0000-0x0000000001924000-memory.dmp

Filesize
17.4MB

Download
memory/4832-164-0x00000000007C0000-0x0000000001924000-memory.dmp

Filesize
17.4MB

Download
memory/4832-165-0x00000000007C0000-0x0000000001924000-memory.dmp

Filesize
17.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads