276198e30803db7e1c567868cb302237b8a95b16fa2fb4e1ab607d880cf73ef4

General

Target

httrack_x64-3.49.2.exe
Size

6.5MB
MD5

599394f1470eef8c7a63e84a7de25e49
SHA1

03ac7f400a2f3546f4b0397f476e1823187c12b6
SHA256

276198e30803db7e1c567868cb302237b8a95b16fa2fb4e1ab607d880cf73ef4
SHA512

057e19e02c6a511f9c9cb5eb86e066166f50290cd5b6dea8da67026f9f4d441c1963e79973a73f391e5fe5db802ff3777d09d76add88209fb500a83441d7cec6
SSDEEP

98304:v0SqgwDyM8QYn+uL0yqSvXVQv9VKOerelNw7G7ToHRDzYqls6qp1a9b:v0Xgk98QYHLmiVgVKONKsExvls6oa

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1116 created 1232	1116	httrack_x64-3.49.2.exe	3

Executes dropped EXE 1 IoCs

pid	Process
2232	SFJsWRj.exe

Loads dropped DLL 5 IoCs

pid	Process
1116	httrack_x64-3.49.2.exe
1116	httrack_x64-3.49.2.exe
2232	SFJsWRj.exe
2232	SFJsWRj.exe
2232	SFJsWRj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1116 set thread context of 2500	1116	httrack_x64-3.49.2.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 2232	1116	httrack_x64-3.49.2.exe	30
PID 1116 wrote to memory of 2232	1116	httrack_x64-3.49.2.exe	30
PID 1116 wrote to memory of 2232	1116	httrack_x64-3.49.2.exe	30
PID 1116 wrote to memory of 2232	1116	httrack_x64-3.49.2.exe	30
PID 1116 wrote to memory of 2232	1116	httrack_x64-3.49.2.exe	30
PID 1116 wrote to memory of 2232	1116	httrack_x64-3.49.2.exe	30
PID 1116 wrote to memory of 2232	1116	httrack_x64-3.49.2.exe	30
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31
PID 1116 wrote to memory of 2500	1116	httrack_x64-3.49.2.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\httrack_x64-3.49.2.exe
  "C:\Users\Admin\AppData\Local\Temp\httrack_x64-3.49.2.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Local\Temp\SFJsWRj.exe
    "C:\Users\Admin\AppData\Local\Temp\SFJsWRj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2232
- C:\Users\Admin\AppData\Local\Temp\httrack_x64-3.49.2.exe
  "C:\Users\Admin\AppData\Local\Temp\httrack_x64-3.49.2.exe"
  2⤵
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SFJsWRj.exe

Filesize
183KB

MD5
8eb83d03ac895bfc02605ffcf4638e48

SHA1
4652248cf75128893ae1e885d0ec0217fc25a5b4

SHA256
34dd266b2ec7f77dae04bdcd14e82b0cf977e0c6cc689a1c8a49737bb18a86be

SHA512
dbe9787c7f218826397ce53de01de33d3d3979aebed4030b6ec6af59d48c56362f9c8726af61655456c303444011619e0d88e50a630210020ad9c8db6c253081

Download Submit
C:\Users\Admin\AppData\Local\Temp\SFJsWRj.exe

Filesize
183KB

MD5
8eb83d03ac895bfc02605ffcf4638e48

SHA1
4652248cf75128893ae1e885d0ec0217fc25a5b4

SHA256
34dd266b2ec7f77dae04bdcd14e82b0cf977e0c6cc689a1c8a49737bb18a86be

SHA512
dbe9787c7f218826397ce53de01de33d3d3979aebed4030b6ec6af59d48c56362f9c8726af61655456c303444011619e0d88e50a630210020ad9c8db6c253081

Download Submit
C:\Users\Admin\AppData\Local\Temp\SFJsWRj.exe

Filesize
183KB

MD5
8eb83d03ac895bfc02605ffcf4638e48

SHA1
4652248cf75128893ae1e885d0ec0217fc25a5b4

SHA256
34dd266b2ec7f77dae04bdcd14e82b0cf977e0c6cc689a1c8a49737bb18a86be

SHA512
dbe9787c7f218826397ce53de01de33d3d3979aebed4030b6ec6af59d48c56362f9c8726af61655456c303444011619e0d88e50a630210020ad9c8db6c253081

Download Submit
\Users\Admin\AppData\Local\Temp\SFJsWRj.exe

Filesize
183KB

MD5
8eb83d03ac895bfc02605ffcf4638e48

SHA1
4652248cf75128893ae1e885d0ec0217fc25a5b4

SHA256
34dd266b2ec7f77dae04bdcd14e82b0cf977e0c6cc689a1c8a49737bb18a86be

SHA512
dbe9787c7f218826397ce53de01de33d3d3979aebed4030b6ec6af59d48c56362f9c8726af61655456c303444011619e0d88e50a630210020ad9c8db6c253081

Download Submit
\Users\Admin\AppData\Local\Temp\SFJsWRj.exe

Filesize
183KB

MD5
8eb83d03ac895bfc02605ffcf4638e48

SHA1
4652248cf75128893ae1e885d0ec0217fc25a5b4

SHA256
34dd266b2ec7f77dae04bdcd14e82b0cf977e0c6cc689a1c8a49737bb18a86be

SHA512
dbe9787c7f218826397ce53de01de33d3d3979aebed4030b6ec6af59d48c56362f9c8726af61655456c303444011619e0d88e50a630210020ad9c8db6c253081

Download Submit
\Users\Admin\AppData\Local\Temp\SFJsWRj.exe

Filesize
183KB

MD5
8eb83d03ac895bfc02605ffcf4638e48

SHA1
4652248cf75128893ae1e885d0ec0217fc25a5b4

SHA256
34dd266b2ec7f77dae04bdcd14e82b0cf977e0c6cc689a1c8a49737bb18a86be

SHA512
dbe9787c7f218826397ce53de01de33d3d3979aebed4030b6ec6af59d48c56362f9c8726af61655456c303444011619e0d88e50a630210020ad9c8db6c253081

Download Submit
\Users\Admin\AppData\Local\Temp\SFJsWRj.exe

Filesize
183KB

MD5
8eb83d03ac895bfc02605ffcf4638e48

SHA1
4652248cf75128893ae1e885d0ec0217fc25a5b4

SHA256
34dd266b2ec7f77dae04bdcd14e82b0cf977e0c6cc689a1c8a49737bb18a86be

SHA512
dbe9787c7f218826397ce53de01de33d3d3979aebed4030b6ec6af59d48c56362f9c8726af61655456c303444011619e0d88e50a630210020ad9c8db6c253081

Download Submit
\Users\Admin\AppData\Local\Temp\SFJsWRj.exe

Filesize
183KB

MD5
8eb83d03ac895bfc02605ffcf4638e48

SHA1
4652248cf75128893ae1e885d0ec0217fc25a5b4

SHA256
34dd266b2ec7f77dae04bdcd14e82b0cf977e0c6cc689a1c8a49737bb18a86be

SHA512
dbe9787c7f218826397ce53de01de33d3d3979aebed4030b6ec6af59d48c56362f9c8726af61655456c303444011619e0d88e50a630210020ad9c8db6c253081

Download Submit
memory/1116-1-0x00000000055D0000-0x0000000005A2A000-memory.dmp

Filesize
4.4MB

Download
memory/1116-0-0x00000000008B0000-0x0000000000F3A000-memory.dmp

Filesize
6.5MB

Download
memory/2232-37-0x0000000070810000-0x0000000070DBB000-memory.dmp

Filesize
5.7MB

Download
memory/2500-16-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2500-20-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2500-22-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2500-26-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2500-24-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2500-28-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2500-32-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2500-30-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2500-34-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2500-35-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2500-36-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2500-18-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing