fcc8eee6d906d93800a9ab2b53d09cc87d84ff08f5da4a3231319014cc4d9d89

General

Target

fcc8eee6d906d93800a9ab2b53d09cc87d84ff08f5da4a3231319014cc4d9d89.exe
Size

4.4MB
MD5

36a57c9d51a36357541d1b6fab2f26a6
SHA1

9ec285745cebcdac9056534564bedfff26ed0733
SHA256

fcc8eee6d906d93800a9ab2b53d09cc87d84ff08f5da4a3231319014cc4d9d89
SHA512

28c0459144a26ddede9d464e21beac292b23b28cb418f2df5af03689493a4af4c639f724383c7c3184c6f6c527c082255ff677173f2821e9176aef90709053fc
SSDEEP

98304:A/U4y5jK8UBr6kRsNe0kysLUQV0DCw/1pWEFLb6dsbGqoA+x:AcZKtB2JeXysR0GPiL2dWwx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2704	MHcore.exe

Loads dropped DLL 1 IoCs

pid	Process
2412	fcc8eee6d906d93800a9ab2b53d09cc87d84ff08f5da4a3231319014cc4d9d89.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2412-2-0x0000000000400000-0x0000000000CE3000-memory.dmp	vmprotect
behavioral1/memory/2412-7-0x0000000000400000-0x0000000000CE3000-memory.dmp	vmprotect
behavioral1/memory/2412-57-0x0000000000400000-0x0000000000CE3000-memory.dmp	vmprotect
behavioral1/memory/2412-58-0x0000000000400000-0x0000000000CE3000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\MR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MHcore.exe"	MHcore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2412	fcc8eee6d906d93800a9ab2b53d09cc87d84ff08f5da4a3231319014cc4d9d89.exe
2412	fcc8eee6d906d93800a9ab2b53d09cc87d84ff08f5da4a3231319014cc4d9d89.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2412	fcc8eee6d906d93800a9ab2b53d09cc87d84ff08f5da4a3231319014cc4d9d89.exe
2412	fcc8eee6d906d93800a9ab2b53d09cc87d84ff08f5da4a3231319014cc4d9d89.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2704	2412	fcc8eee6d906d93800a9ab2b53d09cc87d84ff08f5da4a3231319014cc4d9d89.exe	28
PID 2412 wrote to memory of 2704	2412	fcc8eee6d906d93800a9ab2b53d09cc87d84ff08f5da4a3231319014cc4d9d89.exe	28
PID 2412 wrote to memory of 2704	2412	fcc8eee6d906d93800a9ab2b53d09cc87d84ff08f5da4a3231319014cc4d9d89.exe	28
PID 2412 wrote to memory of 2704	2412	fcc8eee6d906d93800a9ab2b53d09cc87d84ff08f5da4a3231319014cc4d9d89.exe	28

C:\Users\Admin\AppData\Local\Temp\fcc8eee6d906d93800a9ab2b53d09cc87d84ff08f5da4a3231319014cc4d9d89.exe
"C:\Users\Admin\AppData\Local\Temp\fcc8eee6d906d93800a9ab2b53d09cc87d84ff08f5da4a3231319014cc4d9d89.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\MHcore.exe
  "C:\Users\Admin\AppData\Local\Temp\\MHcore.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MHcore.exe

Filesize
2.4MB

MD5
b9e0cd1d598f21870f9cab29eb543d2a

SHA1
d6023b774fff8241c6be683c243ff06acda89be1

SHA256
bdbdcec294e99e74040708046b2b7768722bf982e99fafe4c184e1784a0e564c

SHA512
aa0ec1ff57138e77f5cf3b884d17d346ae1334749aefa589739aa17b7b77c29640bdba5fcf77251fed3555aaeea2d0e55f2b729b9b8df2bbb30f8bf54b531747

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\MHcore.exe

Filesize
2.4MB

MD5
b9e0cd1d598f21870f9cab29eb543d2a

SHA1
d6023b774fff8241c6be683c243ff06acda89be1

SHA256
bdbdcec294e99e74040708046b2b7768722bf982e99fafe4c184e1784a0e564c

SHA512
aa0ec1ff57138e77f5cf3b884d17d346ae1334749aefa589739aa17b7b77c29640bdba5fcf77251fed3555aaeea2d0e55f2b729b9b8df2bbb30f8bf54b531747

Download Submit
\Users\Admin\AppData\Local\Temp\MHcore.exe

Filesize
2.4MB

MD5
b9e0cd1d598f21870f9cab29eb543d2a

SHA1
d6023b774fff8241c6be683c243ff06acda89be1

SHA256
bdbdcec294e99e74040708046b2b7768722bf982e99fafe4c184e1784a0e564c

SHA512
aa0ec1ff57138e77f5cf3b884d17d346ae1334749aefa589739aa17b7b77c29640bdba5fcf77251fed3555aaeea2d0e55f2b729b9b8df2bbb30f8bf54b531747

Download Submit
memory/2412-16-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2412-44-0x0000000002690000-0x0000000002732000-memory.dmp

Filesize
648KB

Download
memory/2412-5-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2412-9-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2412-14-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2412-59-0x0000000002690000-0x0000000002732000-memory.dmp

Filesize
648KB

Download
memory/2412-19-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2412-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2412-26-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/2412-31-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/2412-29-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/2412-24-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/2412-21-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2412-34-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2412-32-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2412-37-0x0000000076FE0000-0x0000000076FE1000-memory.dmp

Filesize
4KB

Download
memory/2412-36-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2412-7-0x0000000000400000-0x0000000000CE3000-memory.dmp

Filesize
8.9MB

Download
memory/2412-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2412-2-0x0000000000400000-0x0000000000CE3000-memory.dmp

Filesize
8.9MB

Download
memory/2412-11-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2412-58-0x0000000000400000-0x0000000000CE3000-memory.dmp

Filesize
8.9MB

Download
memory/2412-57-0x0000000000400000-0x0000000000CE3000-memory.dmp

Filesize
8.9MB

Download
memory/2412-3-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2704-78-0x0000000010000000-0x0000000010201000-memory.dmp

Filesize
2.0MB

Download
memory/2704-50-0x0000000010000000-0x0000000010201000-memory.dmp

Filesize
2.0MB

Download
memory/2704-47-0x0000000076FE0000-0x0000000076FE1000-memory.dmp

Filesize
4KB

Download
memory/2704-45-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2704-60-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2704-63-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2704-61-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2704-52-0x0000000010000000-0x0000000010201000-memory.dmp

Filesize
2.0MB

Download
memory/2704-64-0x0000000010000000-0x0000000010201000-memory.dmp

Filesize
2.0MB

Download
memory/2704-65-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2704-66-0x0000000010000000-0x0000000010201000-memory.dmp

Filesize
2.0MB

Download
memory/2704-62-0x0000000010000000-0x0000000010201000-memory.dmp

Filesize
2.0MB

Download
memory/2704-82-0x0000000010000000-0x0000000010201000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads