94f068bda39698e454f3cd8905be87d1c761ca55c4a5f7c59f71a55861ed0d9e

Analysis

max time kernel
35s
max time network
50s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HitmanPro_x64.exe
Size

13.6MB
MD5

15e710b146c623f60cfa3e1b516b640e
SHA1

cc00f20fa520b3c5ea3bade44cd77e642a607150
SHA256

94f068bda39698e454f3cd8905be87d1c761ca55c4a5f7c59f71a55861ed0d9e
SHA512

3c5bcccf2a3442713007bd9fc1a78ec16ba80a96a97b47eb765d1a96a90ee3f792a6778a975644ca9a042142a7beff9cf01d97e1a9a68664f395c04eedeccbfc
SSDEEP

393216:CnH1zVtWtFaG25MJFjrTuSne6Jq7N/Sk9:haG2ufjrCqO

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\hitmanpro37.sys	HitmanPro_x64.exe
File opened for modification	C:\Windows\system32\drivers\hitmanpro37.sys	HitmanPro_x64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	185.228.168.9

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	HitmanPro_x64.exe
File opened (read-only)	\??\F:	HitmanPro_x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1696	HitmanPro_x64.exe
1696	HitmanPro_x64.exe
1696	HitmanPro_x64.exe
1696	HitmanPro_x64.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1696	HitmanPro_x64.exe
1696	HitmanPro_x64.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1696	HitmanPro_x64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe
"C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe"
1⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b1133ff5e9744c93314d4552ec889f89

SHA1
43567b3f7221c3f2dfbc44c29bce6cfb432ef61d

SHA256
20f5f80162981a2525b9879e4276daf6df70a58f4161c9091a6cc2446041adfb

SHA512
240bead41d02ed3e546f704c43e16ea3fe50942704313c535752854ee7a74adad2f428a5e3fdd6a37bed669776052df7a5dcfebef2085b5c8f10b4fa3cfdc9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBD68.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBF3F.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\System32\drivers\hitmanpro37.sys

Filesize
41KB

MD5
8fa94c9eb93e210b029213c2bc64ba06

SHA1
47dd85664414af5a1d94691106091b188663cbe1

SHA256
53acf83b04adf5f699be42030260cf44d8060987119e9786dcc9484f05eb868d

SHA512
3230914cf93d3ef6f12bdb9a1b6df0b328793dc5b66aab359c593a724ce0a6a6ab6c525c345c51ed337382e5b6286d53eb017405959aace1c8531704d2364fe6

Download Submit
memory/1696-48-0x0000000002E10000-0x0000000002E27000-memory.dmp

Filesize
92KB

Download