c0dfa51657d72d26ab58594bca7fd35e6e41e57085436974efd4ffd25e4445b8

Resubmissions

31/10/2023, 07:12

231031-h1xr9shb9w 6

31/10/2023, 07:09

231031-hy68xsbc69 6

31/10/2023, 07:01

231031-htdqtabc49 6

Analysis

max time kernel
140s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HideUL/HideUL.exe
Size

779KB
MD5

59e6919b61bcef4225d571e10fb13ef2
SHA1

c864cb1e389c51bdea6cecfed47162e6a03f1e22
SHA256

65ceb24e66bdac7453863bf268316bf6b6b17070ae1100713027c0be398e61f6
SHA512

c904007bd0989c6be41ce1afbbf05fa72d4f81a8b5a4e81e0fda11030e772d6a33c21fad0fe4e1faf97ec0611427a8c7aa6366d5920714e835ba80444f76d89c
SSDEEP

12288:daWzgMg7v3qnCiMErQohh0F4TCJ8lnyJQY4ZNGdiXJpp05iwQK:8aHMv6C4rjXnyJQRZYiA5kK

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\DisplayIcon.ico	HideUL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2756	HideUL.exe
2756	HideUL.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2756	HideUL.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2304	2756	HideUL.exe	30
PID 2756 wrote to memory of 2304	2756	HideUL.exe	30
PID 2756 wrote to memory of 2304	2756	HideUL.exe	30
PID 2756 wrote to memory of 2304	2756	HideUL.exe	30
PID 2304 wrote to memory of 2652	2304	control.exe	31
PID 2304 wrote to memory of 2652	2304	control.exe	31
PID 2304 wrote to memory of 2652	2304	control.exe	31

C:\Users\Admin\AppData\Local\Temp\HideUL\HideUL.exe
"C:\Users\Admin\AppData\Local\Temp\HideUL\HideUL.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\System32\control.exe
  "C:\Windows\System32\control.exe" "C:\Windows\System32\appwiz.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\appwiz.cpl",
    3⤵
    PID:2652

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HideUL\HideUL.ini

Filesize
28KB

MD5
70a54d5f1f61363a1f8e5792a0a44a88

SHA1
521a3726615c999320be87dd131857675601b9d2

SHA256
2181e8b4dea4bfcd2094601d45e71fe7c8789b66363c8740172ef9aef39b9a2a

SHA512
0284c61b40d7bcc1f4b8a7a7be4d8ac43f389d11f8945d37293502254e85623f613662102ff20f82a66847514fa484746fca3edb72ab4fd004c4250515b1f3f4

Download Submit
memory/2756-7-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download