b7772e6959c773d04203373a3adcff3bc81b667726cf4f7155c9135331b21760

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GHK-0987654567890.exe
Size

770KB
MD5

67402da400ada59436a91b26a1bdf358
SHA1

662ebf818c49a600d122fe367b24e4d2998259e9
SHA256

b7772e6959c773d04203373a3adcff3bc81b667726cf4f7155c9135331b21760
SHA512

914ca1058d7f4352cdc417846b666726b79e08b2c22f5085ffff07b87f82f2a918e944374e938c71215d8533132d1376a2a2181f5e6bbf41a7e8641b0af1e125
SSDEEP

24576:RfL0hKAOj09taoR5KYEL78IVU/i9MWLT1NIQJH6Yz:dw9IhL/8z3kxJH6Yz

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2460	physpnmmi.exe
1936	physpnmmi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pyyueaajss = "C:\\Users\\Admin\\AppData\\Roaming\\ktddyirr\\nwwrbbkgg.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\physpnmmi.exe\" "	physpnmmi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2460 set thread context of 1936	2460	physpnmmi.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2460	physpnmmi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1936	physpnmmi.exe
1936	physpnmmi.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 2460	4936	GHK-0987654567890.exe	85
PID 4936 wrote to memory of 2460	4936	GHK-0987654567890.exe	85
PID 4936 wrote to memory of 2460	4936	GHK-0987654567890.exe	85
PID 2460 wrote to memory of 1936	2460	physpnmmi.exe	86
PID 2460 wrote to memory of 1936	2460	physpnmmi.exe	86
PID 2460 wrote to memory of 1936	2460	physpnmmi.exe	86
PID 2460 wrote to memory of 1936	2460	physpnmmi.exe	86

C:\Users\Admin\AppData\Local\Temp\GHK-0987654567890.exe
"C:\Users\Admin\AppData\Local\Temp\GHK-0987654567890.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\physpnmmi.exe
  "C:\Users\Admin\AppData\Local\Temp\physpnmmi.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\physpnmmi.exe
    "C:\Users\Admin\AppData\Local\Temp\physpnmmi.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\physpnmmi.exe

Filesize
190KB

MD5
e9c6874fe8ce70b99479cb4bef16581f

SHA1
da08bd5c828ede24db0f20dac0b55755feb92f5e

SHA256
1fcf146e0ef1725c0e2967ec02d096bb46d39b55b3403508468430f247d93209

SHA512
9c59ab24985aceb371cf0873266d0d07774489a39382c55f44635dcd7306229513c0d9781ee321683d893ad4e731136ff998c88c644151a2a97c1665ea3c255d

Download Submit
C:\Users\Admin\AppData\Local\Temp\physpnmmi.exe

Filesize
190KB

MD5
e9c6874fe8ce70b99479cb4bef16581f

SHA1
da08bd5c828ede24db0f20dac0b55755feb92f5e

SHA256
1fcf146e0ef1725c0e2967ec02d096bb46d39b55b3403508468430f247d93209

SHA512
9c59ab24985aceb371cf0873266d0d07774489a39382c55f44635dcd7306229513c0d9781ee321683d893ad4e731136ff998c88c644151a2a97c1665ea3c255d

Download Submit
C:\Users\Admin\AppData\Local\Temp\physpnmmi.exe

Filesize
190KB

MD5
e9c6874fe8ce70b99479cb4bef16581f

SHA1
da08bd5c828ede24db0f20dac0b55755feb92f5e

SHA256
1fcf146e0ef1725c0e2967ec02d096bb46d39b55b3403508468430f247d93209

SHA512
9c59ab24985aceb371cf0873266d0d07774489a39382c55f44635dcd7306229513c0d9781ee321683d893ad4e731136ff998c88c644151a2a97c1665ea3c255d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wavabqd.xo

Filesize
778KB

MD5
7bf686ecb7232f8e2ffb853c10fab48e

SHA1
ce40410bc4f4a9c9ec86561414b2136be58f964e

SHA256
ce4820f34af655d5bc2656c3aa9c44d1e71af4f73ebd1222e5043a812923a6ef

SHA512
335e72e428ea94a79208364e3a0196245b4f0fea0d6ecea78186a4f812b91aca4ad7cb22d0a944cd276729fab2ef017e24076d14b10f175fbbdac8837a8105d7

Download Submit
memory/1936-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1936-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1936-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-5-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads