Analysis
-
max time kernel
139s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system -
submitted
15-12-2023 01:47
Static task
static1
Behavioral task
behavioral1
Sample
HWMonitor.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
HWMonitor.exe
Resource
win10v2004-20231130-en
General
-
Target
HWMonitor.exe
-
Size
6.4MB
-
MD5
19a05a559b0c478f3049cd414300a340
-
SHA1
fadbbb63e948b5b3bbbaeedc77e69472143a3b86
-
SHA256
000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee
-
SHA512
1f9b320048958fb5b81b8dc6f8ab402d795175dda3476f7cc7251642383345538320eaa4d24de7d0f7e2d2d59073cbc9a250226ee06bc0f0dfab8bb5673aaa84
-
SSDEEP
49152:GkzIAFeiibxQU6vdYqTzEuZf6Q9iBUqL5cQf3S9+uCQHSvT9A+aoNDqcKqQx759B:Nnu7S/QN+on
Malware Config
Signatures
-
GLES Rule: track HazyLoad proxy tool in memory. 2 IoCs
detect proxy-related strings loaded in memory by HazyLoad loader.
Processes:
resource yara_rule behavioral2/memory/4212-0-0x0000015B5DE90000-0x0000015B5DEB7000-memory.dmp APT_NK_TA430_HazyLoad_Mem behavioral2/memory/4212-1-0x0000015B5DE90000-0x0000015B5DEB7000-memory.dmp APT_NK_TA430_HazyLoad_Mem -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
HWMonitor.exepid process 4212 HWMonitor.exe 4212 HWMonitor.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
svchost.exedescription pid process Token: SeManageVolumePrivilege 3024 svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
HWMonitor.exepid process 4212 HWMonitor.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HWMonitor.exe"C:\Users\Admin\AppData\Local\Temp\HWMonitor.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4212
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:3388
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3024
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD56f45f762f992768246dd71e51f3dbc85
SHA16414b2d16186f463a58381a6a63b681cc607ec2c
SHA25649bfd2f15dd15fab720004cef616cc711c5bb0981620a6b90da5bd5062d297a3
SHA51229e317827bf2559b064dde6e4fe8a024b3e4946f13a90759c6c8c45deecc830cd3a1b9e647b94a6b6617dfdf2e88c35d1a7142c092f4f71ead0db300369dd8a3