000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2023 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HWMonitor.exe
Size

6.4MB
MD5

19a05a559b0c478f3049cd414300a340
SHA1

fadbbb63e948b5b3bbbaeedc77e69472143a3b86
SHA256

000752074544950ae9020a35ccd77de277f1cd5026b4b9559279dc3b86965eee
SHA512

1f9b320048958fb5b81b8dc6f8ab402d795175dda3476f7cc7251642383345538320eaa4d24de7d0f7e2d2d59073cbc9a250226ee06bc0f0dfab8bb5673aaa84
SSDEEP

49152:GkzIAFeiibxQU6vdYqTzEuZf6Q9iBUqL5cQf3S9+uCQHSvT9A+aoNDqcKqQx759B:Nnu7S/QN+on

Score

6^/10

Malware Config

Signatures

GLES Rule: track HazyLoad proxy tool in memory. 2 IoCs

detect proxy-related strings loaded in memory by HazyLoad loader.

Processes:

resource	yara_rule
behavioral2/memory/4212-0-0x0000015B5DE90000-0x0000015B5DEB7000-memory.dmp	APT_NK_TA430_HazyLoad_Mem
behavioral2/memory/4212-1-0x0000015B5DE90000-0x0000015B5DEB7000-memory.dmp	APT_NK_TA430_HazyLoad_Mem

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HWMonitor.exe

pid process

4212 HWMonitor.exe
4212 HWMonitor.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeManageVolumePrivilege 3024 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

HWMonitor.exe

pid process

4212 HWMonitor.exe

pid	process
4212	HWMonitor.exe
4212	HWMonitor.exe

description	pid	process
Token: SeManageVolumePrivilege	3024	svchost.exe

pid	process
4212	HWMonitor.exe

C:\Users\Admin\AppData\Local\Temp\HWMonitor.exe
"C:\Users\Admin\AppData\Local\Temp\HWMonitor.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4212

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
6f45f762f992768246dd71e51f3dbc85

SHA1
6414b2d16186f463a58381a6a63b681cc607ec2c

SHA256
49bfd2f15dd15fab720004cef616cc711c5bb0981620a6b90da5bd5062d297a3

SHA512
29e317827bf2559b064dde6e4fe8a024b3e4946f13a90759c6c8c45deecc830cd3a1b9e647b94a6b6617dfdf2e88c35d1a7142c092f4f71ead0db300369dd8a3

Download Submit
memory/3024-42-0x000001EC0C2B0000-0x000001EC0C2B1000-memory.dmp

Filesize
4KB

Download
memory/3024-68-0x000001EC0C010000-0x000001EC0C011000-memory.dmp

Filesize
4KB

Download
memory/3024-18-0x000001EC03C90000-0x000001EC03CA0000-memory.dmp

Filesize
64KB

Download
memory/3024-34-0x000001EC0C280000-0x000001EC0C281000-memory.dmp

Filesize
4KB

Download
memory/3024-35-0x000001EC0C2B0000-0x000001EC0C2B1000-memory.dmp

Filesize
4KB

Download
memory/3024-36-0x000001EC0C2B0000-0x000001EC0C2B1000-memory.dmp

Filesize
4KB

Download
memory/3024-37-0x000001EC0C2B0000-0x000001EC0C2B1000-memory.dmp

Filesize
4KB

Download
memory/3024-38-0x000001EC0C2B0000-0x000001EC0C2B1000-memory.dmp

Filesize
4KB

Download
memory/3024-39-0x000001EC0C2B0000-0x000001EC0C2B1000-memory.dmp

Filesize
4KB

Download
memory/3024-40-0x000001EC0C2B0000-0x000001EC0C2B1000-memory.dmp

Filesize
4KB

Download
memory/3024-70-0x000001EC0C120000-0x000001EC0C121000-memory.dmp

Filesize
4KB

Download
memory/3024-2-0x000001EC03B90000-0x000001EC03BA0000-memory.dmp

Filesize
64KB

Download
memory/3024-45-0x000001EC0BED0000-0x000001EC0BED1000-memory.dmp

Filesize
4KB

Download
memory/3024-44-0x000001EC0C2B0000-0x000001EC0C2B1000-memory.dmp

Filesize
4KB

Download
memory/3024-43-0x000001EC0C2B0000-0x000001EC0C2B1000-memory.dmp

Filesize
4KB

Download
memory/3024-46-0x000001EC0BEC0000-0x000001EC0BEC1000-memory.dmp

Filesize
4KB

Download
memory/3024-48-0x000001EC0BED0000-0x000001EC0BED1000-memory.dmp

Filesize
4KB

Download
memory/3024-51-0x000001EC0BEC0000-0x000001EC0BEC1000-memory.dmp

Filesize
4KB

Download
memory/3024-54-0x000001EC0BE00000-0x000001EC0BE01000-memory.dmp

Filesize
4KB

Download
memory/3024-41-0x000001EC0C2B0000-0x000001EC0C2B1000-memory.dmp

Filesize
4KB

Download
memory/3024-66-0x000001EC0C000000-0x000001EC0C001000-memory.dmp

Filesize
4KB

Download
memory/3024-69-0x000001EC0C010000-0x000001EC0C011000-memory.dmp

Filesize
4KB

Download
memory/4212-0-0x0000015B5DE90000-0x0000015B5DEB7000-memory.dmp

Filesize
156KB

Download
memory/4212-1-0x0000015B5DE90000-0x0000015B5DEB7000-memory.dmp

Filesize
156KB

Download