db86f8198ad1d0f405d1cb3c02bf0590157a3c045a761d6692993b906d3f20eb

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2375eb5c02ec303a04207fb727178b7f.exe
Size

2.1MB
MD5

2375eb5c02ec303a04207fb727178b7f
SHA1

e7591ae6421ba07e459aa06411b1fd7b8e31aefb
SHA256

db86f8198ad1d0f405d1cb3c02bf0590157a3c045a761d6692993b906d3f20eb
SHA512

749085fc99bde04e409e491cdb45f969548cd348e9c98428722c609fde45dbadcaefa408ef8140de646e444e088e40adf4f2e5ee36ee165837c9511c40ee11ed
SSDEEP

49152:cuW8tUfxtUfLtUfPtUfjaI7iD+bcJBVlApYirWGe+avg:cuL+fx+fL+fP+fH8Vlx1+B

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2800	HyCam2.exe

Loads dropped DLL 4 IoCs

pid	Process
2140	2375eb5c02ec303a04207fb727178b7f.exe
2140	2375eb5c02ec303a04207fb727178b7f.exe
2800	HyCam2.exe
2800	HyCam2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2800	HyCam2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2800	HyCam2.exe
2800	HyCam2.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2800	2140	2375eb5c02ec303a04207fb727178b7f.exe	28
PID 2140 wrote to memory of 2800	2140	2375eb5c02ec303a04207fb727178b7f.exe	28
PID 2140 wrote to memory of 2800	2140	2375eb5c02ec303a04207fb727178b7f.exe	28
PID 2140 wrote to memory of 2800	2140	2375eb5c02ec303a04207fb727178b7f.exe	28
PID 2140 wrote to memory of 2800	2140	2375eb5c02ec303a04207fb727178b7f.exe	28
PID 2140 wrote to memory of 2800	2140	2375eb5c02ec303a04207fb727178b7f.exe	28
PID 2140 wrote to memory of 2800	2140	2375eb5c02ec303a04207fb727178b7f.exe	28

C:\Users\Admin\AppData\Local\Temp\2375eb5c02ec303a04207fb727178b7f.exe
"C:\Users\Admin\AppData\Local\Temp\2375eb5c02ec303a04207fb727178b7f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\HyCam2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\HyCam2.exe" -install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\HyCam2.exe

Filesize
413KB

MD5
63f328f7327f03542ebb6caaf552a0ef

SHA1
26d6e1e94c565b665c1a56988d39e289596a0f74

SHA256
bda1691e6f622eb21b2cd74e837900621ae7739b0c3c5d67c679998380647aa8

SHA512
eb7bdcffa6baba9c30f9b1d988178c1767fe3aeddcbbe69dae913d016e5b2b1f19650db697414189f1a768f3d76df745153fefac79446249c3cd3761dedb429c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HyCam2.exe

Filesize
924KB

MD5
8c9aec181db5e0b0803093fba6b2a4c2

SHA1
fc9dc6331125251bc9eb96d89d0ada667111da3a

SHA256
1c5ab9e9df78a6882dfb475570c40ce043462cf71f369e35550bc514205fd76c

SHA512
da58a8c2cecf76faa2de702d97f184bfbd837d35b501a9d21260ffbd499c442c02fb1415b2f6bf8765e125fcb06778a09dae13c92a9511bfd00a465bffff429e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HyCam2.exe

Filesize
412KB

MD5
16463d7e5690cf7a65d371f3f38ab80d

SHA1
3f808883eebf41dc23202e08fa382e1f51f7ad66

SHA256
a2873abe495eee3aebc3c124e243b6114628d2fb99f6bb675726df07d5e4ff81

SHA512
08d19b24f78e10d3e180290fa9d840fefe9c3249f19bfd7a287fa116e63602e7b5e80d3ab88c9addf1352150e7a82a12c8f853111763c1135989d79045acbedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\agreement.txt

Filesize
3KB

MD5
3a696e0ead7c02db271b77e2d93f41df

SHA1
9bd7244bc4380613aaa4b348901ddeb47ebd1ec3

SHA256
6ca4aa606732782a11e61a2ad62cb5250629b8cab96c14b964d7725a6c8ec5be

SHA512
0a764db8e05d5cc8de955de5e6b34dded4b408638f22a836e2a486effae960bb5f3e2de469d7024076d83d76eff185939cbe4305c55997934e937882b4a7ee03

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\CamRes2.dll

Filesize
116KB

MD5
12817efa5ff4d1f3205e3a45827a498a

SHA1
457b3005aa2dc3dc34d5c3015df6df26060bf9ab

SHA256
0784c4db000fcf1304e0ff45d935bf2d55ceba2ec7f94b05c4520d68da74a210

SHA512
23cf0992229ab187726a06598bdba8e4f4dc25be1558238304984ff831ea05005b792535198c2fdf5ab4d3463122c005e20f2315c7b52315e48ee2fec1e962e1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\HyCam2.exe

Filesize
415KB

MD5
b618cd52160c255089e79c80685b0ec2

SHA1
4fd4eac75b8a58fe827dcaa7649bcbe0e34cee65

SHA256
774405b9dd6fd25d4f1a3056169548a5a3575fb69bd4632b5f9ff49dae437a65

SHA512
f20e85f211c232b17e857807008e4800cc4767d64faf57aa81c6d92988ab898f1e36c775f8eaabc89cea9615f21e59b7bce473d519fa8f7552d51239231c0ff7

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\MClick2.dll

Filesize
56KB

MD5
75674242cd862c0143526ddbb023cd64

SHA1
1c543932b2fdc19940674d93d9954b2f3aa0fe02

SHA256
49c121f93da902e9f38d3ea55d5fafd2cf6b9837e68d59dbe09a7d5c8272169c

SHA512
9b7f7006c7c1841b7c07e7ffed621296c70d7691efd4fb586b0bc4c072cd7e33f7229fbd925b42b266a757a24424ef6fe2ef2a6dc95e22e22230e3ddbada8537

Download Submit
memory/2800-71-0x0000000000610000-0x000000000062E000-memory.dmp

Filesize
120KB

Download