e780c2aabd73f7665c7a65183fadc20dd064029a86d1724ad70678fbc4e3f00b

Analysis

max time kernel
146s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03974fe95ad4ac67adb778a1dc5ba151.exe
Size

619KB
MD5

03974fe95ad4ac67adb778a1dc5ba151
SHA1

81107650f9cdabe5e95f3c11825f4858cb5818be
SHA256

e780c2aabd73f7665c7a65183fadc20dd064029a86d1724ad70678fbc4e3f00b
SHA512

7902bcc3631bdb933a0fcb5d34e52eb677b13dfcecd6f85466b451f9f97a746946c09de351e0418684b080e4094b6a71a5b82ed46b9a5cb5fcb93744515d2cf1
SSDEEP

12288:37/3xWkmMrARHchNvvw5lRfFLUkblMK9BKlIz7y:3gkARYvw/Rf91Cs+Iz7y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
636	hysetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
636	hysetup.exe
636	hysetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 636	3480	03974fe95ad4ac67adb778a1dc5ba151.exe	92
PID 3480 wrote to memory of 636	3480	03974fe95ad4ac67adb778a1dc5ba151.exe	92
PID 3480 wrote to memory of 636	3480	03974fe95ad4ac67adb778a1dc5ba151.exe	92

C:\Users\Admin\AppData\Local\Temp\03974fe95ad4ac67adb778a1dc5ba151.exe
"C:\Users\Admin\AppData\Local\Temp\03974fe95ad4ac67adb778a1dc5ba151.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Users\Admin\AppData\Local\Temp\hysetup.exe
  "C:\Users\Admin\AppData\Local\Temp\hysetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IRIMG1.BMP

Filesize
7KB

MD5
2414b0b43387e28dba8cbd0964b1617c

SHA1
8dbd9997015a782101167e4c460ea0f3bf5568e1

SHA256
f0a0df5fdd76c46560371790798ccc1ec0425faad3a7db49e9d2ab51a629ea3b

SHA512
a4f058fa125708199cf11f5a961896b67e9c3df038bd57de27e99c03d257f294bcb4b1229487827fa97feda5e44c830ec35e82e5a569f3fbb63a8a3584dc2383

Download Submit
C:\Users\Admin\AppData\Local\Temp\hysetup.exe

Filesize
708KB

MD5
9433d5ac20edcf7d39c454fe2f67b43d

SHA1
b46be8abecd975d942bf28987bbda8686f079838

SHA256
3687a458ea72df00e771a62c3eff33849631c662f62c9bb4fa3c735cc2b51b39

SHA512
50fdfb6d8a5305970b65c772de6b1fe1f4791ea379821853579c99e72dc9c3e36d6e9129451ade3084616996abac84137a4446f9747c195695c5d49fd5073ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.dat

Filesize
3KB

MD5
e568b9292a73a0bf2d66960451fef206

SHA1
0c2677c154002014a45898d1109c5b81709c5362

SHA256
49e542ef8b08578e9a77c8bddab8095944f63451dd5d98f2e01e465fcd6cadc5

SHA512
fc83f61b1b4c9eed33d42ee4fcbb47ad24ca0b1ad929d6f535b9916b2045aa31f5042cb0570788c249c0c4e928bf2187f9c289d03ff14e0b34f1d5f7b7c8cdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.ini

Filesize
105B

MD5
9e30037abd66a36602e1ee9037a744df

SHA1
c6574f27d929470625963de2c77e91addca69c6a

SHA256
df4dceca76e234a884ca96c80403df2f5970ce6c2068067046df405ff01d5b51

SHA512
9f6de3f26641168bd21f2abc8c18b68c96935dbe07cb944671687b6686a88be36e293a5dc8de54c50a65e278a1fb44ba7d93a0e9e8be9c3137a8858339253a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\suf6lng.4

Filesize
12KB

MD5
8bd36358610b8d3c6f542ec5fef70727

SHA1
a11adad6b3888809f59d90a1d72f56c81f6dd0ae

SHA256
17c9854ab4b0bb7b2d5b737e721263d5d3169ffecdd5850c68124cd6da353456

SHA512
37e7c6b94ef4672d2700b365f3c68e19a4fff680b3dedc4b5e1923822605f6ab01d1b96bef5b724d5dfefd71da0d1db5d860859be658b6cacc1dccff566398ae

Download Submit