94c935fd24fd29016877ef25d33f5afb8253706842a33cc5b482bb3bc4fb928f

Analysis

max time kernel
131s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 04:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f224c203013b0d3afbcd92267475d57.exe
Size

43KB
MD5

0f224c203013b0d3afbcd92267475d57
SHA1

65cdbc2f24de2130ebb5f469f9ffa547a0950b3e
SHA256

94c935fd24fd29016877ef25d33f5afb8253706842a33cc5b482bb3bc4fb928f
SHA512

141099f1c08f4b1f39a5958b1e372c2cbabd40e616c168dce5b03bd0b80289c9814cc8699f36be8907ade58aeb42efccddea81bb4b088ea18d336f66fcc8aa5f
SSDEEP

768:9C0x8GeEZ3xx/ShJ3Qt9Uh7Had9zFGqdg4HT63XZ9tTGCWgo2XRy8:9C0a0xSJE9Uherpdg0Twbv73By8

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\husjdd8s\ImagePath = "C:\\Windows\\system32\\husjdd8s.exe -j"	0f224c203013b0d3afbcd92267475d57.exe

Executes dropped EXE 1 IoCs

pid	Process
1812	husjdd8s.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\osiesd3.dll	husjdd8s.exe
File created	C:\Windows\SysWOW64\husjdd8s.exe	0f224c203013b0d3afbcd92267475d57.exe
File opened for modification	C:\Windows\SysWOW64\husjdd8s.exe	0f224c203013b0d3afbcd92267475d57.exe
File created	C:\Windows\SysWOW64\husjdd8s.exe	husjdd8s.exe
File created	C:\Windows\SysWOW64\KillMe.bat	0f224c203013b0d3afbcd92267475d57.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2264	0f224c203013b0d3afbcd92267475d57.exe
2264	0f224c203013b0d3afbcd92267475d57.exe
1812	husjdd8s.exe
1812	husjdd8s.exe
1812	husjdd8s.exe
1812	husjdd8s.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 488	2264	0f224c203013b0d3afbcd92267475d57.exe	93
PID 2264 wrote to memory of 488	2264	0f224c203013b0d3afbcd92267475d57.exe	93
PID 2264 wrote to memory of 488	2264	0f224c203013b0d3afbcd92267475d57.exe	93

C:\Users\Admin\AppData\Local\Temp\0f224c203013b0d3afbcd92267475d57.exe
"C:\Users\Admin\AppData\Local\Temp\0f224c203013b0d3afbcd92267475d57.exe"
1⤵
- Sets service image path in registry
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\KillMe.bat
  2⤵
  PID:488

C:\Windows\SysWOW64\husjdd8s.exe
C:\Windows\SysWOW64\husjdd8s.exe -j
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KillMe.bat

Filesize
211B

MD5
2d11dbd4ca21c26582126379d964ea49

SHA1
714714066033a3bce3d515923b4719b63daee35e

SHA256
7b41ab775bf61189a38e7199f5d7414a36a00eee37097235069be382b0edd793

SHA512
f900ad25dded7e65e2e5e524c92ffe8e763db8869daa3e4687f884aeacb0ce5b2f096b85ee7a4f93b7eb3cc015d153edb278b45abce2fec7ab18e3eb2ee25e7a

Download Submit
C:\Windows\SysWOW64\husjdd8s.exe

Filesize
43KB

MD5
0f224c203013b0d3afbcd92267475d57

SHA1
65cdbc2f24de2130ebb5f469f9ffa547a0950b3e

SHA256
94c935fd24fd29016877ef25d33f5afb8253706842a33cc5b482bb3bc4fb928f

SHA512
141099f1c08f4b1f39a5958b1e372c2cbabd40e616c168dce5b03bd0b80289c9814cc8699f36be8907ade58aeb42efccddea81bb4b088ea18d336f66fcc8aa5f

Download Submit
memory/1812-6-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1812-5-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1812-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2264-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2264-1-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2264-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download