33cb5bc0b6a2ee301ac0aa50fed0e36cdd1137e59c2cf89afa641ef1f01edda1

Analysis

max time kernel
211s
max time network
230s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 07:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

403eac6f3d9cd3f758cafbcb2571c5e5.exe
Size

1.4MB
MD5

403eac6f3d9cd3f758cafbcb2571c5e5
SHA1

67930168656cee03f427f077387106b00227b8d0
SHA256

33cb5bc0b6a2ee301ac0aa50fed0e36cdd1137e59c2cf89afa641ef1f01edda1
SHA512

83276833284ad64c4558a3a4293b72d2456c5a28f2487b76e94c719825e6400998faa00ffe8dd6c28cc49ec27c18cba06d12fae9da486f3248fc1c11dbc95969
SSDEEP

24576:YW/MfHeQFPao3rtVvGmfO4RcCHCTr4WH4y6b5rBwun5Sd5wC2c+Z08Cz/M:YqyPaIqmfO4SCHGr4WYy69rBwOUdFD+m

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2436	FileHunter.exe
2920	pumpa.exe

Loads dropped DLL 9 IoCs

pid	Process
1632	403eac6f3d9cd3f758cafbcb2571c5e5.exe
1632	403eac6f3d9cd3f758cafbcb2571c5e5.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2920	pumpa.exe
2920	pumpa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\FileHunter Check for updates = "C:\\Users\\Admin\\AppData\\Roaming\\FileHunter\\update.exe"	403eac6f3d9cd3f758cafbcb2571c5e5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe
2436	FileHunter.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2436	FileHunter.exe
2436	FileHunter.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2436	1632	403eac6f3d9cd3f758cafbcb2571c5e5.exe	29
PID 1632 wrote to memory of 2436	1632	403eac6f3d9cd3f758cafbcb2571c5e5.exe	29
PID 1632 wrote to memory of 2436	1632	403eac6f3d9cd3f758cafbcb2571c5e5.exe	29
PID 1632 wrote to memory of 2436	1632	403eac6f3d9cd3f758cafbcb2571c5e5.exe	29
PID 1632 wrote to memory of 2436	1632	403eac6f3d9cd3f758cafbcb2571c5e5.exe	29
PID 1632 wrote to memory of 2436	1632	403eac6f3d9cd3f758cafbcb2571c5e5.exe	29
PID 1632 wrote to memory of 2436	1632	403eac6f3d9cd3f758cafbcb2571c5e5.exe	29
PID 2436 wrote to memory of 2920	2436	FileHunter.exe	31
PID 2436 wrote to memory of 2920	2436	FileHunter.exe	31
PID 2436 wrote to memory of 2920	2436	FileHunter.exe	31
PID 2436 wrote to memory of 2920	2436	FileHunter.exe	31
PID 2436 wrote to memory of 2920	2436	FileHunter.exe	31
PID 2436 wrote to memory of 2920	2436	FileHunter.exe	31
PID 2436 wrote to memory of 2920	2436	FileHunter.exe	31

C:\Users\Admin\AppData\Local\Temp\403eac6f3d9cd3f758cafbcb2571c5e5.exe
"C:\Users\Admin\AppData\Local\Temp\403eac6f3d9cd3f758cafbcb2571c5e5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe
  "C:\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe" ""
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Roaming\FileHunter\pumpa.exe
    "C:\Users\Admin\AppData\Roaming\FileHunter\pumpa.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe

Filesize
809KB

MD5
86a2917daa7cb81b8b291fca6c42a93e

SHA1
b77e3d0ac90ec60e02a1fc19d91c9c87485243b1

SHA256
45310cd3d7f4869036157e56f10e617961496a05148157df164968bda96222df

SHA512
80a4aaa764f3433e452d1fe7ac7202fd5dc2ab9c951d4c464c4d7ca6d13a5faeb83b4d8bb0a8b2f7cd9068cf22d3b627287fe699e3c6c97ef84af0427f820adb

Download Submit
C:\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe

Filesize
1.0MB

MD5
41d7cc9e7c5801bf4d9c3b6b41bbdc98

SHA1
5695b6f6704db13c75d9fa4b9a7eab02bf9dcee4

SHA256
abb1dabfbeebe90e4112401031d3421adc6bb7ad4d0067ac2c82d8f76fffb9d3

SHA512
41dd315504a8231363e1c8163ab3e2d4fd979f4c7e1dbe922df39a80ba25889676564a060824cb4c71959a32cef448bcc324d67e6b57428decbe4a52a75fcbc9

Download Submit
C:\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe

Filesize
597KB

MD5
ef77dda535c36cf01f632f2d753b9987

SHA1
cd1fba10146f3eb0303c47c93bc9a70f0684de5b

SHA256
72aba19bb3cfa5b69e1e1c2eea36c43adf38764bc6c3c791adbaefd7749fa88d

SHA512
10a350424e4e706cad45becb51f8561ed4cd3ab85900b1ad0ae742d3a354c2ed2d9bd33297670f8245fb74271e4ca0462eeabd7aa4627206a672bbd63dd2577b

Download Submit
C:\Users\Admin\AppData\Roaming\FileHunter\pumpa.exe

Filesize
9KB

MD5
096abf9c5b5c78af4ab2ce891106177c

SHA1
636836dd8c439ec23dcf0689de5e1052ccb6c51a

SHA256
479f0cedb8dbe10cf8911cabc9f92c2b33b99e99a6b5c7d190d74775c919e9b0

SHA512
5a2210c2b01d30eaa7941605030b505c81e48696e2e859e87246ca91eb9c91393b7c429c2bd8f60b036aec7bf8e6c384b21a2704483584f49489ecc337e2e95d

Download Submit
C:\Users\Admin\AppData\Roaming\FileHunter\pumpa.exe

Filesize
438KB

MD5
95370f927eaa4c6ee09292cee98c283e

SHA1
f2e999633bda9eddf24116c23488dedab385a049

SHA256
2e3fb7016d9ef98c5130377baf7a0a1a4b886bd0d9cf079a3cab40d6182718af

SHA512
4662f7e9e7947292e182f3d74bcbf63b75f09326d78ac5f23f3529af74a06f70d47832e05b677641aa5a2e75b0a0951ef8f15bd1cbccaf4f06b64caed18dc333

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe

Filesize
1.0MB

MD5
c7f7595b6cab299e7c9e8a9981590f9c

SHA1
76a2ad1290205951a5dad571e77af0642fbd7ec5

SHA256
8ea3df85ba30af8c7cebf2808900b114b382f608d831a114ba8a263a1917fec8

SHA512
7099720b5bb2a0367055e65d4d327cd95e7949b3a65db5885fb21355d984c48d5b0e58c715d992df3516942c63ef1b104a8b5aa44d43bbff4706473d66ffda05

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe

Filesize
641KB

MD5
7313caede83840ef8513cca40ac0e7ba

SHA1
f9355c12f13513e2c91be2e162becc3176c3801e

SHA256
883030cc9c6a3fbbb447a2755c3ec1b021d316e883c58a6e9fb17a668cf500d7

SHA512
ed0dd77fcd73b096c2359fa71705792380d846bbeaf20ad454278feb5b3f2ee56177115bca2350091059e9e0746127f184ff059264afe9000f0f1404e0a5dc32

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe

Filesize
763KB

MD5
9b99b00751edc713ae28b95589609a9e

SHA1
a085f4b279d06858314694b9de85943053b5b054

SHA256
49771c11ab7cde80f473ae80f64106d79b6b52ecc0e68826e6432bd773462067

SHA512
f876a5c642554887115aa6e0ac1f4caab17fd4a4e1f1de2e9d0300148d1cacebbf8d6d53a604566bf51e4a2d6200bcc5a7ef4c6ab47129ab1f7797f51266f96d

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe

Filesize
2KB

MD5
fcd61c8d5d5de37e64373b4217b7bda1

SHA1
d0d5882a0d8a98242025f34ca734335b65638a30

SHA256
a83695e0b687f66fb619bbfc3d886494d30c3a12913db3dfd98c57a7279b5b50

SHA512
d6a25fbe7e21ec0eb22ca1f5802935dd990bdb8c34da16af707ef384da6fcac50bed79a59358730ec334a50eeaa614a3d0aa4700b4f50aef99345e094769f985

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\FileHunter.exe

Filesize
1.3MB

MD5
0d20e5522926691ec35e29c8bcf414f9

SHA1
7e7e1f96f265dd30c1a35dd445532525c66c002c

SHA256
147e4e7b491fe7ef18b5b539208e3e5ee07c129fdd1862c856faf48d518efd90

SHA512
c04253262f1973d9d5aa7258e829d5e7b68dc2121b831966e64731bd1c5ac1ebfb2dd2fef88725d61b20a5d26114ca1122576c020e421c6c7e920f1a578ab86e

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\pumpa.exe

Filesize
454KB

MD5
2634e1b847c809c83361ccc66dc91cc2

SHA1
b946ca84b668e889d587751f1ac74d485e7ecf06

SHA256
b38997e689ae6e7d77402aca5e375fe7b4c66b329018d80f589e16bd8840c698

SHA512
25103577ee07094c4c924ed3aa2c496da7430765abc2c9e7ed13b80b6d1be05d35aec972f59d9d1853646c79a146649ceb432bbd55b904a48db12d0f89165da0

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\pumpa.exe

Filesize
344KB

MD5
dfa0074333a9c8e6776334340f58c18d

SHA1
cc3090ec834a393a9844b94791c1bb2e653b787e

SHA256
513c2ba0e2312762359fea84395300501e68bb44b9d0ea02c1c29e7c8c990a14

SHA512
4b643c9ee2e710455de77c09ef7dda0f8523e2cd9f4d63ce9d0ac6f528c6c00936211f4c83aee78ac44b717602c5bf3327da6cb28b2ac15dad8e340534a39aed

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\pumpa.exe

Filesize
361KB

MD5
1acab3896f413409a9eeed23238f791b

SHA1
de6584fab2c4866d4918ba98454d38f8269b03e0

SHA256
87c3027d2ea761906f68cdbd27e1d41bbc5cd48fd965cee32c43a13432ed8e07

SHA512
47427f39f83eabcfb10313ebc32daa02434e83d07a0f1863ea390f193cd001f7cffedc5f94a1797178fc58cfd1191cc84f5310fbc0dd786bb58a6b6bbcb935c8

Download Submit
\Users\Admin\AppData\Roaming\FileHunter\pumpa.exe

Filesize
505KB

MD5
6c264fe8e8f929a7c68be6bb544747d9

SHA1
bbf744de57c259acd8c39133ab5025048e55a703

SHA256
4a7161a3ecd83e14376f5a137f13eca9935ed29ddf294aea1be2976f00b7428e

SHA512
fb650a1676768fcbcc0634e8a02eeca7307c495ebd4b9dab7559b6b6746cd4400414381442b6deeb422d3d1ae2b4072e2c6d1d7ecee09ca67ae9f8bd997a305a

Download Submit
memory/2436-24-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download