422615c8d808550754675e825e1af240833928de9f8da026008b22ada2f16cd7

Reason

Machine shutdown

General

Target

0F8498114C7A081EE0630A00BA4DFF2E.exe
Size

782KB
MD5

8e2f08deaac5bddbb57f3c5d40ea8bd0
SHA1

be7842f6e42e7ec89285ef2c65f84952ffebdbd5
SHA256

59559873eaa5a5b25f029c6768a22d3e84b03b7467cc764ea5f081edc0bfeb58
SHA512

ac2e98db25f2a867383d47f77076b0133242f6492eab7578db557b8c56a57443525f8a57e76438462bc65d9d04a742ea646b1f1351d2970f29fa569debe3a200
SSDEEP

24576:3fLMW38ZStHH1tbAKovtn2X4nTFu8EG4W4:voJZ8HH1tPovtnc4TFcG4W4

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

0F8498114C7A081EE0630A00BA4DFF2E.exe

pid process

2536 0F8498114C7A081EE0630A00BA4DFF2E.exe

pid	process
2536	0F8498114C7A081EE0630A00BA4DFF2E.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Larvefdders = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Hyperite\\Skibsstningers.exe"	wab.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

2292 wab.exe
2292 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

0F8498114C7A081EE0630A00BA4DFF2E.exewab.exe

pid process

2536 0F8498114C7A081EE0630A00BA4DFF2E.exe
2292 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

0F8498114C7A081EE0630A00BA4DFF2E.exe

description pid process target process

PID 2536 set thread context of 2292 2536 0F8498114C7A081EE0630A00BA4DFF2E.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0F8498114C7A081EE0630A00BA4DFF2E.exe

pid process

2536 0F8498114C7A081EE0630A00BA4DFF2E.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

2292 wab.exe

pid	process
2292	wab.exe
2292	wab.exe

pid	process
2536	0F8498114C7A081EE0630A00BA4DFF2E.exe
2292	wab.exe

description	pid	process	target process
PID 2536 set thread context of 2292	2536	0F8498114C7A081EE0630A00BA4DFF2E.exe	wab.exe

pid	process
2536	0F8498114C7A081EE0630A00BA4DFF2E.exe

pid	process
2292	wab.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0F8498114C7A081EE0630A00BA4DFF2E.exe

description	pid	process	target process
PID 2536 wrote to memory of 2292	2536	0F8498114C7A081EE0630A00BA4DFF2E.exe	wab.exe
PID 2536 wrote to memory of 2292	2536	0F8498114C7A081EE0630A00BA4DFF2E.exe	wab.exe
PID 2536 wrote to memory of 2292	2536	0F8498114C7A081EE0630A00BA4DFF2E.exe	wab.exe
PID 2536 wrote to memory of 2292	2536	0F8498114C7A081EE0630A00BA4DFF2E.exe	wab.exe
PID 2536 wrote to memory of 2292	2536	0F8498114C7A081EE0630A00BA4DFF2E.exe	wab.exe
PID 2536 wrote to memory of 2292	2536	0F8498114C7A081EE0630A00BA4DFF2E.exe	wab.exe

C:\Users\Admin\AppData\Local\Temp\0F8498114C7A081EE0630A00BA4DFF2E.exe
"C:\Users\Admin\AppData\Local\Temp\0F8498114C7A081EE0630A00BA4DFF2E.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2536

C:\Program Files (x86)\windows mail\wab.exe
"C:\Users\Admin\AppData\Local\Temp\0F8498114C7A081EE0630A00BA4DFF2E.exe"
2⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1bb973ef3ba540915be432c464994668

SHA1
c720fd319ce4d02b2c0f78ec0759487a9a9310b1

SHA256
8fa35469603c0b0d1d5808cc7bbf128a7f07cb00a6928de1c347df4f50a12e98

SHA512
bd6390ea33e7089c83012b2fa696d7f04cfd5df60c16b39020e2bc32a58d103d5ba2692a487a06d3717b9760d1586a0932096a73a3df5510f07995b9193beed9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
e056f254293634998e3200c05dc91d96

SHA1
be07fa133aa776550c2777fed12bd9c4298a5b4b

SHA256
2bf00839c4918decd5fbf69eaa66ff2872d4c49ff7744506e030409342a1855e

SHA512
065798589e820a296c4cd6a663e9e61902da5ed00400520ce3caa67d9f6b9ae9f0bca08bb950358ae02cda0f7735bd4126e3ba8710a9ed8eca76b45ce28a7b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAC6A.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\nsiE16.tmp\System.dll
Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
memory/2292-170-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-152-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-21-0x0000000077576000-0x0000000077577000-memory.dmp

Filesize
4KB

Download
memory/2292-22-0x0000000077540000-0x0000000077616000-memory.dmp

Filesize
856KB

Download
memory/2292-143-0x0000000000A50000-0x00000000044EF000-memory.dmp

Filesize
58.6MB

Download
memory/2292-145-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-144-0x0000000077540000-0x0000000077616000-memory.dmp

Filesize
856KB

Download
memory/2292-146-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-147-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-148-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-149-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-150-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-151-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-173-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-153-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-154-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-155-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-156-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-157-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-158-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-159-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-160-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-161-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-163-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-164-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-165-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-166-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-167-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-168-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-169-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-174-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-171-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-177-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-20-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-19-0x0000000077350000-0x00000000774F9000-memory.dmp

Filesize
1.7MB

Download
memory/2292-175-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-176-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-172-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-178-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-179-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-180-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-181-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-182-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-183-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-184-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-186-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-185-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-187-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-188-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-189-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-190-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-191-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-192-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-193-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-194-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-195-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-196-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-197-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-198-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-199-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-200-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-203-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2292-204-0x00000000716C0000-0x0000000072722000-memory.dmp

Filesize
16.4MB

Download
memory/2536-16-0x0000000077350000-0x00000000774F9000-memory.dmp

Filesize
1.7MB

Download
memory/2536-17-0x0000000077540000-0x0000000077616000-memory.dmp

Filesize
856KB

Download
memory/2536-18-0x0000000074870000-0x0000000074877000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads