Analysis
- max time kernel: 143s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-02-2024 03:29
Static task: static1
Behavioral task: behavioral1
- Sample: 85ce21f3dc8f10a0366bc670d42bbd67.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 85ce21f3dc8f10a0366bc670d42bbd67.exe
- Resource: win10v2004-20231215-en
General
- Target: 85ce21f3dc8f10a0366bc670d42bbd67.exe
- Size: 26KB
- MD5: 85ce21f3dc8f10a0366bc670d42bbd67
- SHA1: bd825287d79b3cb80756bcc3994143336a4aded7
- SHA256: 75ef989e2ae793212683181054955442bba047f350eb3e3b073155780688a16b
- SHA512: 96438d84b7745d719cadcdda629a6e9527cee80aa9839515939d016757a369b3c0012ee6aabb3c075e3278fefa12f98e110da769ce764f1b2b643ace131ada7d
- SSDEEP: 384:IyYk+GmqMCe1szkdQ8a5/EY+0OdAJO0lv1xBqIWUNVYzBSl2qMsv:Im+5qLe1szk+dEYU81X/4BSlSsv
Malware Config
Signatures

Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: hws.exe)

Executes dropped EXE (1 IoC)
- PID 1544, process: hws.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\hws = "C:\\Windows\\hws.exe" (process: 85ce21f3dc8f10a0366bc670d42bbd67.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hws = "C:\\Windows\\hws.exe" (process: 85ce21f3dc8f10a0366bc670d42bbd67.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\hws = "C:\\Windows\\hws.exe" (process: hws.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hws = "C:\\Windows\\hws.exe" (process: hws.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\url = "http://www.52011.com" (process: hws.exe)

Drops file in Windows directory (3 IoCs)
- File created C:\Windows\hws.exe (process: 85ce21f3dc8f10a0366bc670d42bbd67.exe)
- File opened for modification C:\Windows\hws.exe (process: 85ce21f3dc8f10a0366bc670d42bbd67.exe)
- File created C:\Windows\hws.exe (process: hws.exe)

Modifies Internet Explorer settings (4 IoCs)
- Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main (process: hws.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Ãâ·Ñ¿´µçÓ°http://www.52011.com" (process: hws.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main (process: hws.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window Title = "Ãâ·Ñ¿´µçÓ°http://www.52011.com" (process: hws.exe)
  (The "Ãâ·Ñ¿´µçÓ°" prefix is a GBK byte string shown as Latin-1 by the sandbox; decoded as GBK it reads "免费看电影".)

Modifies Internet Explorer start page (1 TTP, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.52011.com" (process: hws.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.52011.com" (process: hws.exe)

Suspicious behavior: EnumeratesProcesses (16 IoCs)
- PID 1544, process: hws.exe (16 identical events)

Suspicious use of WriteProcessMemory (3 IoCs)
- PID 3412 wrote to memory of 1544; process: 85ce21f3dc8f10a0366bc670d42bbd67.exe; procid_target: 86
- PID 3412 wrote to memory of 1544; process: 85ce21f3dc8f10a0366bc670d42bbd67.exe; procid_target: 86
- PID 3412 wrote to memory of 1544; process: 85ce21f3dc8f10a0366bc670d42bbd67.exe; procid_target: 86
Processes

1. "C:\Users\Admin\AppData\Local\Temp\85ce21f3dc8f10a0366bc670d42bbd67.exe" (PID 3412)
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\hws.exe (PID 1544), child of PID 3412
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 26KB
- MD5: 85ce21f3dc8f10a0366bc670d42bbd67
- SHA1: bd825287d79b3cb80756bcc3994143336a4aded7
- SHA256: 75ef989e2ae793212683181054955442bba047f350eb3e3b073155780688a16b
- SHA512: 96438d84b7745d719cadcdda629a6e9527cee80aa9839515939d016757a369b3c0012ee6aabb3c075e3278fefa12f98e110da769ce764f1b2b643ace131ada7d