Overview
overview
3Static
static
1x64/ProcessHacker.exe
windows10-2004-x64
1x64/ProcessHacker.sig
windows10-2004-x64
3x64/kproce...er.sys
windows10-2004-x64
1x64/peview.exe
windows10-2004-x64
3x64/plugin...ls.dll
windows10-2004-x64
1x64/plugin...ns.dll
windows10-2004-x64
1x64/plugin...es.dll
windows10-2004-x64
1x64/plugin...ls.dll
windows10-2004-x64
1x64/plugin...es.dll
windows10-2004-x64
1x64/plugin...ls.dll
windows10-2004-x64
1x64/plugin...ks.dll
windows10-2004-x64
1x64/plugin...rt.dll
windows10-2004-x64
1x64/plugin...us.dll
windows10-2004-x64
1x64/plugin...er.dll
windows10-2004-x64
1x64/plugin...es.dll
windows10-2004-x64
1x64/plugin...er.dll
windows10-2004-x64
1x86/ProcessHacker.exe
windows10-2004-x64
1x86/ProcessHacker.sig
windows10-2004-x64
3x86/kproce...er.sys
windows10-2004-x64
1x86/peview.exe
windows10-2004-x64
3x86/plugin...ls.dll
windows10-2004-x64
1x86/plugin...ns.dll
windows10-2004-x64
1x86/plugin...es.dll
windows10-2004-x64
1x86/plugin...ls.dll
windows10-2004-x64
1x86/plugin...es.dll
windows10-2004-x64
1x86/plugin...ls.dll
windows10-2004-x64
1x86/plugin...ks.dll
windows10-2004-x64
1x86/plugin...rt.dll
windows10-2004-x64
1x86/plugin...us.dll
windows10-2004-x64
1x86/plugin...er.dll
windows10-2004-x64
1x86/plugin...es.dll
windows10-2004-x64
1x86/plugin...er.dll
windows10-2004-x64
1Analysis
-
max time kernel
1799s -
max time network
1486s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
11-02-2024 15:36
Static task
static1
Behavioral task
behavioral1
Sample
x64/ProcessHacker.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
x64/ProcessHacker.sig
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
x64/kprocesshacker.sys
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
x64/peview.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
x64/plugins/DotNetTools.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
x64/plugins/ExtendedNotifications.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
x64/plugins/ExtendedServices.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
x64/plugins/ExtendedTools.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
x64/plugins/HardwareDevices.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
x64/plugins/NetworkTools.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
x64/plugins/OnlineChecks.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
x64/plugins/SbieSupport.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
x64/plugins/ToolStatus.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
x64/plugins/Updater.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
x64/plugins/UserNotes.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
x64/plugins/WindowExplorer.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
x86/ProcessHacker.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
x86/ProcessHacker.sig
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
x86/kprocesshacker.sys
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
x86/peview.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
x86/plugins/DotNetTools.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
x86/plugins/ExtendedNotifications.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
x86/plugins/ExtendedServices.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
x86/plugins/ExtendedTools.dll
Resource
win10v2004-20231222-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
x86/plugins/HardwareDevices.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
x86/plugins/NetworkTools.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
x86/plugins/OnlineChecks.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
x86/plugins/SbieSupport.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
x86/plugins/ToolStatus.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
x86/plugins/Updater.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
x86/plugins/UserNotes.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
x86/plugins/WindowExplorer.dll
Resource
win10v2004-20231215-en
windows10-2004-x64
General
-
Target
x86/ProcessHacker.exe
-
Size
1.4MB
-
MD5
68f9b52895f4d34e74112f3129b3b00d
-
SHA1
c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e
-
SHA256
d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f
-
SHA512
1cd875f9d0301b14645ea608fe61560a229ee395fa061f32675c3d84e41916998f887278d8497a5e875be22ba8fcbcfcbd878a5e2ed1746dc75430b7aed5fede
-
SSDEEP
24576:fsmjNvgp+pxECAucO9iWFT0z7rLuUhFP3MGX:PFgpAiIiWdzUz35X
Malware Config
Signatures
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ProcessHacker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz ProcessHacker.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a ProcessHacker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 ProcessHacker.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a ProcessHacker.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 568 ProcessHacker.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeDebugPrivilege 568 ProcessHacker.exe Token: SeIncBasePriorityPrivilege 568 ProcessHacker.exe Token: 33 568 ProcessHacker.exe Token: SeLoadDriverPrivilege 568 ProcessHacker.exe Token: SeProfSingleProcessPrivilege 568 ProcessHacker.exe Token: SeRestorePrivilege 568 ProcessHacker.exe Token: SeShutdownPrivilege 568 ProcessHacker.exe Token: SeTakeOwnershipPrivilege 568 ProcessHacker.exe Token: SeManageVolumePrivilege 4296 svchost.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe 568 ProcessHacker.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\x86\ProcessHacker.exe"C:\Users\Admin\AppData\Local\Temp\x86\ProcessHacker.exe"1⤵
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:568
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:4468
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4296
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD55673e26152c91309372aa38acfe6c763
SHA1c406a4c1092e88220a74cc55bed179d5f7a32735
SHA2562025876cea973165dab4a816544185c25c08bd540523d78dfdd379f96ed6bcd3
SHA5122d6328bb217f7592685827e31737641d828292105e4f2a79bd8d6ba3dd95eadad8112614262ebc024be7f53ac7af9a4a5e8c571dc550955d327949b5ffc3f7f5