e22bda91d9a3fc82656d1c67c1f76b2291c3634e3759f701cd09b192d10970d6

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 12:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

971b2fc3e80f49f11f6450d19328c19f.exe
Size

572KB
MD5

971b2fc3e80f49f11f6450d19328c19f
SHA1

9f3357b0b3a56c65e0acc1f1654c209bfb5cb122
SHA256

e22bda91d9a3fc82656d1c67c1f76b2291c3634e3759f701cd09b192d10970d6
SHA512

527a23236cf122fba637d5c777a20e5f61218c5b68ed63f8e1d315ad6b283747c5b173c0e28a6ec627cfd8fbad4c51a86a0161d3ac465c8670e9d3b69082adf0
SSDEEP

12288:XwQutTwfZG/tc+CWbbf15Grtjcw2VTmmM3GCy5s8ntUl:A/tTmZG/eDWbxkjcw2VTw3GnK80

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2692	huzi.exe

Loads dropped DLL 2 IoCs

pid	Process
2548	cmd.exe
2548	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c00000001220d-26.dat	upx
behavioral1/memory/2692-32-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/2692-50-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dbg.kml	huzi.exe
File created	C:\Windows\SysWOW64\rasadhlp_.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\rasadhlp_.dll	rundll32.exe
File created	C:\Windows\SysWOW64\rasadhlp.dll	rundll32.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	rundll32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\dc.tmp	huzi.exe
File created	C:\Windows\dc.tmp1	huzi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2480	2492	WerFault.exe	35

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2492	rundll32.exe
2492	rundll32.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2548	2996	971b2fc3e80f49f11f6450d19328c19f.exe	28
PID 2996 wrote to memory of 2548	2996	971b2fc3e80f49f11f6450d19328c19f.exe	28
PID 2996 wrote to memory of 2548	2996	971b2fc3e80f49f11f6450d19328c19f.exe	28
PID 2996 wrote to memory of 2548	2996	971b2fc3e80f49f11f6450d19328c19f.exe	28
PID 2996 wrote to memory of 1704	2996	971b2fc3e80f49f11f6450d19328c19f.exe	30
PID 2996 wrote to memory of 1704	2996	971b2fc3e80f49f11f6450d19328c19f.exe	30
PID 2996 wrote to memory of 1704	2996	971b2fc3e80f49f11f6450d19328c19f.exe	30
PID 2996 wrote to memory of 1704	2996	971b2fc3e80f49f11f6450d19328c19f.exe	30
PID 2548 wrote to memory of 2692	2548	cmd.exe	32
PID 2548 wrote to memory of 2692	2548	cmd.exe	32
PID 2548 wrote to memory of 2692	2548	cmd.exe	32
PID 2548 wrote to memory of 2692	2548	cmd.exe	32
PID 2692 wrote to memory of 2476	2692	huzi.exe	34
PID 2692 wrote to memory of 2476	2692	huzi.exe	34
PID 2692 wrote to memory of 2476	2692	huzi.exe	34
PID 2692 wrote to memory of 2476	2692	huzi.exe	34
PID 2476 wrote to memory of 2492	2476	cmd.exe	35
PID 2476 wrote to memory of 2492	2476	cmd.exe	35
PID 2476 wrote to memory of 2492	2476	cmd.exe	35
PID 2476 wrote to memory of 2492	2476	cmd.exe	35
PID 2476 wrote to memory of 2492	2476	cmd.exe	35
PID 2476 wrote to memory of 2492	2476	cmd.exe	35
PID 2476 wrote to memory of 2492	2476	cmd.exe	35
PID 2492 wrote to memory of 2480	2492	rundll32.exe	36
PID 2492 wrote to memory of 2480	2492	rundll32.exe	36
PID 2492 wrote to memory of 2480	2492	rundll32.exe	36
PID 2492 wrote to memory of 2480	2492	rundll32.exe	36

C:\Users\Admin\AppData\Local\Temp\971b2fc3e80f49f11f6450d19328c19f.exe
"C:\Users\Admin\AppData\Local\Temp\971b2fc3e80f49f11f6450d19328c19f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp\huzi.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\Temp\huzi.exe
    C:\Users\Admin\AppData\Local\Temp\Temp\huzi.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c rundll32.exe C:\Windows\dc.tmp1 Run C:\Users\Admin\AppData\Local\Temp\Temp\huzi.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\dc.tmp1 Run C:\Users\Admin\AppData\Local\Temp\Temp\huzi.exe
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2492
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 240
        6⤵
        Program crash
        
        PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\Temp\¶á±¦´«ÊÀÍõÕßÍâ¹ÒÍÑ»ú°æ1.00.exe.bat" "
  2⤵
  PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp\huzi.exe

Filesize
17KB

MD5
baba3076ac741ad7272e8657ad3ad2f5

SHA1
68af9af71e16f21019a1245ec8f6369349001ebe

SHA256
0f973ff7812c7dfc1b1830b44509437ce73f4952db37105cf5eeef8f477f3620

SHA512
d6eaa0f8677913a09c39bb4e44ab97ff577b90f62895472e636859a07d1b909a03eca73efe64c160a3821895ac51fe8c074972ba04b3b42f7996b1adedcf227e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\huzi.exe.bat

Filesize
152B

MD5
3505c9f59bf46941b358bdb45e19a540

SHA1
4ae610d356e896994cf5fc18d19e9a5e0a78a5e9

SHA256
2e92365528dcb5cb2616321701cce172bd5f2d5ebbb800a9643fa735198ca619

SHA512
a4c08d2279d9d70506811d491c2b574808f95b8787a0c1ab50611f041030550948dbe31cf4ec5dce99eed435fc3da6831a0ef6f7af43112bd9f251abcf5aebf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp\¶á±¦´«ÊÀÍõÕßÍâ¹ÒÍÑ»ú°æ1.00.exe.bat

Filesize
154B

MD5
7c3d2ae37c3b90d1ed2172c96359c711

SHA1
f3cc83a6b57944213608fca3020ace13d6dcdcad

SHA256
2e2b3b3dff9b163f4346195e768e78967ae98749274bb433f420911eb36a9f93

SHA512
0563bd4afe139cdd610a3df1fdd9d2b9ae5cc475e956513fa07543d25b1c77a8f17dd6104e0b9835f6646d6aeaeb21fca7b11e257c56bf1d95b4899112e04d1a

Download Submit
C:\Windows\dc.tmp1

Filesize
40KB

MD5
0713c6e28b6d7f2e7aef2f35a96d8035

SHA1
b0f129b655927ff1927b16e9a47c728e0e544529

SHA256
4f7b6f6f24d48142b135b4b85d8fe24f44923d1b02c26d6094827cc14b236414

SHA512
69a99a65ac02d151583e635fb48ad5830ba754d64e8f26a37b9fe0807e073bbccac238aaf9801fccad81c74f81bfdc169e26e05aeca00c92ef8bf4153c1dc902

Download Submit
memory/1704-40-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/2692-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2692-50-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download