08d215fd35494280e6397e8bc527bd6de64eb78a73acd3bd07a01da376ed4cb7

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hulu.exe
Size

1.4MB
MD5

64be5264f3a58325446865be38c05b34
SHA1

fdbad9468075747a4999b7b30fa7cb7b60fdcb4e
SHA256

561a8b830e902a0ba18457a0aa8db8a8c663de8ee33e6009f236cedff00f8cbb
SHA512

d48fac03082d1f12cf1d175978f64e9d2df467828601b34474c77bf139c6c0dae5002ad2f1e106c46e6fb6c4ef8083e011931a74dd0adcbb0a43cdeae16cd0d0
SSDEEP

24576:Z53uhF9SQLLqzkUQrRjlOYvsiEP+tsDirDlmLrgH4tN96yk8ISOm1w+p6njCph5r:Z5+hFsQLLqAllIqsDirDlAOUw+4852Y

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GRyYpiVyQV.url	Custodiva.exe.com

Executes dropped EXE 3 IoCs

pid	Process
2684	Custodiva.exe.com
2156	Custodiva.exe.com
1952	RegAsm.exe

Loads dropped DLL 3 IoCs

pid	Process
2376	cmd.exe
2156	Custodiva.exe.com
1952	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 1952	2156	Custodiva.exe.com	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2560	PING.EXE

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2380	2336	Hulu.exe	28
PID 2336 wrote to memory of 2380	2336	Hulu.exe	28
PID 2336 wrote to memory of 2380	2336	Hulu.exe	28
PID 2336 wrote to memory of 2380	2336	Hulu.exe	28
PID 2336 wrote to memory of 2860	2336	Hulu.exe	30
PID 2336 wrote to memory of 2860	2336	Hulu.exe	30
PID 2336 wrote to memory of 2860	2336	Hulu.exe	30
PID 2336 wrote to memory of 2860	2336	Hulu.exe	30
PID 2860 wrote to memory of 2376	2860	cmd.exe	32
PID 2860 wrote to memory of 2376	2860	cmd.exe	32
PID 2860 wrote to memory of 2376	2860	cmd.exe	32
PID 2860 wrote to memory of 2376	2860	cmd.exe	32
PID 2376 wrote to memory of 2692	2376	cmd.exe	33
PID 2376 wrote to memory of 2692	2376	cmd.exe	33
PID 2376 wrote to memory of 2692	2376	cmd.exe	33
PID 2376 wrote to memory of 2692	2376	cmd.exe	33
PID 2376 wrote to memory of 2684	2376	cmd.exe	34
PID 2376 wrote to memory of 2684	2376	cmd.exe	34
PID 2376 wrote to memory of 2684	2376	cmd.exe	34
PID 2376 wrote to memory of 2684	2376	cmd.exe	34
PID 2376 wrote to memory of 2560	2376	cmd.exe	35
PID 2376 wrote to memory of 2560	2376	cmd.exe	35
PID 2376 wrote to memory of 2560	2376	cmd.exe	35
PID 2376 wrote to memory of 2560	2376	cmd.exe	35
PID 2684 wrote to memory of 2156	2684	Custodiva.exe.com	36
PID 2684 wrote to memory of 2156	2684	Custodiva.exe.com	36
PID 2684 wrote to memory of 2156	2684	Custodiva.exe.com	36
PID 2684 wrote to memory of 2156	2684	Custodiva.exe.com	36
PID 2156 wrote to memory of 1952	2156	Custodiva.exe.com	37
PID 2156 wrote to memory of 1952	2156	Custodiva.exe.com	37
PID 2156 wrote to memory of 1952	2156	Custodiva.exe.com	37
PID 2156 wrote to memory of 1952	2156	Custodiva.exe.com	37
PID 2156 wrote to memory of 1952	2156	Custodiva.exe.com	37
PID 2156 wrote to memory of 1952	2156	Custodiva.exe.com	37
PID 2156 wrote to memory of 1952	2156	Custodiva.exe.com	37
PID 2156 wrote to memory of 1952	2156	Custodiva.exe.com	37
PID 2156 wrote to memory of 1952	2156	Custodiva.exe.com	37

C:\Users\Admin\AppData\Local\Temp\Hulu.exe
"C:\Users\Admin\AppData\Local\Temp\Hulu.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo xlEPMOAZC
  2⤵
  PID:2380
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Strazii.xlsm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^unowfSGqElRNjSdIsHGXTopdtGkBtbAqMZrTUgLOVVaETGrALikdphrYfSXIHyWiJRqhPbOeWSeXPEbbDKPWjlRmWyDwsruPYkUwFPLgzoxdlypLcmyWfqVmqBsKTMLSLjYEJcRNZBDrPAgQW$" Nel.xlm
      4⤵
      PID:2692
  - - C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\Custodiva.exe.com
      Custodiva.exe.com x
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\Custodiva.exe.com
        
        C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\Custodiva.exe.com x
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2156
      - C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\RegAsm.exe
        
        C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\RegAsm.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1952
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      Runs ping.exe
      PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ZQRUckiycX\GRyYpiVyQV.com

Filesize
640KB

MD5
0f9e52647c9bca86271dd1f083d1aff0

SHA1
491929a693d3bff3fce9bdcbd9519abb55a48380

SHA256
0388659a1b9a41958aada46b63ab4450448b1bdf43720bbf11518ba733abed6a

SHA512
24cbdfad928525f492f1d261efff1f98f2c011fdabdb6a542cb8d8400f465ae007a712daa6cd3fec5350f2a2a56229d81912070c8f4cfbc1325dfab8472a964a

Download Submit
C:\Users\Admin\AppData\Roaming\ZQRUckiycX\uEwZHsXOv

Filesize
702KB

MD5
f2d508021b63441816dd8849967507dc

SHA1
81da738bddba26c9e093a1d482056dc8859a59bb

SHA256
6122ba2d70f52023eacd0ad77b0cf5a417384e8ae0fa06192c41adea3901f9cd

SHA512
15d7f12e1ba7eee5466407ef5a9ca0ba65a03046534424abff2dea99a3e52e1eac05a97f9e90ade89f174711197134f0287d52afcbd7106f059c905c07367781

Download Submit
C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\Hai.adts

Filesize
1.1MB

MD5
c40aedf42a2a6ac7180faf758d9226d3

SHA1
b2b08f15c7a44ced41c6bd5b4e6ad7633f52c232

SHA256
16c8eba47d5fe03f6b585167bb6fca9c1a84a5d1d618856cf276928023db9c91

SHA512
a461c75a6f66af825e90c0dd26a019ed2c52828365bed405cdb8c2c57a910b0d4213107793074539a9acc25369ab51091f55d75120b7416ae3eb72d454db2e36

Download Submit
C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\Nel.xlm

Filesize
921KB

MD5
b85b38b10451939fc1854101c956bdf2

SHA1
6dc475a8af192ce80c21375a5437ebf551e26302

SHA256
b3ab31be73fa197a1f5b481642a8516d0a35dfff16b8fad828819af51a6263ff

SHA512
127304b38576d66c8bfa111d9ec6edd5fe6c886132d772586d68745580072a0c39a23100652293bc181a10b04466af3651ec00c7b8f6dcf0a6495be441f7e0bc

Download Submit
C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\Sofferenza.pdf

Filesize
293KB

MD5
ceb6206dda91fc75b5b14fe0c9e250ce

SHA1
9580b353c97d26cbd9a457d86cdda0ff7c2bbd3e

SHA256
9fe0fecab9769c4fa65ee5a7bf666e260e227cf66778bd70e16e7279d05af2c9

SHA512
dc16452cbd96c2692e211587f097e0897a02cfd30a60b53f12038be609dc68aed12d56646f2aba147866a723ea3fb52871f0a5baa68b453487906bb910d7d53b

Download Submit
C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\Strazii.xlsm

Filesize
115KB

MD5
3d8bd8c68f1a36d9a6b4d9763fb3fd6e

SHA1
c16b2ee9471188ac135c7d4546fe4c47001e3e3c

SHA256
23603f51bfe4e2dd093fffb07d07e7cddac50affdfc6359903b03d53e282f0f1

SHA512
ab65dc9d786f0e9520ff500c3d00ca8f872b10bc777ea2d4dc9765dd63bf693f1ba16de2f7a186dd1ffb6e314ef23558040ae62d0956b4f80c8aa74ed2399579

Download Submit
\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\Custodiva.exe.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/1952-33-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/1952-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1952-36-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/1952-37-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/1952-31-0x0000000000250000-0x00000000002A0000-memory.dmp

Filesize
320KB

Download
memory/2156-29-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download