08d215fd35494280e6397e8bc527bd6de64eb78a73acd3bd07a01da376ed4cb7

Analysis

max time kernel
135s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hulu.exe
Size

1.4MB
MD5

64be5264f3a58325446865be38c05b34
SHA1

fdbad9468075747a4999b7b30fa7cb7b60fdcb4e
SHA256

561a8b830e902a0ba18457a0aa8db8a8c663de8ee33e6009f236cedff00f8cbb
SHA512

d48fac03082d1f12cf1d175978f64e9d2df467828601b34474c77bf139c6c0dae5002ad2f1e106c46e6fb6c4ef8083e011931a74dd0adcbb0a43cdeae16cd0d0
SSDEEP

24576:Z53uhF9SQLLqzkUQrRjlOYvsiEP+tsDirDlmLrgH4tN96yk8ISOm1w+p6njCph5r:Z5+hFsQLLqAllIqsDirDlAOUw+4852Y

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Hulu.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation Hulu.exe
Drops startup file 1 IoCs

Processes:

Custodiva.exe.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GRyYpiVyQV.url Custodiva.exe.com
Executes dropped EXE 3 IoCs

Processes:

Custodiva.exe.comCustodiva.exe.comRegAsm.exe

pid process

5088 Custodiva.exe.com
3736 Custodiva.exe.com
2964 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Custodiva.exe.com

description pid process target process

PID 3736 set thread context of 2964 3736 Custodiva.exe.com RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2852 PING.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Hulu.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GRyYpiVyQV.url	Custodiva.exe.com

pid	process
5088	Custodiva.exe.com
3736	Custodiva.exe.com
2964	RegAsm.exe

description	pid	process	target process
PID 3736 set thread context of 2964	3736	Custodiva.exe.com	RegAsm.exe

pid	process
2852	PING.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Hulu.execmd.execmd.exeCustodiva.exe.comCustodiva.exe.com

description	pid	process	target process
PID 5060 wrote to memory of 3576	5060	Hulu.exe	cmd.exe
PID 5060 wrote to memory of 3576	5060	Hulu.exe	cmd.exe
PID 5060 wrote to memory of 3576	5060	Hulu.exe	cmd.exe
PID 5060 wrote to memory of 5048	5060	Hulu.exe	cmd.exe
PID 5060 wrote to memory of 5048	5060	Hulu.exe	cmd.exe
PID 5060 wrote to memory of 5048	5060	Hulu.exe	cmd.exe
PID 5048 wrote to memory of 3288	5048	cmd.exe	cmd.exe
PID 5048 wrote to memory of 3288	5048	cmd.exe	cmd.exe
PID 5048 wrote to memory of 3288	5048	cmd.exe	cmd.exe
PID 3288 wrote to memory of 4112	3288	cmd.exe	findstr.exe
PID 3288 wrote to memory of 4112	3288	cmd.exe	findstr.exe
PID 3288 wrote to memory of 4112	3288	cmd.exe	findstr.exe
PID 3288 wrote to memory of 5088	3288	cmd.exe	Custodiva.exe.com
PID 3288 wrote to memory of 5088	3288	cmd.exe	Custodiva.exe.com
PID 3288 wrote to memory of 5088	3288	cmd.exe	Custodiva.exe.com
PID 3288 wrote to memory of 2852	3288	cmd.exe	PING.EXE
PID 3288 wrote to memory of 2852	3288	cmd.exe	PING.EXE
PID 3288 wrote to memory of 2852	3288	cmd.exe	PING.EXE
PID 5088 wrote to memory of 3736	5088	Custodiva.exe.com	Custodiva.exe.com
PID 5088 wrote to memory of 3736	5088	Custodiva.exe.com	Custodiva.exe.com
PID 5088 wrote to memory of 3736	5088	Custodiva.exe.com	Custodiva.exe.com
PID 3736 wrote to memory of 2964	3736	Custodiva.exe.com	RegAsm.exe
PID 3736 wrote to memory of 2964	3736	Custodiva.exe.com	RegAsm.exe
PID 3736 wrote to memory of 2964	3736	Custodiva.exe.com	RegAsm.exe
PID 3736 wrote to memory of 2964	3736	Custodiva.exe.com	RegAsm.exe
PID 3736 wrote to memory of 2964	3736	Custodiva.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Hulu.exe
"C:\Users\Admin\AppData\Local\Temp\Hulu.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo xlEPMOAZC
2⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Strazii.xlsm
2⤵
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^unowfSGqElRNjSdIsHGXTopdtGkBtbAqMZrTUgLOVVaETGrALikdphrYfSXIHyWiJRqhPbOeWSeXPEbbDKPWjlRmWyDwsruPYkUwFPLgzoxdlypLcmyWfqVmqBsKTMLSLjYEJcRNZBDrPAgQW$" Nel.xlm
4⤵
PID:4112

C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\Custodiva.exe.com
Custodiva.exe.com x
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088

C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\Custodiva.exe.com
C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\Custodiva.exe.com x
5⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3736

C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\RegAsm.exe
C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\RegAsm.exe
6⤵
- Executes dropped EXE
PID:2964

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:2852

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ZQRUckiycX\uEwZHsXOv
Filesize
1.1MB

MD5
97b0b795b4381a5615d947d06a57863f

SHA1
6aba8233ad08025999eefeaf2b3ef1c2b87d5b43

SHA256
388c88469163fa5c5203f2220eb2ab33657a70f6e54b31c892f08c41e6b655da

SHA512
462e0f05192741a6f0a74fabd3e3980e05639131e7885f4e4ec07f35c23907ea5771f2148a5845adb46779b179cc095a00dc610f0c8fd297ecc0901c02bccef4

Download Submit
C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\Custodiva.exe.com
Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\Hai.adts
Filesize
1.1MB

MD5
c40aedf42a2a6ac7180faf758d9226d3

SHA1
b2b08f15c7a44ced41c6bd5b4e6ad7633f52c232

SHA256
16c8eba47d5fe03f6b585167bb6fca9c1a84a5d1d618856cf276928023db9c91

SHA512
a461c75a6f66af825e90c0dd26a019ed2c52828365bed405cdb8c2c57a910b0d4213107793074539a9acc25369ab51091f55d75120b7416ae3eb72d454db2e36

Download Submit
C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\Nel.xlm
Filesize
921KB

MD5
b85b38b10451939fc1854101c956bdf2

SHA1
6dc475a8af192ce80c21375a5437ebf551e26302

SHA256
b3ab31be73fa197a1f5b481642a8516d0a35dfff16b8fad828819af51a6263ff

SHA512
127304b38576d66c8bfa111d9ec6edd5fe6c886132d772586d68745580072a0c39a23100652293bc181a10b04466af3651ec00c7b8f6dcf0a6495be441f7e0bc

Download Submit
C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\RegAsm.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\Sofferenza.pdf
Filesize
293KB

MD5
ceb6206dda91fc75b5b14fe0c9e250ce

SHA1
9580b353c97d26cbd9a457d86cdda0ff7c2bbd3e

SHA256
9fe0fecab9769c4fa65ee5a7bf666e260e227cf66778bd70e16e7279d05af2c9

SHA512
dc16452cbd96c2692e211587f097e0897a02cfd30a60b53f12038be609dc68aed12d56646f2aba147866a723ea3fb52871f0a5baa68b453487906bb910d7d53b

Download Submit
C:\Users\Admin\AppData\Roaming\rzVBBfiLGjYqEZEI\Strazii.xlsm
Filesize
115KB

MD5
3d8bd8c68f1a36d9a6b4d9763fb3fd6e

SHA1
c16b2ee9471188ac135c7d4546fe4c47001e3e3c

SHA256
23603f51bfe4e2dd093fffb07d07e7cddac50affdfc6359903b03d53e282f0f1

SHA512
ab65dc9d786f0e9520ff500c3d00ca8f872b10bc777ea2d4dc9765dd63bf693f1ba16de2f7a186dd1ffb6e314ef23558040ae62d0956b4f80c8aa74ed2399579

Download Submit
memory/2964-31-0x0000000072F60000-0x0000000073710000-memory.dmp

Filesize
7.7MB

Download
memory/2964-27-0x0000000000DA0000-0x0000000000DF0000-memory.dmp

Filesize
320KB

Download
memory/2964-32-0x0000000005D80000-0x0000000006324000-memory.dmp

Filesize
5.6MB

Download
memory/2964-33-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/2964-39-0x0000000005A40000-0x0000000005C02000-memory.dmp

Filesize
1.8MB

Download
memory/2964-40-0x0000000005870000-0x00000000058E6000-memory.dmp

Filesize
472KB

Download
memory/2964-41-0x00000000030A0000-0x00000000030B0000-memory.dmp

Filesize
64KB

Download
memory/2964-42-0x0000000072F60000-0x0000000073710000-memory.dmp

Filesize
7.7MB

Download
memory/2964-43-0x00000000030A0000-0x00000000030B0000-memory.dmp

Filesize
64KB

Download
memory/3736-25-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download