7de0b0c73a1ac68d139fcbf86a273063b492aee06c5413afc1daaf4766fbe607

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d728245cb26b2042faed87b3aca567b4.exe
Size

180KB
MD5

d728245cb26b2042faed87b3aca567b4
SHA1

4d27bfa33015872590b0359cf0a4116dda2a4da6
SHA256

7de0b0c73a1ac68d139fcbf86a273063b492aee06c5413afc1daaf4766fbe607
SHA512

92bfbd7751378c5add6a37df12427e0876d0ab55e66e5842784836d2850e95399b8ef946845e62f14c75660bf1fb78637ccf1ded4137f49c1bdbb089e7a1de8b
SSDEEP

3072:GD4iRFGP+tbL8JsE8La7A+cga0ZjDY4Ryprng0bkyRz9kizAT5E4mQgH/1qN7Nnu:Ibns8L+A+na0ZjDLAg+HD/AdyhG5u

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2100	PSHope.exe

Loads dropped DLL 5 IoCs

pid	Process
3068	d728245cb26b2042faed87b3aca567b4.exe
3068	d728245cb26b2042faed87b3aca567b4.exe
2100	PSHope.exe
2100	PSHope.exe
2100	PSHope.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\PSHope = "\"C:\\Program Files (x86)\\PSHope\\PSHope.exe\""	d728245cb26b2042faed87b3aca567b4.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\PSHope\PSHope.exe	d728245cb26b2042faed87b3aca567b4.exe
File created	C:\Program Files (x86)\PSHope\PSHope.exe	d728245cb26b2042faed87b3aca567b4.exe
File created	C:\Program Files (x86)\PSHope\Uninstall.exe	d728245cb26b2042faed87b3aca567b4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	3068	d728245cb26b2042faed87b3aca567b4.exe
Token: SeBackupPrivilege	3068	d728245cb26b2042faed87b3aca567b4.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2100	PSHope.exe
2100	PSHope.exe
2100	PSHope.exe
2100	PSHope.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2100	3068	d728245cb26b2042faed87b3aca567b4.exe	28
PID 3068 wrote to memory of 2100	3068	d728245cb26b2042faed87b3aca567b4.exe	28
PID 3068 wrote to memory of 2100	3068	d728245cb26b2042faed87b3aca567b4.exe	28
PID 3068 wrote to memory of 2100	3068	d728245cb26b2042faed87b3aca567b4.exe	28
PID 3068 wrote to memory of 2100	3068	d728245cb26b2042faed87b3aca567b4.exe	28
PID 3068 wrote to memory of 2100	3068	d728245cb26b2042faed87b3aca567b4.exe	28
PID 3068 wrote to memory of 2100	3068	d728245cb26b2042faed87b3aca567b4.exe	28

C:\Users\Admin\AppData\Local\Temp\d728245cb26b2042faed87b3aca567b4.exe
"C:\Users\Admin\AppData\Local\Temp\d728245cb26b2042faed87b3aca567b4.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Program Files (x86)\PSHope\PSHope.exe
  "C:\Program Files (x86)\PSHope\PSHope.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\PSHope\PSHope.exe

Filesize
304KB

MD5
c1d96f8c05c9b5747a63402ac392a078

SHA1
b3fbddc8a8ac243f1172d128ee0c99ef8dfeee34

SHA256
073e4ebad311148fe601056caee94addcd5cfc393ff4d9aaa92e3887f7e6b183

SHA512
6013f064510878047539b6d7083de72d98a3dfff739200dcc050ced0060cc1e90bfae5282d9ed58b3b937a9f3e7c04605c9aecad252f5c1b3d729b44d12ebd75

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads