Analysis
- max time kernel: 120s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
- submitted: 19/03/2024, 21:29
Static task: static1
Behavioral task: behavioral1
- Sample: d728245cb26b2042faed87b3aca567b4.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: d728245cb26b2042faed87b3aca567b4.exe
- Resource: win10v2004-20240226-en
General
- Target: d728245cb26b2042faed87b3aca567b4.exe
- Size: 180KB
- MD5: d728245cb26b2042faed87b3aca567b4
- SHA1: 4d27bfa33015872590b0359cf0a4116dda2a4da6
- SHA256: 7de0b0c73a1ac68d139fcbf86a273063b492aee06c5413afc1daaf4766fbe607
- SHA512: 92bfbd7751378c5add6a37df12427e0876d0ab55e66e5842784836d2850e95399b8ef946845e62f14c75660bf1fb78637ccf1ded4137f49c1bdbb089e7a1de8b
- SSDEEP: 3072:GD4iRFGP+tbL8JsE8La7A+cga0ZjDY4Ryprng0bkyRz9kizAT5E4mQgH/1qN7Nnu:Ibns8L+A+na0ZjDLAg+HD/AdyhG5u
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  pid | Process
  488 | PSHope.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PSHope = "\"C:\\Program Files (x86)\\PSHope\\PSHope.exe\"" | d728245cb26b2042faed87b3aca567b4.exe
- Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\PSHope\PSHope.exe | d728245cb26b2042faed87b3aca567b4.exe
  File created | C:\Program Files (x86)\PSHope\Uninstall.exe | d728245cb26b2042faed87b3aca567b4.exe
  File opened for modification | C:\Program Files (x86)\PSHope\PSHope.exe | d728245cb26b2042faed87b3aca567b4.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  488 | PSHope.exe
  488 | PSHope.exe
  488 | PSHope.exe
  488 | PSHope.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1744 wrote to memory of 488 | 1744 | d728245cb26b2042faed87b3aca567b4.exe | 95
  PID 1744 wrote to memory of 488 | 1744 | d728245cb26b2042faed87b3aca567b4.exe | 95
  PID 1744 wrote to memory of 488 | 1744 | d728245cb26b2042faed87b3aca567b4.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\d728245cb26b2042faed87b3aca567b4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d728245cb26b2042faed87b3aca567b4.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1744
  - C:\Program Files (x86)\PSHope\PSHope.exe
    Command line: "C:\Program Files (x86)\PSHope\PSHope.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1792 --field-trial-handle=2228,i,521073434451423547,2311651514500527526,262144 --variations-seed-version /prefetch:8
  PID:1396
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 304KB
  MD5: c1d96f8c05c9b5747a63402ac392a078
  SHA1: b3fbddc8a8ac243f1172d128ee0c99ef8dfeee34
  SHA256: 073e4ebad311148fe601056caee94addcd5cfc393ff4d9aaa92e3887f7e6b183
  SHA512: 6013f064510878047539b6d7083de72d98a3dfff739200dcc050ced0060cc1e90bfae5282d9ed58b3b937a9f3e7c04605c9aecad252f5c1b3d729b44d12ebd75