00778aea6b9734fe33df6d55a97cd93c69841865cc8afd573ca7f2c1b47e1d67

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00778aea6b9734fe33df6d55a97cd93c69841865cc8afd573ca7f2c1b47e1d67.exe
Size

66KB
MD5

7f806bf9f0fb536f63aed0497819199c
SHA1

02c95f576bcebe91a6f5bb1229a033eecd4fc53f
SHA256

00778aea6b9734fe33df6d55a97cd93c69841865cc8afd573ca7f2c1b47e1d67
SHA512

910b9c40dc3978f5bf5e35f32cb0ef53322667822e3c8e61445d566cdbc17aaf5913d02735dc6b88edc83bb54bff0bd970a15522fe87bb3e3b7d3d8b8073349e
SSDEEP

1536:mUL/o7EjR2I0WtdgI2MyzNORQtOflIwoHNV2XBFV72BOlA7ZsryrEgxSj:mq/5jMIPtdgI2MyzNORQtOflIwoHNV2H

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2860	ghyte.exe

Loads dropped DLL 1 IoCs

pid	Process
2924	00778aea6b9734fe33df6d55a97cd93c69841865cc8afd573ca7f2c1b47e1d67.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2924	00778aea6b9734fe33df6d55a97cd93c69841865cc8afd573ca7f2c1b47e1d67.exe
2860	ghyte.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2860	2924	00778aea6b9734fe33df6d55a97cd93c69841865cc8afd573ca7f2c1b47e1d67.exe	28
PID 2924 wrote to memory of 2860	2924	00778aea6b9734fe33df6d55a97cd93c69841865cc8afd573ca7f2c1b47e1d67.exe	28
PID 2924 wrote to memory of 2860	2924	00778aea6b9734fe33df6d55a97cd93c69841865cc8afd573ca7f2c1b47e1d67.exe	28
PID 2924 wrote to memory of 2860	2924	00778aea6b9734fe33df6d55a97cd93c69841865cc8afd573ca7f2c1b47e1d67.exe	28

C:\Users\Admin\AppData\Local\Temp\00778aea6b9734fe33df6d55a97cd93c69841865cc8afd573ca7f2c1b47e1d67.exe
"C:\Users\Admin\AppData\Local\Temp\00778aea6b9734fe33df6d55a97cd93c69841865cc8afd573ca7f2c1b47e1d67.exe"
1⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\ghyte.exe
  "C:\Users\Admin\AppData\Local\Temp\ghyte.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ghyte.exe

Filesize
67KB

MD5
b7b976b8ab453c7ba739f1b32994e533

SHA1
6263179264aeca037ccf16b364c0386e3a857773

SHA256
673d82d2eb73fbf244e823b5f9176378536f52c16a69a1b2239006fde3d9c86d

SHA512
f4b94335a7f7520b5ead86b802e56e912593002c01a37a71dad377d0348c792a2461bf7e7a78a1563819c31a953707b94eb7ec16a486bd62e3ce779c52d22854

Download Submit
memory/2860-23-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2924-0-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/2924-1-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2924-8-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download