Analysis

  • max time kernel: 120s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 02/06/2024, 01:39

General

  • Target: b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe
  • Size: 72KB
  • MD5: 22131c8f5aa2359437f1d2ff46e1b77f
  • SHA1: 387fe8d9cce803ab25b9f900c39f0e4bb6045143
  • SHA256: b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d
  • SHA512: df1cfb1ecb87b1e6aef45ae61ed2aac4cd943af423d507e4393acf6701f25dfabffb6b9f4cfa30943e06786bec29a481394db432e229ad6cd4ee344673cecac1
  • SSDEEP: 1536:0oNJ5Vi85oWPAf23geJ4T/gm+YSPgUN3QivEtA:06iG5oVeJ4ThSPgU5QJA

Score
10/10

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 20 IoCs)
  • Executes dropped EXE (10 IoCs)
  • Loads dropped DLL (24 IoCs)
  • Drops file in System32 directory (30 IoCs)
  • Program crash (1 IoC)
  • Modifies registry class (33 IoCs)
  • Suspicious use of WriteProcessMemory (44 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe
    "C:\Users\Admin\AppData\Local\Temp\b5df680f8cbbcdb69345e94a932ea140715233d220c7e2141ec411252eb7192d.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\SysWOW64\Hcifgjgc.exe
      C:\Windows\system32\Hcifgjgc.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\Hdhbam32.exe
        C:\Windows\system32\Hdhbam32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Windows\SysWOW64\Hnagjbdf.exe
          C:\Windows\system32\Hnagjbdf.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Windows\SysWOW64\Hpocfncj.exe
            C:\Windows\system32\Hpocfncj.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2560
            • C:\Windows\SysWOW64\Hjhhocjj.exe
              C:\Windows\system32\Hjhhocjj.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2688
              • C:\Windows\SysWOW64\Hlfdkoin.exe
                C:\Windows\system32\Hlfdkoin.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1520
                • C:\Windows\SysWOW64\Henidd32.exe
                  C:\Windows\system32\Henidd32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:1920
                  • C:\Windows\SysWOW64\Hhmepp32.exe
                    C:\Windows\system32\Hhmepp32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2796
                    • C:\Windows\SysWOW64\Iaeiieeb.exe
                      C:\Windows\system32\Iaeiieeb.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2628
                      • C:\Windows\SysWOW64\Iagfoe32.exe
                        C:\Windows\system32\Iagfoe32.exe
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:320
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 140
                          12⤵
                          • Loads dropped DLL
                          • Program crash
                          PID:2604

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\Hhmepp32.exe
          Filesize: 72KB
          MD5: 491b86b554058a17ccc64ba52781f5e5
          SHA1: 57f31b36760e585828369ccba17aaf04f85d901b
          SHA256: a1bb41e82694046f48e57293b320b1f42513ba9619cc44126568624c39a70be1
          SHA512: 1537951c68c4eef73bf036b14e45254aed39cc4f239f7a77d01e2b90f69c58a8ed33b2e546a0cea491a804cbb7710ac6613ac1b56f9b1b3facd456a31852170d

        • C:\Windows\SysWOW64\Iaeiieeb.exe
          Filesize: 72KB
          MD5: 60e3ebcd6fb63702844d80fc6e15309d
          SHA1: b30d0c79ecdbf2ee7d1599dce6c1887061709b77
          SHA256: 14fdb1a116d653165893ccafba9ecab31089a8a1cab2ef2d73c7ed2ee500d330
          SHA512: 2335751ea041711ebf33d58b2e306ccdbf79ee5916662d050a2a197354cd5cac6868afd3286ecf3db1a93e360e2cc0ffe90288ea724ca976084dcb95777b1172

        • C:\Windows\SysWOW64\Iagfoe32.exe
          Filesize: 72KB
          MD5: 51dde2e64588784ec42312b6c01f6ad9
          SHA1: 40815c71829ca09793baa884f72d01bd81786ce1
          SHA256: 82e032528b1a02c1d6d0a0d2cc068d0b3100a7d6353e2673719212905a0f5f62
          SHA512: 6d74c56948160c912f58d573f4b9edefd4b006c6d343d7017f16b739039463ab0eeb1ab4a3f5dffc6893145f45edebea4b62404260be57da559288358b0636ea

        • \Windows\SysWOW64\Hcifgjgc.exe
          Filesize: 72KB
          MD5: 26d1b000948765a8ab8dad62adfa680d
          SHA1: 0dd5a29742d3bd222a3d76b433ecb25570a7e4e4
          SHA256: 38963e1136c979025075863ca62fb16917db8c0b5ee3b4caae85d90e5cbde565
          SHA512: 7628227133fcc346b9efbe8cb5ff013bea6a08a50f2110c1b7ab7b2886fdc31d30a63201dcc7c7f2238a52718241c8c4e521ae4f01d1457357c29b3ef6aee2f6

        • \Windows\SysWOW64\Hdhbam32.exe
          Filesize: 72KB
          MD5: b799c3886f3319337669dedbb5c08528
          SHA1: 546e8b15c0b754c87f06e0d1293b3c475f55296b
          SHA256: a280cefd0c677327af1fd31c7704d8ae912625a41b3383d9a9f67d9fbb7baba2
          SHA512: c4af0890bb59d102e65357cbf5bdeacfb436602a76d595bab984512561bd868012d67de99b704b89496a66306018c1c10e236d1ed38289591419b22b6e6ed232

        • \Windows\SysWOW64\Henidd32.exe
          Filesize: 72KB
          MD5: e497eab10e5ef8adf7c9da127959d8fa
          SHA1: 6c0772c5556a5dce86cfeb98ecdbb402a0cf2ae0
          SHA256: 1f72a7eff202843ff36fa051124cc23d565b4dbe914cf33e9e4131fe6b958f81
          SHA512: da9af60ab56b54467357391c48b6b37ad7b4ef96758bb3ce7e5372d2eec0dd84c0ea8649d43b4ec05aaf77752e144ffcd754aeab629da1d1eb991f3c204ac1d6

        • \Windows\SysWOW64\Hjhhocjj.exe
          Filesize: 72KB
          MD5: 46151dd064cd6b0b11f17c061f706a59
          SHA1: cba74916b316ad20c1c920e1885d800270359874
          SHA256: b34bd7b26b8825c05fc90abde3b766ba1066ffec48c6a7509e95eca61ddd82aa
          SHA512: bc1316244467f40f1d95d27d0abf44e42ae6f8d44765862d98ab19f58ecef468338351266c9b9d322334a9c22398a2bc327d033820303648262c5d25edc3c6b3

        • \Windows\SysWOW64\Hlfdkoin.exe
          Filesize: 72KB
          MD5: 44058acdd599e14517052c863e3c61eb
          SHA1: 2ac43adf1a75cce10f7a0eabe9c9a9a834bf3e20
          SHA256: b6e9747b66ab9115fc1f37b47dc9d47ec536a19b0f4bd1842654189317a3fe82
          SHA512: 5bbbdd660edb48b4d05d8eaba49d7a2b173f386dd547dfb5eb3385a1e3ba3c3d0858450645426a2bf0d96bd788af66a34854a76d102bfe4aeef87721b2b7210b

        • \Windows\SysWOW64\Hnagjbdf.exe
          Filesize: 72KB
          MD5: 8ea3fca9c6f4a9684074e92eac29d444
          SHA1: 176cc9c55e3d1012d7cbf826107cf416ca1d212f
          SHA256: de5f60ddc1d0cd8014fe6e8751a197c10d6bc83303d1f1a5b1271b1c1109e94f
          SHA512: a542cb3eaa3969fec303849a1f8ab644a23f453c0eca930eab6bd1bcb937bf0aa5a49ba5aca0df9c7ba9d6eb2758d13d0cfae4cefaba8feed5aec359eb661901

        • \Windows\SysWOW64\Hpocfncj.exe
          Filesize: 72KB
          MD5: 912c568f311d5bbf458dbb221e6a52a3
          SHA1: f17585ae452ec820df26390ba2c50f7da50f8ec4
          SHA256: eaa4804eb459c233523caf087a682246051fbf05df075d4c3dc3187353dfa492
          SHA512: 84f7c2a72535bf66e255b1e4ac735697c0115ab9e2b8a5b04342eefb5b728b57e2636ebb3c5b9414ec3900808daaebc02c69cc846e63e0e01810beb7b5c57f81

        • memory/320-140-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/1520-145-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/1520-80-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/1920-116-0x0000000000250000-0x000000000028C000-memory.dmp (Filesize: 240KB)
        • memory/1920-146-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/1920-147-0x0000000000250000-0x000000000028C000-memory.dmp (Filesize: 240KB)
        • memory/1920-148-0x0000000000250000-0x000000000028C000-memory.dmp (Filesize: 240KB)
        • memory/1920-94-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/1920-114-0x0000000000250000-0x000000000028C000-memory.dmp (Filesize: 240KB)
        • memory/2192-13-0x0000000000250000-0x000000000028C000-memory.dmp (Filesize: 240KB)
        • memory/2192-0-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/2192-88-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/2192-6-0x0000000000250000-0x000000000028C000-memory.dmp (Filesize: 240KB)
        • memory/2216-95-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/2216-14-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/2544-108-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/2544-27-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/2556-44-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/2556-109-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/2560-124-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/2560-53-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/2628-126-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/2628-149-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/2688-66-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/2688-139-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
        • memory/2688-74-0x00000000002D0000-0x000000000030C000-memory.dmp (Filesize: 240KB)
        • memory/2796-118-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)