Analysis
- Max time kernel: 93s
- Max time network: 94s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240426-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 11-06-2024 18:22
Tasks
- Static task static1
- Behavioral task behavioral1: sample hv.exe, resource win7-20240508-en
- Behavioral task behavioral2: sample hv.exe, resource win10v2004-20240426-en
- Behavioral task behavioral3: sample iepdf32.dll, resource win7-20240419-en
- Behavioral task behavioral4: sample iepdf32.dll, resource win10v2004-20240508-en
- Behavioral task behavioral5: sample shovelnose.deb, resource win7-20231129-en
- Behavioral task behavioral6: sample shovelnose.deb, resource win10v2004-20240426-en
General
- Target: hv.exe
- Size: 8.7MB
- MD5: 480f8cf600f5509595b8418c6534caf2
- SHA1: dc13258ebb83bdf956523d751f67e29d6e4cf77e
- SHA256: 6d8905ec0b1dfdc0a10d1cce40714ddd73205a09ad390b933ddbecdcf06a4cf2
- SHA512: f0bd99f68d59e80538fb276945d0f383394cb94a35c6d12ebd3e87061222249f78b9ca75716b33e36b66842b97c71149612111fcb6a8a3bc3a97635b03934aaf
- SSDEEP: 196608:Ywdj1UbkCchr3rlFE8GCWhKUzGZ3gRTFHnBz58//o:Yw91Ubkxhr3rlFHWhKUzGZ3gRTFhzi/o
Malware Config
- Extracted family: lumma
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 4672 hv.exe set thread context of PID 2808 netsh.exe
- Executes dropped EXE (1 IoC)
  Processes: PID 4672 hv.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 4672 hv.exe; PID 4220 0x21.pif
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: PID 2916 hv.exe; PID 4672 hv.exe (2 hits); PID 2808 netsh.exe (2 hits)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: PID 4672 hv.exe; PID 2808 netsh.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: PID 2916 hv.exe; PID 4672 hv.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 2916 hv.exe wrote to memory of PID 4672 hv.exe (3 hits)
  - PID 4672 hv.exe wrote to memory of PID 2808 netsh.exe (4 hits)
  - PID 2808 netsh.exe wrote to memory of PID 4220 0x21.pif (4 hits)
Processes
- C:\Users\Admin\AppData\Local\Temp\hv.exe (PID 2916, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\hv.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\BqDaemon\hv.exe (PID 4672, depth 2, child of PID 2916)
    Command line: C:\Users\Admin\AppData\Roaming\BqDaemon\hv.exe
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 2808, depth 3, child of PID 4672)
      Command line: C:\Windows\SysWOW64\netsh.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\0x21.pif (PID 4220, depth 4, child of PID 2808)
        Command line: C:\Users\Admin\AppData\Local\Temp\0x21.pif
        - Loads dropped DLL
Downloads
- C:\Users\Admin\AppData\Local\Temp\0x21.pif
  Filesize: 76KB
  MD5: f43c6b629baaaaee1e7fe095a8821631
  SHA1: f0e4b84bb1fa6ba985e281f3afc9642afca168b5
  SHA256: 4196f6776110e75a9670fb5843f373e90e88c0826ead45a30e9578221ff44ae3
  SHA512: 2b475850705fa37dd0c1b093d31ccce48ffdbcc614215ffb304070b4f31e16ca651d4569af39b36482c848751f1e31b7fd647bd23245718a0a1e877a6417878a
- C:\Users\Admin\AppData\Local\Temp\ef84d02a
  Filesize: 1.1MB
  MD5: 419da0a7c9486f43e58fbfd60021224b
  SHA1: 2a8220eeaa2e716c76876237f087d3f436cbd852
  SHA256: ebc9bddbae62cff63e14293e80dd27af3bc701d2042a332566383e6ab89b5932
  SHA512: 620947ba1a73ea96af904d45b13911919244dd28c0dfc1af347fb860856970fbf7c2384518f48899337dc8b9f5adc63368af40417ee2d6ddd4ce17a2a3916f76
- C:\Users\Admin\AppData\Roaming\BqDaemon\hv.exe
  Filesize: 8.7MB
  MD5: 480f8cf600f5509595b8418c6534caf2
  SHA1: dc13258ebb83bdf956523d751f67e29d6e4cf77e
  SHA256: 6d8905ec0b1dfdc0a10d1cce40714ddd73205a09ad390b933ddbecdcf06a4cf2
  SHA512: f0bd99f68d59e80538fb276945d0f383394cb94a35c6d12ebd3e87061222249f78b9ca75716b33e36b66842b97c71149612111fcb6a8a3bc3a97635b03934aaf
- C:\Users\Admin\AppData\Roaming\BqDaemon\iepdf32.dll
  Filesize: 4.3MB
  MD5: f3f6876d132eb277842e31ddc42aa7fa
  SHA1: 9c167a2854ed106b74dff55a30bdefc55b140e9a
  SHA256: 4ba2ddde8a4549d08bfe4441643aa626e84d7653b8ddc6ed61823e78aeb3cdf1
  SHA512: 38b86c745945b0f97461542f89b2570210ddc3fcfeabfe2243a3b861dd80be6641e4b4181956d73926b7926d7c460db8a908ccb912c5209003ee24427aa135f9
- C:\Users\Admin\AppData\Roaming\BqDaemon\rhombohedron.ai
  Filesize: 59KB
  MD5: 674dfd74a1bef081bf0da83f893138e5
  SHA1: 2a254cc02fea4c55bbc3133b99a9e2fd03082ae7
  SHA256: 67ff95298e395543ea0c9eeec6bfff81688df379bec578aa31c52d214b385180
  SHA512: 0b2bfbe287a037d46d881a00638a3c272197cf3537bc74169c07c7721cda2bf94927268bfd6cb965ad56e1ac98e3466d809cbc67f2e4d971dd0d7da9568a4cce
- C:\Users\Admin\AppData\Roaming\BqDaemon\shovelnose.deb
  Filesize: 827KB
  MD5: 90b47672d8134f8cc464d83a5cde8d34
  SHA1: 69567e6a2dd5569b8cd2876a275f5d9a2ad8743f
  SHA256: cc38b5cb522fdf8d2fe5e85c50d72e1b8ac39d36deb157d4bffdda7970c5ba8b
  SHA512: 7dbeb8d4a5674c088fa904a9fdcddf9cb84d41b2d2c887ba38cfcdd1ac30cf4cd8ae28bc33fc3ee51139e78645f7fb580dfaf57e939c4e144b79d507a1d1d90b
Memory dumps
- memory/2808-35-0x0000000076970000-0x00000000769D3000-memory.dmp, filesize 396KB
- memory/2808-26-0x0000000076970000-0x00000000769D3000-memory.dmp, filesize 396KB
- memory/2808-23-0x00007FFA0EC90000-0x00007FFA0EE85000-memory.dmp, filesize 2.0MB
- memory/2916-9-0x0000000000AE0000-0x00000000013B6000-memory.dmp, filesize 8.8MB
- memory/2916-0-0x0000000003A00000-0x0000000003A01000-memory.dmp, filesize 4KB
- memory/2916-2-0x00007FFA0EC90000-0x00007FFA0EE85000-memory.dmp, filesize 2.0MB
- memory/2916-1-0x0000000076970000-0x00000000769D3000-memory.dmp, filesize 396KB
- memory/4220-33-0x0000000000D70000-0x0000000000DC8000-memory.dmp, filesize 352KB
- memory/4220-30-0x0000000000D70000-0x0000000000DC8000-memory.dmp, filesize 352KB
- memory/4220-29-0x00007FFA0EC90000-0x00007FFA0EE85000-memory.dmp, filesize 2.0MB
- memory/4672-10-0x00000000018B0000-0x00000000018B1000-memory.dmp, filesize 4KB
- memory/4672-21-0x00000000004B0000-0x0000000000D86000-memory.dmp, filesize 8.8MB
- memory/4672-19-0x0000000076970000-0x00000000769D3000-memory.dmp, filesize 396KB
- memory/4672-18-0x0000000076970000-0x00000000769D3000-memory.dmp, filesize 396KB
- memory/4672-17-0x0000000076982000-0x0000000076984000-memory.dmp, filesize 8KB
- memory/4672-16-0x00007FFA0EC90000-0x00007FFA0EE85000-memory.dmp, filesize 2.0MB
- memory/4672-15-0x0000000076970000-0x00000000769D3000-memory.dmp, filesize 396KB