Analysis
- max time kernel: 93s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 06:44
Tasks
- static1 (Static task)
- behavioral1 (Behavioral task): sample Data2.zip, resource win7-20240508-en
- behavioral2 (Behavioral task): sample Data2.zip, resource win10v2004-20240508-en
- behavioral3 (Behavioral task): sample hv.exe, resource win7-20231129-en
- behavioral4 (Behavioral task): sample hv.exe, resource win10v2004-20240611-en
- behavioral5 (Behavioral task): sample iepdf32.dll, resource win7-20240419-en
- behavioral6 (Behavioral task): sample iepdf32.dll, resource win10v2004-20240611-en
- behavioral7 (Behavioral task): sample rhombohedron.ai, resource win7-20240221-en
- behavioral8 (Behavioral task): sample rhombohedron.ai, resource win10v2004-20240508-en
- behavioral9 (Behavioral task): sample shovelnose.deb, resource win7-20240508-en
- behavioral10 (Behavioral task): sample shovelnose.deb, resource win10v2004-20240508-en
General
- Target: hv.exe
- Size: 8.7MB
- MD5: 480f8cf600f5509595b8418c6534caf2
- SHA1: dc13258ebb83bdf956523d751f67e29d6e4cf77e
- SHA256: 6d8905ec0b1dfdc0a10d1cce40714ddd73205a09ad390b933ddbecdcf06a4cf2
- SHA512: f0bd99f68d59e80538fb276945d0f383394cb94a35c6d12ebd3e87061222249f78b9ca75716b33e36b66842b97c71149612111fcb6a8a3bc3a97635b03934aaf
- SSDEEP: 196608:Ywdj1UbkCchr3rlFE8GCWhKUzGZ3gRTFHnBz58//o:Yw91Ubkxhr3rlFHWhKUzGZ3gRTFhzi/o
Malware Config
- Extracted: lumma
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 4648 hv.exe set thread context of PID 1008 netsh.exe
- Executes dropped EXE (1 IoC)
  Processes: PID 4648 hv.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 4648 hv.exe; PID 4936 0x21.pif
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: PID 1848 hv.exe; PID 4648 hv.exe (2 hits); PID 1008 netsh.exe (2 hits)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: PID 4648 hv.exe; PID 1008 netsh.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: PID 1848 hv.exe; PID 4648 hv.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 1848 hv.exe wrote to memory of PID 4648 hv.exe (3 hits)
    PID 4648 hv.exe wrote to memory of PID 1008 netsh.exe (4 hits)
    PID 1008 netsh.exe wrote to memory of PID 4936 0x21.pif (4 hits)
Processes (tree, indented by depth)
- C:\Users\Admin\AppData\Local\Temp\hv.exe (PID 1848)
  command line: "C:\Users\Admin\AppData\Local\Temp\hv.exe"
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\BqDaemon\hv.exe (PID 4648)
    command line: C:\Users\Admin\AppData\Roaming\BqDaemon\hv.exe
    signatures: Suspicious use of SetThreadContext; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 1008)
      command line: C:\Windows\SysWOW64\netsh.exe
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\0x21.pif (PID 4936)
        command line: C:\Users\Admin\AppData\Local\Temp\0x21.pif
        signatures: Loads dropped DLL
Downloads (dropped files)
- C:\Users\Admin\AppData\Local\Temp\0x21.pif, Filesize: 76KB
  MD5: f43c6b629baaaaee1e7fe095a8821631
  SHA1: f0e4b84bb1fa6ba985e281f3afc9642afca168b5
  SHA256: 4196f6776110e75a9670fb5843f373e90e88c0826ead45a30e9578221ff44ae3
  SHA512: 2b475850705fa37dd0c1b093d31ccce48ffdbcc614215ffb304070b4f31e16ca651d4569af39b36482c848751f1e31b7fd647bd23245718a0a1e877a6417878a
- C:\Users\Admin\AppData\Local\Temp\91cb97c8, Filesize: 1.1MB
  MD5: 8f8faabb79f1a87a338b4990feaa2ec5
  SHA1: 1a651f454aeaeb46be6a565741cba92a2ebb8abf
  SHA256: 438ddb313629c712c09bcfd6d88b8d82e8789e7badbc1dbbb7eaa4e37f7cfbb8
  SHA512: f30311915b7f263601f06d29cf8f5a66ebde5f2f572787619d549b218f412baa92f017a7f04083a582cef695e90194332e181e945d519963715e98e86f85fbd5
- C:\Users\Admin\AppData\Roaming\BqDaemon\hv.exe, Filesize: 8.7MB
  MD5: 480f8cf600f5509595b8418c6534caf2
  SHA1: dc13258ebb83bdf956523d751f67e29d6e4cf77e
  SHA256: 6d8905ec0b1dfdc0a10d1cce40714ddd73205a09ad390b933ddbecdcf06a4cf2
  SHA512: f0bd99f68d59e80538fb276945d0f383394cb94a35c6d12ebd3e87061222249f78b9ca75716b33e36b66842b97c71149612111fcb6a8a3bc3a97635b03934aaf
- C:\Users\Admin\AppData\Roaming\BqDaemon\iepdf32.dll, Filesize: 4.3MB
  MD5: f3f6876d132eb277842e31ddc42aa7fa
  SHA1: 9c167a2854ed106b74dff55a30bdefc55b140e9a
  SHA256: 4ba2ddde8a4549d08bfe4441643aa626e84d7653b8ddc6ed61823e78aeb3cdf1
  SHA512: 38b86c745945b0f97461542f89b2570210ddc3fcfeabfe2243a3b861dd80be6641e4b4181956d73926b7926d7c460db8a908ccb912c5209003ee24427aa135f9
- C:\Users\Admin\AppData\Roaming\BqDaemon\rhombohedron.ai, Filesize: 59KB
  MD5: 674dfd74a1bef081bf0da83f893138e5
  SHA1: 2a254cc02fea4c55bbc3133b99a9e2fd03082ae7
  SHA256: 67ff95298e395543ea0c9eeec6bfff81688df379bec578aa31c52d214b385180
  SHA512: 0b2bfbe287a037d46d881a00638a3c272197cf3537bc74169c07c7721cda2bf94927268bfd6cb965ad56e1ac98e3466d809cbc67f2e4d971dd0d7da9568a4cce
- C:\Users\Admin\AppData\Roaming\BqDaemon\shovelnose.deb, Filesize: 827KB
  MD5: 90b47672d8134f8cc464d83a5cde8d34
  SHA1: 69567e6a2dd5569b8cd2876a275f5d9a2ad8743f
  SHA256: cc38b5cb522fdf8d2fe5e85c50d72e1b8ac39d36deb157d4bffdda7970c5ba8b
  SHA512: 7dbeb8d4a5674c088fa904a9fdcddf9cb84d41b2d2c887ba38cfcdd1ac30cf4cd8ae28bc33fc3ee51139e78645f7fb580dfaf57e939c4e144b79d507a1d1d90b
memory/1008-35-0x0000000075840000-0x00000000758A3000-memory.dmpFilesize
396KB
-
memory/1008-25-0x0000000075840000-0x00000000758A3000-memory.dmpFilesize
396KB
-
memory/1008-23-0x00007FFEF87D0000-0x00007FFEF89C5000-memory.dmpFilesize
2.0MB
-
memory/1848-9-0x0000000000C80000-0x0000000001556000-memory.dmpFilesize
8.8MB
-
memory/1848-0-0x0000000003340000-0x0000000003341000-memory.dmpFilesize
4KB
-
memory/1848-2-0x00007FFEF87D0000-0x00007FFEF89C5000-memory.dmpFilesize
2.0MB
-
memory/1848-1-0x0000000075840000-0x00000000758A3000-memory.dmpFilesize
396KB
-
memory/4648-10-0x0000000000FE0000-0x0000000000FE1000-memory.dmpFilesize
4KB
-
memory/4648-21-0x0000000000020000-0x00000000008F6000-memory.dmpFilesize
8.8MB
-
memory/4648-19-0x0000000075840000-0x00000000758A3000-memory.dmpFilesize
396KB
-
memory/4648-17-0x0000000075852000-0x0000000075854000-memory.dmpFilesize
8KB
-
memory/4648-18-0x0000000075840000-0x00000000758A3000-memory.dmpFilesize
396KB
-
memory/4648-16-0x00007FFEF87D0000-0x00007FFEF89C5000-memory.dmpFilesize
2.0MB
-
memory/4648-15-0x0000000075840000-0x00000000758A3000-memory.dmpFilesize
396KB
-
memory/4936-29-0x00007FFEF87D0000-0x00007FFEF89C5000-memory.dmpFilesize
2.0MB
-
memory/4936-30-0x0000000000980000-0x00000000009D8000-memory.dmpFilesize
352KB
-
memory/4936-33-0x0000000000980000-0x00000000009D8000-memory.dmpFilesize
352KB