Overview

Static: 10

Sample                  Score  Platform
7_zip_installer.exe     10     windows7-x64
CHOCORAT.exe            8      windows7-x64
ChrisMessage.exe        10     windows7-x64
Free Porn.exe           1      windows7-x64
Gay Porn Mailer.exe     1      windows7-x64
GottaWork.exe           1      windows7-x64
PleaseWork.exe          -      windows7-x64
THING.exe               -      windows7-x64
Technoturn...AT.exe     7      windows7-x64
Verified by Visa.exe    1      windows7-x64
abwsx1.exe              10     windows7-x64
eee.exe                 7      windows7-x64
hypno.exe               1      windows7-x64
mbam-setup...00.exe     8      windows7-x64
molesto.exe             8      windows7-x64
runme.exe               1      windows7-x64
setup.exe               7      windows7-x64
sevgi.exe               3      windows7-x64
shrek.exe               6      windows7-x64
upnp.exe                8      windows7-x64
virus.exe               7      windows7-x64
vmdestroyer.exe         10     windows7-x64
Analysis

Score: 7
Max time kernel: 299s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20240611-en
Resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
Submitted: 04-07-2024 17:59
Behavioral tasks

Task          Sample                       Resource
behavioral1   7_zip_installer.exe          win7-20240611-en
behavioral2   CHOCORAT.exe                 win7-20240220-en
behavioral3   ChrisMessage.exe             win7-20240611-en
behavioral4   Free Porn.exe                win7-20231129-en
behavioral5   Gay Porn Mailer.exe          win7-20240611-en
behavioral6   GottaWork.exe                win7-20240220-en
behavioral7   PleaseWork.exe               win7-20240419-en
behavioral8   THING.exe                    win7-20240221-en
behavioral9   Technoturnover's RAT.exe     win7-20240508-en
behavioral10  Verified by Visa.exe         win7-20240508-en
behavioral11  abwsx1.exe                   win7-20240221-en
behavioral12  eee.exe                      win7-20240508-en
behavioral13  hypno.exe                    win7-20240611-en
behavioral14  mbam-setup-1.75.0.1300.exe   win7-20240611-en
behavioral15  molesto.exe                  win7-20240508-en
behavioral16  runme.exe                    win7-20240221-en
behavioral17  setup.exe                    win7-20231129-en
behavioral18  sevgi.exe                    win7-20240419-en
behavioral19  shrek.exe                    win7-20240221-en
behavioral20  upnp.exe                     win7-20240611-en
behavioral21  virus.exe                    win7-20240508-en
behavioral22  vmdestroyer.exe              win7-20240220-en
General

Target: hypno.exe
Size: 867KB
MD5: d5b1d3d2b7a94a95ae09f5e25e3fdc28
SHA1: 9c6aed952277f1b0d5b8a95233326988442f2ed9
SHA256: 9a1cba95c631ba10afe33167928ccdaf2f8cde644d79212d36e63a815d711c8a
SHA512: 0a282ed2b893569233f72d93f78168749959df577bb84e326ce3596a87ba25a6107b8c39070699628c7a403a3094daa573d27e9b5dd540db095640b84940dccf
SSDEEP: 12288:DMYB9oY6c8IJpFL4KDESOsm0cVIgCJD1rTL:DMYzQczN4KDESPm0gIXDJTL
Malware Config

Signatures

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  4     2428  mshta.exe

Executes dropped EXE (1 IoC)
  pid   Process
  2904  vmfreeze.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  2304  hypno.exe
  2904  vmfreeze.exe
  2904  vmfreeze.exe

AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  resource                                       yara_rule
  behavioral13/files/0x0006000000015d70-8.dat    autoit_exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoC)
  pid   Process
  2676  taskkill.exe

Modifies Internet Explorer settings (1 IoC)
  description   ioc                                                                                                   Process
  Key created   \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main   mshta.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2676  taskkill.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   Process
  2904  vmfreeze.exe   (64 identical entries)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   Process
  2904  vmfreeze.exe   (2 identical entries)

Suspicious use of WriteProcessMemory (28 IoCs)
  description                        pid   Process      procid_target  entries
  PID 2304 wrote to memory of 2428   2304  hypno.exe    28             7
  PID 2304 wrote to memory of 1968   2304  hypno.exe    29             7
  PID 2304 wrote to memory of 2904   2304  hypno.exe    30             7
  PID 1968 wrote to memory of 2676   1968  WScript.exe  31             7
Processes

C:\Users\Admin\AppData\Local\Temp\hypno.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\hypno.exe"
  PID: 2304
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\eee.hta"
    PID: 2428
    Signatures: Blocklisted process makes network request; Modifies Internet Explorer settings

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eee.vbs"
    PID: 1968
    Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
      PID: 2676
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\vmfreeze.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\vmfreeze.exe"
    PID: 2904
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 639B
  MD5: 37f082625c16ac358ae7080d8c9c89bb
  SHA1: 204b768d48ca4edfcf206f06b1b282747dbc8291
  SHA256: 30c714391889aca0a9406bccd5965c1b1dbeb0e3984a52f5a47b1495ef0e727a
  SHA512: 210479430c1fcaeb9b4d0e56f74b8413817984f94c2d8dbf808d7cba8bdde07d77dd4bca99232a6f695d4ca282445ee41ae3745c68cba003bfed765b3d565129

File 2
  Filesize: 110B
  MD5: 440a37dc2d1674bf7a62ec24a502d77d
  SHA1: b486f7d85113d4d13b4c3e62ee3a6e81bcdc515d
  SHA256: 1d77aadf3d56d11b5437579bf7fd25166d00a95a123419ae8b10daf156dc4ca6
  SHA512: 9bba57886afb207a6d6ae8a31a789d5499c905e94815018b6efd8e12eb2f7691534fc637513f638d0dff6560aa2007d056268d9484fdf8e0954a3e1b2719f652

File 3
  Filesize: 1.1MB
  MD5: 26d5dbfe207187a6454377851137da82
  SHA1: 37e3a793c374f2c0ccb5a2fc5c4abf71adcc0845
  SHA256: 669babc694e34715b556a6bd09f025c8254039a659cb8a501b6ec587e07c80d9
  SHA512: e168cb47c2b7ddf59c60095ae99807eb3d7a095686e1d980b6169b55ec668a02f29967f4b627e2aa16b37c19666a46744b67131016c423417e50ea3b730dbc16