c8a496dcf94d5d246dec0747f139957709b63412f48d9a1591ca5e771a988636

Analysis

max time kernel
299s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hypno.exe
Size

867KB
MD5

d5b1d3d2b7a94a95ae09f5e25e3fdc28
SHA1

9c6aed952277f1b0d5b8a95233326988442f2ed9
SHA256

9a1cba95c631ba10afe33167928ccdaf2f8cde644d79212d36e63a815d711c8a
SHA512

0a282ed2b893569233f72d93f78168749959df577bb84e326ce3596a87ba25a6107b8c39070699628c7a403a3094daa573d27e9b5dd540db095640b84940dccf
SSDEEP

12288:DMYB9oY6c8IJpFL4KDESOsm0cVIgCJD1rTL:DMYzQczN4KDESPm0gIXDJTL

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

4 2428 mshta.exe
Executes dropped EXE 1 IoCs

Processes:

vmfreeze.exe

pid process

2904 vmfreeze.exe
Loads dropped DLL 3 IoCs

Processes:

hypno.exevmfreeze.exe

pid process

2304 hypno.exe
2904 vmfreeze.exe
2904 vmfreeze.exe

flow	pid	process
4	2428	mshta.exe

pid	process
2304	hypno.exe
2904	vmfreeze.exe
2904	vmfreeze.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\vmfreeze.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2676 taskkill.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2676 taskkill.exe

pid	process
2676	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

description	pid	process
Token: SeDebugPrivilege	2676	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

vmfreeze.exe

pid	process
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe
2904	vmfreeze.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

vmfreeze.exe

pid process

2904 vmfreeze.exe
2904 vmfreeze.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

hypno.exeWScript.exe

description	pid	process	target process
PID 2304 wrote to memory of 2428	2304	hypno.exe	mshta.exe
PID 2304 wrote to memory of 2428	2304	hypno.exe	mshta.exe
PID 2304 wrote to memory of 2428	2304	hypno.exe	mshta.exe
PID 2304 wrote to memory of 2428	2304	hypno.exe	mshta.exe
PID 2304 wrote to memory of 2428	2304	hypno.exe	mshta.exe
PID 2304 wrote to memory of 2428	2304	hypno.exe	mshta.exe
PID 2304 wrote to memory of 2428	2304	hypno.exe	mshta.exe
PID 2304 wrote to memory of 1968	2304	hypno.exe	WScript.exe
PID 2304 wrote to memory of 1968	2304	hypno.exe	WScript.exe
PID 2304 wrote to memory of 1968	2304	hypno.exe	WScript.exe
PID 2304 wrote to memory of 1968	2304	hypno.exe	WScript.exe
PID 2304 wrote to memory of 1968	2304	hypno.exe	WScript.exe
PID 2304 wrote to memory of 1968	2304	hypno.exe	WScript.exe
PID 2304 wrote to memory of 1968	2304	hypno.exe	WScript.exe
PID 2304 wrote to memory of 2904	2304	hypno.exe	vmfreeze.exe
PID 2304 wrote to memory of 2904	2304	hypno.exe	vmfreeze.exe
PID 2304 wrote to memory of 2904	2304	hypno.exe	vmfreeze.exe
PID 2304 wrote to memory of 2904	2304	hypno.exe	vmfreeze.exe
PID 2304 wrote to memory of 2904	2304	hypno.exe	vmfreeze.exe
PID 2304 wrote to memory of 2904	2304	hypno.exe	vmfreeze.exe
PID 2304 wrote to memory of 2904	2304	hypno.exe	vmfreeze.exe
PID 1968 wrote to memory of 2676	1968	WScript.exe	taskkill.exe
PID 1968 wrote to memory of 2676	1968	WScript.exe	taskkill.exe
PID 1968 wrote to memory of 2676	1968	WScript.exe	taskkill.exe
PID 1968 wrote to memory of 2676	1968	WScript.exe	taskkill.exe
PID 1968 wrote to memory of 2676	1968	WScript.exe	taskkill.exe
PID 1968 wrote to memory of 2676	1968	WScript.exe	taskkill.exe
PID 1968 wrote to memory of 2676	1968	WScript.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\hypno.exe
"C:\Users\Admin\AppData\Local\Temp\hypno.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\eee.hta"
2⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
PID:2428

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eee.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Users\Admin\AppData\Local\Temp\vmfreeze.exe
"C:\Users\Admin\AppData\Local\Temp\vmfreeze.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2904

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eee.hta
Filesize
639B

MD5
37f082625c16ac358ae7080d8c9c89bb

SHA1
204b768d48ca4edfcf206f06b1b282747dbc8291

SHA256
30c714391889aca0a9406bccd5965c1b1dbeb0e3984a52f5a47b1495ef0e727a

SHA512
210479430c1fcaeb9b4d0e56f74b8413817984f94c2d8dbf808d7cba8bdde07d77dd4bca99232a6f695d4ca282445ee41ae3745c68cba003bfed765b3d565129

Download Submit
C:\Users\Admin\AppData\Local\Temp\eee.vbs
Filesize
110B

MD5
440a37dc2d1674bf7a62ec24a502d77d

SHA1
b486f7d85113d4d13b4c3e62ee3a6e81bcdc515d

SHA256
1d77aadf3d56d11b5437579bf7fd25166d00a95a123419ae8b10daf156dc4ca6

SHA512
9bba57886afb207a6d6ae8a31a789d5499c905e94815018b6efd8e12eb2f7691534fc637513f638d0dff6560aa2007d056268d9484fdf8e0954a3e1b2719f652

Download Submit
\Users\Admin\AppData\Local\Temp\vmfreeze.exe
Filesize
1.1MB

MD5
26d5dbfe207187a6454377851137da82

SHA1
37e3a793c374f2c0ccb5a2fc5c4abf71adcc0845

SHA256
669babc694e34715b556a6bd09f025c8254039a659cb8a501b6ec587e07c80d9

SHA512
e168cb47c2b7ddf59c60095ae99807eb3d7a095686e1d980b6169b55ec668a02f29967f4b627e2aa16b37c19666a46744b67131016c423417e50ea3b730dbc16

Download Submit