Overview (overall score 10)
Task - Platform - Score
Static - static - 3
EKTEDIR.exe - windows7-x64 - 10
EKTEDIR.exe - windows10-2004-x64 - 10
$PLUGINSDI...em.dll - windows7-x64 - 3
$PLUGINSDI...em.dll - windows10-2004-x64 - 3
$PLUGINSDI...ec.dll - windows7-x64 - 3
$PLUGINSDI...ec.dll - windows10-2004-x64 - 3
Hylozoism/...37.gen - windows7-x64 - 3
Hylozoism/...37.gen - windows10-2004-x64 - 3
Hylozoism/...et.rav - windows7-x64 - 3
Hylozoism/...et.rav - windows10-2004-x64 - 3
Hylozoism/...16.vre - windows7-x64 - 3
Hylozoism/...16.vre - windows10-2004-x64 - 3
Hylozoism/Unfrail.nay - windows7-x64 - 3
Hylozoism/Unfrail.nay - windows10-2004-x64 - 3
Hylozoism/...rs.stj - windows7-x64 - 3
Hylozoism/...rs.stj - windows10-2004-x64 - 3
Hylozoism/...ly.txt - windows7-x64 - 1
Hylozoism/...ly.txt - windows10-2004-x64 - 1
Hylozoism/smudses.yde - windows7-x64 - 3
Hylozoism/smudses.yde - windows10-2004-x64 - 3
Occluding225.ten - windows7-x64 - 3
Occluding225.ten - windows10-2004-x64 - 3
Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 09-07-2024 07:32
Static task
static1

Behavioral tasks (task - sample - resource)
behavioral1 - EKTEDIR.exe - win7-20240704-en
behavioral2 - EKTEDIR.exe - win10v2004-20240704-en
behavioral3 - $PLUGINSDIR/System.dll - win7-20240704-en
behavioral4 - $PLUGINSDIR/System.dll - win10v2004-20240704-en
behavioral5 - $PLUGINSDIR/nsExec.dll - win7-20240704-en
behavioral6 - $PLUGINSDIR/nsExec.dll - win10v2004-20240704-en
behavioral7 - Hylozoism/Forbundsformndene237.gen - win7-20240704-en
behavioral8 - Hylozoism/Forbundsformndene237.gen - win10v2004-20240704-en
behavioral9 - Hylozoism/Haardhudet.rav - win7-20240705-en
behavioral10 - Hylozoism/Haardhudet.rav - win10v2004-20240704-en
behavioral11 - Hylozoism/Herbiest116.vre - win7-20240708-en
behavioral12 - Hylozoism/Herbiest116.vre - win10v2004-20240704-en
behavioral13 - Hylozoism/Unfrail.nay - win7-20240708-en
behavioral14 - Hylozoism/Unfrail.nay - win10v2004-20240704-en
behavioral15 - Hylozoism/afrettelsers.stj - win7-20240708-en
behavioral16 - Hylozoism/afrettelsers.stj - win10v2004-20240708-en
behavioral17 - Hylozoism/figurally.txt - win7-20240704-en
behavioral18 - Hylozoism/figurally.txt - win10v2004-20240704-en
behavioral19 - Hylozoism/smudses.yde - win7-20240704-en
behavioral20 - Hylozoism/smudses.yde - win10v2004-20240704-en
behavioral21 - Occluding225.ten - win7-20240704-en
behavioral22 - Occluding225.ten - win10v2004-20240704-en

$PLUGINSDIR is the NSIS installer's plugin directory and System.dll and nsExec.dll are the standard NSIS System and nsExec plugins, so EKTEDIR.exe is an NSIS package; the other samples listed are the files the sandbox extracted from it, each run as a task of its own. The scores of 10 belong to the behavioral runs of EKTEDIR.exe itself; the extracted files score 1 to 3.
General (this page shows behavioral11: the target below on win7-20240708-en)
Target: Hylozoism/Herbiest116.vre
Size: 502KB
MD5: 62de12ed6ed6ff40a198d8b60827cceb
SHA1: fdc628000b2c284c8ec7dd07a125060deb714813
SHA256: 53512f1c52eaf92a898fb36109dae0a9d213756a883e05b2f0fcf116eef6b60e
SHA512: 3941aeb05dabca894676c6701827f5e93eb262cf39086a445f9de4e26ad84727f5ada7054d35cc3b5b196ca7785c4e928e2328a064198eccd47841fb16364909
SSDEEP: 768:Sx+0VL5OUfjWsP4iWQPZ1VJ0FVBBHvr/L2UJVQIH:SMRB
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
Process: rundll32.exe (PID 2760). All nine writes go to the user's classes hive, \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES (HKCU\Software\Classes):
- Key created: \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings
- Set value (str): \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\vre_auto_file\
- Set value (str): \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.vre\ = "vre_auto_file"
- Key created: \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\vre_auto_file\shell\Read\command
- Set value (str): \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\vre_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
- Key created: \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\vre_auto_file
- Key created: \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.vre
- Key created: \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\vre_auto_file\shell\Read
- Key created: \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\vre_auto_file\shell
Read together, these entries are the association the Windows "Open With" dialog records when an application is chosen for an extension that has no handler: .vre is mapped to a new ProgID, vre_auto_file, whose shell\Read\command runs Adobe Reader 9 on the file. The writer is rundll32.exe hosting shell32.dll,OpenAs_RunDLL, which is the Open With dialog itself (see the process tree below); cmd /c launched it because Herbiest116.vre is not an executable. The writes are therefore shell bookkeeping done by Windows, not a handler hijack planted by the file. On a real host the same keys under HKCU\Software\Classes deserve attention only when the command they point at is not the expected application.

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Process: AcroRd32.exe (PID 2784)

Suspicious use of SetWindowsHookEx (2 IoCs)
Process: AcroRd32.exe (PID 2784), two calls
Both signatures fire on Adobe Reader, the application the Open With dialog started to display the file, not on any process spawned by code inside Herbiest116.vre.

Suspicious use of WriteProcessMemory (7 IoCs)
- PID 1484 (cmd.exe) wrote to memory of PID 2760 (rundll32.exe): 3 events
- PID 2760 (rundll32.exe) wrote to memory of PID 2784 (AcroRd32.exe): 4 events
In both pairs the writer is the parent of the target and the target was created by it, which is the pattern process creation itself produces; the rows reproduce the process tree below rather than showing a write into an unrelated process.
Processes
1. C:\Windows\system32\cmd.exe
   command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Hylozoism\Herbiest116.vre
   PID: 1484
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Hylozoism\Herbiest116.vre
      PID: 2760
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Hylozoism\Herbiest116.vre"
         PID: 2784
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
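The following Python is an added worked example, not part of the Triage report and not the sandbox's own code. It takes the flattened IoC rows of the "Modifies registry class" and "Suspicious use of WriteProcessMemory" signatures above (the row strings are copied from this page and embedded as constructed input), rebuilds the file association they describe (extension, ProgID, verb command, handler executable), dedupes the repeated memory-write rows into a parent/child tree, and checks whether the rundll32 command line is the shell32 Open With dialog. The SID prefix is stripped with a pattern that assumes Triage's \REGISTRY\USER\<SID>_CLASSES spelling; all function names are the editor's own.

```python
"""Rebuild the flattened IoC tables of a Triage report into structured findings."""
import re
from collections import OrderedDict

# Constructed input: rows copied from this report, one list element per row
# (the rendered page runs each table together on a single line).
REGISTRY_ROWS = [
    r"Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings",
    "Set value (str) \\REGISTRY\\USER\\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\\vre_auto_file\\",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.vre\ = "vre_auto_file"',
    r"Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\vre_auto_file\shell\Read\command",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\vre_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""',
    r"Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\vre_auto_file",
    r"Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.vre",
    r"Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\vre_auto_file\shell\Read",
    r"Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\vre_auto_file\shell",
]
WPM_ROWS = (["PID 1484 wrote to memory of 2760 1484 cmd.exe rundll32.exe"] * 3
            + ["PID 2760 wrote to memory of 2784 2760 rundll32.exe AcroRd32.exe"] * 4)
RUNDLL32_CMDLINE = (r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL '
                    r"C:\Users\Admin\AppData\Local\Temp\Hylozoism\Herbiest116.vre")

SET_RE = re.compile(r"^Set value \((\w+)\) (.+?)\\(?: = (.*))?$")   # path ends with '\' before ' = value'
KEY_RE = re.compile(r"^Key created (.+)$")
CLASSES_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+_CLASSES\\(.*)$", re.I)  # assumed Triage spelling
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")


def unquote(raw):
    """Turn Triage's C-style quoted literal into the string actually stored."""
    if raw is None:
        return None
    s = raw.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r"\\(.)", r"\1", s)   # \" -> "  and  \\ -> \


def parse_registry_row(row):
    """One IoC row -> {'op', 'type', 'path' (relative to HKCU\\Software\\Classes), 'value'}."""
    m = SET_RE.match(row)
    if m:
        op, vtype, path, raw = "set", m.group(1), m.group(2), m.group(3)
    else:
        m = KEY_RE.match(row)
        if not m:
            return None
        op, vtype, path, raw = "key", None, m.group(1), None
    cm = CLASSES_RE.match(path)
    return {"op": op, "type": vtype, "path": cm.group(1) if cm else path, "value": unquote(raw)}


def file_associations(rows):
    """Join '.ext' default values with '<progid>\\shell\\<verb>\\command' defaults."""
    ext_to_progid, commands = {}, {}
    for rec in filter(None, map(parse_registry_row, rows)):
        if rec["op"] != "set":
            continue
        parts = rec["path"].split("\\")
        if len(parts) == 1 and parts[0].startswith("."):
            ext_to_progid[parts[0].lower()] = rec["value"]
        elif len(parts) == 4 and parts[1].lower() == "shell" and parts[3].lower() == "command":
            commands.setdefault(parts[0], {})[parts[2]] = rec["value"]
    return {ext: {"progid": pid, "verbs": commands.get(pid, {})} for ext, pid in ext_to_progid.items()}


def handler_exe(command):
    """First token of a shell verb command: the quoted path or the bare word before the first space."""
    m = re.match(r'^"([^"]+)"|^(\S+)', command)
    return (m.group(1) or m.group(2)) if m else None


def process_edges(rows):
    """Dedupe repeated 'wrote to memory' rows into ordered (pid, name, target pid, target name) edges."""
    edges = OrderedDict()
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            edges.setdefault((int(m.group(1)), int(m.group(2))), (m.group(3), m.group(4)))
    return [(s, sn, d, dn) for (s, d), (sn, dn) in edges.items()]


def spawn_tree(rows):
    """Indented tree of writer -> target processes; a process that is never a target is a root."""
    edges = process_edges(rows)
    name, kids = {}, {}
    for s, sn, d, dn in edges:
        name[s], name[d] = sn, dn
        kids.setdefault(s, []).append(d)
    targets = {d for _, _, d, _ in edges}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + "%s (PID %d)" % (name[pid], pid))
        for child in kids.get(pid, []):
            walk(child, depth + 1)

    roots = []
    for s, _, _, _ in edges:
        if s not in targets and s not in roots:
            roots.append(s)
    for root in roots:
        walk(root, 0)
    return lines


def is_open_with_dialog(cmdline):
    """True when rundll32 is hosting shell32's Open With dialog (shell32.dll,OpenAs_RunDLL)."""
    return "shell32.dll,openas_rundll" in cmdline.lower()


if __name__ == "__main__":
    for ext, info in file_associations(REGISTRY_ROWS).items():
        print(ext, "->", info["progid"])
        for verb, cmd in info["verbs"].items():
            print("   ", verb, "=", cmd, "| handler:", handler_exe(cmd))
    print("\n".join(spawn_tree(WPM_ROWS)))
    print("Open With dialog:", is_open_with_dialog(RUNDLL32_CMDLINE))
```

Run on this report the script prints one association (.vre to vre_auto_file, verb Read, handler AcroRd32.exe), the three-process chain cmd.exe > rundll32.exe > AcroRd32.exe, and Open With dialog: True. The same parser applied to a report where the handler is not a known application, or where a writer PID is not the parent of its target, is where the two signatures start to mean something.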
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 0298e57511045705b2750f1b35b9913f
SHA1: b9b265fa998748cb430d98547c37af2fe0f138e2
SHA256: d0aae394e9679bf0561f6af1b892a34c15b6b8ebf54c780facd753e5b31b6cdd
SHA512: 7010203afd911c0c574fe29d9004cc87f360c2058cdbff4c4df69496c5cf3a78c286bd064c52b616a9be9f2621531c94971aece96050640556011f8092c081e5