Analysis
- max time kernel: 145s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 17-07-2024 04:15
Static task: static1
Behavioral task: behavioral1
- Sample: ffe6422dff4cbe7efdbd7ac4983504d4.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: ffe6422dff4cbe7efdbd7ac4983504d4.exe
- Resource: win10v2004-20240709-en
General
- Target: ffe6422dff4cbe7efdbd7ac4983504d4.exe
- Size: 2.2MB
- MD5: ffe6422dff4cbe7efdbd7ac4983504d4
- SHA1: b67e47c4469476baa69803a3183f2c5a821ad5b1
- SHA256: db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26
- SHA512: 626e085ef91b16ba1d2c7211de287854b4a7e85282ccc5a863aa3603f5249ad6dcd2ae2127142268341a5cc28d91ba4f6b9bab3bef268f35e3e683ee929bf499
- SSDEEP: 49152:z79Bu1YpCIlTKgirv6NruEf9MpehiCcOIo8R+jl3W:zpBu2flTXmpehGOV8cjRW
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid   process
  1688  dxvf.exe
  2916  dxvf.exe
  2740  dxvf.exe
  3924  dxvf.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  process: ffe6422dff4cbe7efdbd7ac4983504d4.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hypdhoszwhs = "C:\\Users\\Admin\\AppData\\Roaming\\Hypdhoszwhs.exe"
- Suspicious use of SetThreadContext (3 IoCs)
  pid   process                               target pid  target process
  2936  ffe6422dff4cbe7efdbd7ac4983504d4.exe  2536        ffe6422dff4cbe7efdbd7ac4983504d4.exe
  1688  dxvf.exe                              2916        dxvf.exe
  2740  dxvf.exe                              3924        dxvf.exe
- Drops file in Windows directory (1 IoC)
  process: ffe6422dff4cbe7efdbd7ac4983504d4.exe
  File created C:\Windows\Tasks\Test Task17.job
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  pid   process                               token
  2936  ffe6422dff4cbe7efdbd7ac4983504d4.exe  SeDebugPrivilege (x2)
  1688  dxvf.exe                              SeDebugPrivilege (x2)
  2740  dxvf.exe                              SeDebugPrivilege (x2)
- Suspicious use of WriteProcessMemory (35 IoCs)
  pid   process                               target pid  target process                        writes
  2936  ffe6422dff4cbe7efdbd7ac4983504d4.exe  2536        ffe6422dff4cbe7efdbd7ac4983504d4.exe  9
  1120  taskeng.exe                           1688        dxvf.exe                              4
  1688  dxvf.exe                              2916        dxvf.exe                              9
  1120  taskeng.exe                           2740        dxvf.exe                              4
  2740  dxvf.exe                              3924        dxvf.exe                              9
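The signature tables above show the same sequence three times: a process starts a second copy of its own image (PID 2936 to 2536, 1688 to 2916, 2740 to 3924), writes into it nine times, then calls SetThreadContext on it. That is the sequence characteristic of process hollowing, and it is what makes the "Executes dropped EXE" children run the injected code rather than the on-disk dxvf.exe. Mixed into the same 35 WriteProcessMemory IoCs are the four writes taskeng.exe makes into each dxvf.exe it launches; no thread context is set on those children, so they are baseline parent-to-child writes rather than injection. The script below, added here as an illustration and not part of the sandbox report or its tooling, re-derives that split from the report's own rows and pulls the two persistence IoCs (the Run key value and the .job file) into hunt-ready form. The EVENTS and PERSISTENCE strings are transcribed from the tables above; the " xN" repeat suffix is a constructed shorthand for the duplicated rows, and the record grammar is an assumption about how this page lays its rows out, not a documented format.

```python
"""Correlate sandbox behavioural events into process-hollowing candidates and
persistence IoCs. Added example for this report, not sandbox tooling.
EVENTS/PERSISTENCE are transcribed from the report's signature tables; the
35 "wrote to memory" rows are collapsed to one line per pair with " xN".
"""
import re
from collections import Counter

# Transcribed rows: "PID <src> <action> <dst> <src> <src image> <dst image> [xN]"
EVENTS = """
PID 2936 set thread context of 2536 2936 ffe6422dff4cbe7efdbd7ac4983504d4.exe ffe6422dff4cbe7efdbd7ac4983504d4.exe
PID 1688 set thread context of 2916 1688 dxvf.exe dxvf.exe
PID 2740 set thread context of 3924 2740 dxvf.exe dxvf.exe
PID 2936 wrote to memory of 2536 2936 ffe6422dff4cbe7efdbd7ac4983504d4.exe ffe6422dff4cbe7efdbd7ac4983504d4.exe x9
PID 1120 wrote to memory of 1688 1120 taskeng.exe dxvf.exe x4
PID 1688 wrote to memory of 2916 1688 dxvf.exe dxvf.exe x9
PID 1120 wrote to memory of 2740 1120 taskeng.exe dxvf.exe x4
PID 2740 wrote to memory of 3924 2740 dxvf.exe dxvf.exe x9
"""

# Transcribed from the "Adds Run key" and "Drops file in Windows directory" signatures.
PERSISTENCE = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hypdhoszwhs = "C:\\Users\\Admin\\AppData\\Roaming\\Hypdhoszwhs.exe"
File created C:\Windows\Tasks\Test Task17.job
"""

RECORD = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)(?: x(?P<n>\d+))?$"
)
RUN_KEY = re.compile(r'Set value \(str\) (?P<key>\S+\\Run\\(?P<name>\S+)) = "(?P<value>[^"]*)"')
JOB_FILE = re.compile(r"File created (?P<path>[A-Za-z]:\\Windows\\Tasks\\.+\.job)$")


def parse_events(text):
    """Yield (src_pid, action, dst_pid, src_image, dst_image), expanding xN repeats."""
    for line in text.strip().splitlines():
        m = RECORD.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised record: {line!r}")
        for _ in range(int(m["n"] or 1)):
            yield int(m["src"]), m["action"], int(m["dst"]), m["src_img"], m["dst_img"]


def _group(events):
    """Per (src, dst) pair: write count, whether a thread context was set, images."""
    writes, ctx, images = Counter(), set(), {}
    for src, action, dst, src_img, dst_img in events:
        images[(src, dst)] = (src_img, dst_img)
        if action == "wrote to memory of":
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return writes, ctx, images


def hollowing_candidates(events):
    """Pairs where the parent both rewrote the child's memory and reset its thread
    context. same_image marks the variant where the parent hollows a suspended
    copy of its own executable, as all three pairs in this report do.
    Returns [(src_pid, dst_pid, dst_image, write_count, same_image)]."""
    writes, ctx, images = _group(events)
    out = []
    for src, dst in sorted(ctx):
        if (src, dst) in writes:
            src_img, dst_img = images[(src, dst)]
            out.append((src, dst, dst_img, writes[(src, dst)], src_img == dst_img))
    return out


def plain_writers(events):
    """Pairs with memory writes but no thread-context change: the few writes a
    parent makes while starting a child (taskeng.exe into each dxvf.exe here).
    Returns [(src_pid, dst_pid, src_image, dst_image, write_count)]."""
    writes, ctx, images = _group(events)
    return [(s, d, *images[(s, d)], n) for (s, d), n in sorted(writes.items()) if (s, d) not in ctx]


def persistence_iocs(text):
    """Extract the Run-key payload path and the scheduled-task .job file,
    collapsing the doubled backslashes the sandbox prints inside string values."""
    iocs = []
    for line in text.strip().splitlines():
        if m := RUN_KEY.search(line):
            iocs.append({"type": "run_key", "location": m["key"],
                         "payload": m["value"].replace("\\\\", "\\")})
        elif m := JOB_FILE.search(line):
            iocs.append({"type": "scheduled_task_job", "location": m["path"], "payload": None})
    return iocs


if __name__ == "__main__":
    evs = list(parse_events(EVENTS))
    for c in hollowing_candidates(evs):
        print("hollowing candidate:", c)
    for w in plain_writers(evs):
        print("baseline writer:", w)
    for ioc in persistence_iocs(PERSISTENCE):
        print("persistence:", ioc)
```

Requiring both a write and a SetThreadContext on the same parent/child pair is what keeps the rule quiet on ordinary process creation while still firing on all three hollowing pairs; when hunting, check the Run-key payload path and the .job file on disk, and treat C:\ProgramData\obpfkgn\dxvf.exe as the on-disk image even though the code actually running in PIDs 2916 and 3924 was written in from the parent.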
Processes
- C:\Users\Admin\AppData\Local\Temp\ffe6422dff4cbe7efdbd7ac4983504d4.exe (PID 2936)
  command line: "C:\Users\Admin\AppData\Local\Temp\ffe6422dff4cbe7efdbd7ac4983504d4.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ffe6422dff4cbe7efdbd7ac4983504d4.exe (PID 2536)
    command line: "C:\Users\Admin\AppData\Local\Temp\ffe6422dff4cbe7efdbd7ac4983504d4.exe"
    - Drops file in Windows directory
- C:\Windows\system32\taskeng.exe (PID 1120)
  command line: taskeng.exe {82B5CDC2-F370-4CF6-9783-27BEF3F3AD09} S-1-5-21-940600906-3464502421-4240639183-1000:MGWWAYYN\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\obpfkgn\dxvf.exe (PID 1688)
    command line: C:\ProgramData\obpfkgn\dxvf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\obpfkgn\dxvf.exe (PID 2916)
      command line: "C:\ProgramData\obpfkgn\dxvf.exe"
      - Executes dropped EXE
  - C:\ProgramData\obpfkgn\dxvf.exe (PID 2740)
    command line: C:\ProgramData\obpfkgn\dxvf.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\obpfkgn\dxvf.exe (PID 3924)
      command line: "C:\ProgramData\obpfkgn\dxvf.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.2MB
  MD5: ffe6422dff4cbe7efdbd7ac4983504d4
  SHA1: b67e47c4469476baa69803a3183f2c5a821ad5b1
  SHA256: db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26
  SHA512: 626e085ef91b16ba1d2c7211de287854b4a7e85282ccc5a863aa3603f5249ad6dcd2ae2127142268341a5cc28d91ba4f6b9bab3bef268f35e3e683ee929bf499
- Filesize: 218B
  MD5: 9e40d522caaab2499cadddbaa2904434
  SHA1: 9a1a40d6bd643c92e7fddd78c62c8b38aaa99a3f
  SHA256: 0d3e4bdbda0952e59bb6ea3dc656198e74e51e2ebb6ec58f3d9a66cf508c189a
  SHA512: a484c8b994948c1c0a4058dcebe77b39d2b47363409b302e70ede88453bc23fcd2c238750b4a086d03b7c03331c7713c2b56fa274de3a1c849025447d70b6aee