Analysis
Max time kernel: 136s
Max time network: 125s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 17-07-2024 04:15
Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample: ffe6422dff4cbe7efdbd7ac4983504d4.exe
  Resource: win7-20240708-en (windows7-x64)
  6 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: ffe6422dff4cbe7efdbd7ac4983504d4.exe
  Resource: win10v2004-20240709-en (windows10-2004-x64)
  4 signatures, 150 seconds
General
Target: ffe6422dff4cbe7efdbd7ac4983504d4.exe
Size: 2.2MB
MD5: ffe6422dff4cbe7efdbd7ac4983504d4
SHA1: b67e47c4469476baa69803a3183f2c5a821ad5b1
SHA256: db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26
SHA512: 626e085ef91b16ba1d2c7211de287854b4a7e85282ccc5a863aa3603f5249ad6dcd2ae2127142268341a5cc28d91ba4f6b9bab3bef268f35e3e683ee929bf499
SSDEEP: 49152:z79Bu1YpCIlTKgirv6NruEf9MpehiCcOIo8R+jl3W:zpBu2flTXmpehGOV8cjRW
Score: 6/10
Malware Config
Signatures

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: ffe6422dff4cbe7efdbd7ac4983504d4.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hypdhoszwhs = "C:\\Users\\Admin\\AppData\\Roaming\\Hypdhoszwhs.exe" | ffe6422dff4cbe7efdbd7ac4983504d4.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes: ffe6422dff4cbe7efdbd7ac4983504d4.exe
  description | pid | process | target process
  PID 1348 set thread context of 2768 | 1348 | ffe6422dff4cbe7efdbd7ac4983504d4.exe | ffe6422dff4cbe7efdbd7ac4983504d4.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: ffe6422dff4cbe7efdbd7ac4983504d4.exe
  description | pid | process
  Token: SeDebugPrivilege | 1348 | ffe6422dff4cbe7efdbd7ac4983504d4.exe
  Token: SeDebugPrivilege | 1348 | ffe6422dff4cbe7efdbd7ac4983504d4.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: ffe6422dff4cbe7efdbd7ac4983504d4.exe
  description | pid | process | target process
  PID 1348 wrote to memory of 2768 | 1348 | ffe6422dff4cbe7efdbd7ac4983504d4.exe | ffe6422dff4cbe7efdbd7ac4983504d4.exe
  PID 1348 wrote to memory of 2768 | 1348 | ffe6422dff4cbe7efdbd7ac4983504d4.exe | ffe6422dff4cbe7efdbd7ac4983504d4.exe
  PID 1348 wrote to memory of 2768 | 1348 | ffe6422dff4cbe7efdbd7ac4983504d4.exe | ffe6422dff4cbe7efdbd7ac4983504d4.exe
  PID 1348 wrote to memory of 2768 | 1348 | ffe6422dff4cbe7efdbd7ac4983504d4.exe | ffe6422dff4cbe7efdbd7ac4983504d4.exe
  PID 1348 wrote to memory of 2768 | 1348 | ffe6422dff4cbe7efdbd7ac4983504d4.exe | ffe6422dff4cbe7efdbd7ac4983504d4.exe
  PID 1348 wrote to memory of 2768 | 1348 | ffe6422dff4cbe7efdbd7ac4983504d4.exe | ffe6422dff4cbe7efdbd7ac4983504d4.exe
  PID 1348 wrote to memory of 2768 | 1348 | ffe6422dff4cbe7efdbd7ac4983504d4.exe | ffe6422dff4cbe7efdbd7ac4983504d4.exe
  PID 1348 wrote to memory of 2768 | 1348 | ffe6422dff4cbe7efdbd7ac4983504d4.exe | ffe6422dff4cbe7efdbd7ac4983504d4.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\ffe6422dff4cbe7efdbd7ac4983504d4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ffe6422dff4cbe7efdbd7ac4983504d4.exe"
   PID: 1348
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ffe6422dff4cbe7efdbd7ac4983504d4.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ffe6422dff4cbe7efdbd7ac4983504d4.exe"
      PID: 2768