Analysis
- max time kernel: 146s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-07-2024 04:17
Static task: static1
Behavioral task: behavioral1
  Sample: db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe
  Resource: win10v2004-20240709-en
Behavioral task: behavioral2
  Sample: db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe
  Resource: win11-20240709-en
General
- Target: db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe
- Size: 2.2MB
- MD5: ffe6422dff4cbe7efdbd7ac4983504d4
- SHA1: b67e47c4469476baa69803a3183f2c5a821ad5b1
- SHA256: db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26
- SHA512: 626e085ef91b16ba1d2c7211de287854b4a7e85282ccc5a863aa3603f5249ad6dcd2ae2127142268341a5cc28d91ba4f6b9bab3bef268f35e3e683ee929bf499
- SSDEEP: 49152:z79Bu1YpCIlTKgirv6NruEf9MpehiCcOIo8R+jl3W:zpBu2flTXmpehGOV8cjRW
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: tbkup.exe, tbkup.exe
    PID 1760  tbkup.exe
    PID 1064  tbkup.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hypdhoszwhs = "C:\\Users\\Admin\\AppData\\Roaming\\Hypdhoszwhs.exe"  by db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe, tbkup.exe
    PID 2360 set thread context of PID 760   (db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe -> db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe)
    PID 1760 set thread context of PID 1064  (tbkup.exe -> tbkup.exe)
- Drops file in Windows directory (1 IoC)
  Processes: db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe
    File created  C:\Windows\Tasks\Test Task17.job  by db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe, tbkup.exe
    Token: SeDebugPrivilege  PID 2360 db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe  (2 IoCs)
    Token: SeDebugPrivilege  PID 1760 tbkup.exe  (2 IoCs)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe, tbkup.exe
    PID 2360 wrote to memory of PID 760   (db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe -> db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe)  (8 IoCs)
    PID 1760 wrote to memory of PID 1064  (tbkup.exe -> tbkup.exe)  (8 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe  (PID 2360)
  command line: "C:\Users\Admin\AppData\Local\Temp\db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe  (PID 760, child of 2360)
    command line: "C:\Users\Admin\AppData\Local\Temp\db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe"
    - Drops file in Windows directory
- C:\ProgramData\lugxik\tbkup.exe  (PID 1760)
  command line: C:\ProgramData\lugxik\tbkup.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\lugxik\tbkup.exe  (PID 1064, child of 1760)
    command line: "C:\ProgramData\lugxik\tbkup.exe"
    - Executes dropped EXE
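The Signatures and Processes sections above show the same shape twice: a parent takes SeDebugPrivilege, spawns a second copy of its own image, writes into it repeatedly, then replaces a thread context (the classic process-hollowing sequence), first for the sample itself (2360 -> 760) and again for the dropped C:\ProgramData\lugxik\tbkup.exe (1760 -> 1064). The following is an added example, not code from the page or the sandbox: a small Python triage script that parses the report's one-IoC-per-line signature text (the input lines are constructed by transcribing the report; the line format is assumed, it is not an export API of the sandbox), correlates WriteProcessMemory and SetThreadContext per parent/child pair so that a lone write or context change is not flagged, and pulls out the two host persistence artefacts (the Run key value and the Tasks .job file) a responder would check on other machines.

```python
import re
from collections import defaultdict

# Image names exactly as they appear in the report above.
SAMPLE_EXE = "db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000"
           r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hypdhoszwhs")

# Constructed input: one behavioural IoC per line, transcribed from the Signatures
# section. The line layout is an assumption for this example, not a sandbox API.
SAMPLE_EVENTS = [
    f"PID 2360 set thread context of 760 2360 {SAMPLE_EXE} {SAMPLE_EXE}",
    "PID 1760 set thread context of 1064 1760 tbkup.exe tbkup.exe",
    f"PID 2360 wrote to memory of 760 2360 {SAMPLE_EXE} {SAMPLE_EXE}",
    "PID 1760 wrote to memory of 1064 1760 tbkup.exe tbkup.exe",
    f"Token: SeDebugPrivilege 2360 {SAMPLE_EXE}",
    "Token: SeDebugPrivilege 1760 tbkup.exe",
    # The registry value is shown JSON-escaped in the report, hence doubled backslashes.
    f'Set value (str) {RUN_KEY} = "C:\\\\Users\\\\Admin\\\\AppData\\\\Roaming\\\\Hypdhoszwhs.exe" {SAMPLE_EXE}',
    f"File created C:\\Windows\\Tasks\\Test Task17.job {SAMPLE_EXE}",
]

MEM_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\w+) (\d+) (\S+)$")
REG_RE = re.compile(r'^Set value \(str\) (\S+) = "(.*)" (\S+)$')
FILE_RE = re.compile(r"^File created (.+) (\S+)$")   # greedy: the last token is the process


def parse_events(lines):
    """Normalise the one-IoC-per-line text into dicts keyed by event type."""
    events = []
    for line in lines:
        line = line.strip()
        if m := MEM_RE.match(line):
            src, action, dst, src_img, dst_img = m.groups()
            events.append({"type": "ctx" if action.startswith("set") else "write",
                           "src": int(src), "dst": int(dst),
                           "src_img": src_img, "dst_img": dst_img})
        elif m := TOKEN_RE.match(line):
            events.append({"type": "priv", "priv": m[1], "src": int(m[2]), "src_img": m[3]})
        elif m := REG_RE.match(line):
            # Collapse the JSON-style doubled backslashes back to a real Windows path.
            events.append({"type": "reg", "key": m[1],
                           "value": m[2].replace("\\\\", "\\"), "src_img": m[3]})
        elif m := FILE_RE.match(line):
            events.append({"type": "file", "path": m[1], "src_img": m[2]})
    return events


def find_hollowing(events):
    """Flag parent->child pairs that were both written to and had a thread context replaced.

    A lone WriteProcessMemory or SetThreadContext is common in debuggers and installers;
    the pair, aimed at a child that runs the *same* image as the parent, is the
    process-hollowing shape the report shows for the sample and for tbkup.exe.
    """
    debug_pids = {e["src"] for e in events if e["type"] == "priv" and e["priv"] == "SeDebugPrivilege"}
    pairs = defaultdict(lambda: {"write": 0, "ctx": 0})
    for e in events:
        if e["type"] in ("write", "ctx"):
            p = pairs[(e["src"], e["dst"])]
            p[e["type"]] += 1
            p["src_img"], p["dst_img"] = e["src_img"], e["dst_img"]
    hits = []
    for (src, dst), p in pairs.items():
        if p["write"] and p["ctx"]:
            hits.append({"parent": src, "child": dst, "image": p["src_img"],
                         "same_image": p["src_img"] == p["dst_img"],
                         "writes": p["write"], "se_debug": src in debug_pids})
    return sorted(hits, key=lambda h: h["parent"])


def persistence_iocs(events):
    """Host artefacts a responder can check directly: the Run-key value and the Tasks .job file."""
    iocs = []
    for e in events:
        if e["type"] == "reg" and "\\currentversion\\run\\" in e["key"].lower():
            iocs.append(("run_key", e["key"].rsplit("\\", 1)[1], e["value"]))
        elif e["type"] == "file" and e["path"].lower().startswith("c:\\windows\\tasks\\"):
            iocs.append(("scheduled_task_job", e["path"], e["src_img"]))
    return iocs


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for h in find_hollowing(evs):
        print(f"hollowing: {h['parent']} -> {h['child']} ({h['image']}), "
              f"same image={h['same_image']}, SeDebugPrivilege={h['se_debug']}")
    for ioc in persistence_iocs(evs):
        print("persistence:", *ioc)
```

Requiring both the write and the context change on the same parent/child pair, and recording whether the child is the parent's own image, keeps the rule from firing on legitimate tooling while still catching both hollowing instances in this report; the persistence tuples are the values to hunt for under HKCU\...\CurrentVersion\Run and in C:\Windows\Tasks on other hosts.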
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.2MB
  MD5: ffe6422dff4cbe7efdbd7ac4983504d4
  SHA1: b67e47c4469476baa69803a3183f2c5a821ad5b1
  SHA256: db4d63069f8ba1604f971997cff723b7ed36153cd6b29d04ea0fc341236d9b26
  SHA512: 626e085ef91b16ba1d2c7211de287854b4a7e85282ccc5a863aa3603f5249ad6dcd2ae2127142268341a5cc28d91ba4f6b9bab3bef268f35e3e683ee929bf499
- Filesize: 236B
  MD5: 5e085f0688a0e4bb9be4c17c5ecf2c05
  SHA1: b7230556641c4c40cf50039bcae19f24443e0f56
  SHA256: 3eb5073dc5e3a89b3fac913e2a2fea1b9b47216b73d72985950eef7080798d52
  SHA512: 8d3dc8773339f88587b3970f87d8024f5ddce5a1dddf2da3dc654d639ddf03cc85802c8412b5f3d7b0d943831ef8936c43d0486513b969e1eab57bf11d4e7e84