dad4f83b8d772290981a7db973c9f22f27ef20a4f4ac670970c901d8e06fc245

Analysis

max time kernel
133s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
17/08/2024, 22:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Hydrox.exe
Size

53KB
MD5

6f5464f5081c0d55bcd32608717846af
SHA1

ab7ffb3125fea604060ddf2508e62a9b6a096455
SHA256

dad4f83b8d772290981a7db973c9f22f27ef20a4f4ac670970c901d8e06fc245
SHA512

645909c25d004b948f7d3b8a0732070e38baa92b2116b3276834ba8ffbb281bd14edc5c90f5218f7c22d95976121d02944b0b8cb6241edb8ffabf72cedc8f005
SSDEEP

1536:5zVlHAiddQcTxKchwsgVvU0IvkwhC1E7:5zVlHDFTQchwhVYsbE7

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hydrox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
5036	powershell.exe
5036	powershell.exe
5036	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
3648	powershell.exe
3648	powershell.exe
3648	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
2560	powershell.exe
2560	powershell.exe
2560	powershell.exe
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe
1604	powershell.exe
1604	powershell.exe
1604	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	5036	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 420 wrote to memory of 5036	420	Hydrox.exe	73
PID 420 wrote to memory of 5036	420	Hydrox.exe	73
PID 420 wrote to memory of 5036	420	Hydrox.exe	73
PID 420 wrote to memory of 3964	420	Hydrox.exe	75
PID 420 wrote to memory of 3964	420	Hydrox.exe	75
PID 420 wrote to memory of 3964	420	Hydrox.exe	75
PID 420 wrote to memory of 3648	420	Hydrox.exe	77
PID 420 wrote to memory of 3648	420	Hydrox.exe	77
PID 420 wrote to memory of 3648	420	Hydrox.exe	77
PID 420 wrote to memory of 4456	420	Hydrox.exe	79
PID 420 wrote to memory of 4456	420	Hydrox.exe	79
PID 420 wrote to memory of 4456	420	Hydrox.exe	79
PID 420 wrote to memory of 2560	420	Hydrox.exe	81
PID 420 wrote to memory of 2560	420	Hydrox.exe	81
PID 420 wrote to memory of 2560	420	Hydrox.exe	81
PID 420 wrote to memory of 2904	420	Hydrox.exe	83
PID 420 wrote to memory of 2904	420	Hydrox.exe	83
PID 420 wrote to memory of 2904	420	Hydrox.exe	83
PID 420 wrote to memory of 1604	420	Hydrox.exe	85
PID 420 wrote to memory of 1604	420	Hydrox.exe	85
PID 420 wrote to memory of 1604	420	Hydrox.exe	85

C:\Users\Admin\AppData\Local\Temp\Hydrox.exe
"C:\Users\Admin\AppData\Local\Temp\Hydrox.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:420
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wininit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wininit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wininit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3648
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wininit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wininit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wininit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wininit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f374bca1a66fb02170109b4773968cce

SHA1
a91464d5df9d0b0202549d1faeb799180e209bf7

SHA256
733de6472ff362216e251154f3e8487d890d3eda0edfe9431dbf0a19067dead5

SHA512
4434bcef7f734a8fadbb3cc5a0420536ea42978de29daf788cb37ed08e1ef3b3a01ddc02a6b62d0b1812acd786ae41d7032a6c47d4d4dbcbb9e82c0d82f7156b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4e3df9ba36ebc44584dd93e9fa7d1893

SHA1
36dba2cc8f0878138618b3e119b6d5fe312ebb00

SHA256
c03eb19b9d6a1666e76a8dfc90d90112950742c09ad1313f6f42064d8ac6747d

SHA512
2dc895f84c199ce74a2e6b3bb0cb6a4277d632de552db6a2b2abfb375e745879b38e038076d1a9c528e07dca7a0d64ce26e7dda644c61f20d203718485039056

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e9085b4a1ebe0c37435505acdf04e52f

SHA1
f492fc6f0c80c48aa1ae664fe3f4d007d64a60c4

SHA256
bad94d0e330e37fbcd38e7a6b5cc4a05268de177e546125b87c8faadc2d3729a

SHA512
9377c5e97700f3db4536ba0dd88812ce69c97621f1c655162d0d92e25a9337376af35a15386de5f1a6192e3a663cf99cae8641fa7e5b5904b86334cf186a8df3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8650bdbf328fdad31c6e09707f7b1554

SHA1
975b5ad9e741efba684fe5c6594c75b9dec21653

SHA256
5cbb9b4885048127c219e0bf6cbe5d12729c37a48e506abdbda3ed81b5b79ba7

SHA512
e7501bdfeef98a54824f4c4fe4bd091937a1cfbed2a595f32544fceba945af352291052a51dcf55c2b51cb668a4468650e65ef35988422de0b6c65e3a2f6e3b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
812e355cf311ff68a305dda17db2e6c3

SHA1
a721549a0433b67cb85d6ad286dba296602a8755

SHA256
2d3b41b30f0d36643d55ed41275985c01bcb94cd3822ca1e26110ec2b94aaf4d

SHA512
95df6fb454cee27cf08a6b81489efd9b92622b0ab7a613c67e7eb3e29b3c15ac3803f6feeba0c2f88b5c5f3edf9559f3806fa6714cc986b775e10eb2f8d6a5dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
730b17cb079ee91f53210d56a0d6e835

SHA1
0e57b3829dee8036c6179ab3e91944c50705e1fd

SHA256
f4219c9b1b7880693fca73269ea55e11389668a1cba58a72483d8f4cc65d95c3

SHA512
179cf5c994d375c957d31963abf132e98f83d81a24ad2c4aa63e4bf5dc35e87067cdd840cf4a200b2a9308c89e32aee4d40b87ef1dc934c1f2b737db5d137750

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0wctbyo3.bof.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
57fd31131365fb41e9ab858386106e7d

SHA1
5848a27d3d3918aeda1f91941e820af0ac8fe1a9

SHA256
e4d50f4ca3098fb9905a81e4f9079b48d037097471464e961283884bb850b4c4

SHA512
b9fecabf3cb2373653737bbfc4ca87467fe82759e9db249701fd32f00311583aae87d8a30a00f374b10a66ea773d8842686a1308b1bff1a2199bc3d663ab0fe0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
6f21f6e249936a5228cd895408052ac5

SHA1
cd4be77410f6e8e3ae51194f5c4594e9d831d704

SHA256
ba988fc93a27095664e83da9c7ead773a8a96b1ec00ec5ffc555d3510f34d936

SHA512
4898aeb769979b0292a33e8655793a0e18d16afacf9ac3e465f353307c8828ee53bdd179ec1071d9d7de2d5a3846572354e960056a4d7d8eeec4a4ce461a36c2

Download Submit
memory/420-7-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/420-4-0x00000000056A0000-0x00000000056AA000-memory.dmp

Filesize
40KB

Download
memory/420-0-0x000000007336E000-0x000000007336F000-memory.dmp

Filesize
4KB

Download
memory/420-264-0x000000007336E000-0x000000007336F000-memory.dmp

Filesize
4KB

Download
memory/420-3-0x0000000005520000-0x00000000055B2000-memory.dmp

Filesize
584KB

Download
memory/420-1-0x0000000000CB0000-0x0000000000CC4000-memory.dmp

Filesize
80KB

Download
memory/420-8-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/420-6-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/420-5-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/420-286-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/420-265-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/420-506-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/420-2-0x0000000005980000-0x0000000005E7E000-memory.dmp

Filesize
5.0MB

Download
memory/1604-1516-0x000000006DEC0000-0x000000006DF0B000-memory.dmp

Filesize
300KB

Download
memory/2560-1027-0x000000006DEC0000-0x000000006DF0B000-memory.dmp

Filesize
300KB

Download
memory/2904-1272-0x000000006DEC0000-0x000000006DF0B000-memory.dmp

Filesize
300KB

Download
memory/3648-538-0x000000006DEC0000-0x000000006DF0B000-memory.dmp

Filesize
300KB

Download
memory/3964-293-0x000000006DEC0000-0x000000006DF0B000-memory.dmp

Filesize
300KB

Download
memory/4456-783-0x000000006DEC0000-0x000000006DF0B000-memory.dmp

Filesize
300KB

Download
memory/5036-15-0x00000000074A0000-0x00000000074C2000-memory.dmp

Filesize
136KB

Download
memory/5036-244-0x0000000009890000-0x0000000009898000-memory.dmp

Filesize
32KB

Download
memory/5036-239-0x00000000098A0000-0x00000000098BA000-memory.dmp

Filesize
104KB

Download
memory/5036-46-0x00000000098F0000-0x0000000009984000-memory.dmp

Filesize
592KB

Download
memory/5036-45-0x0000000009730000-0x00000000097D5000-memory.dmp

Filesize
660KB

Download
memory/5036-40-0x00000000095C0000-0x00000000095DE000-memory.dmp

Filesize
120KB

Download
memory/5036-39-0x000000006DEC0000-0x000000006DF0B000-memory.dmp

Filesize
300KB

Download
memory/5036-38-0x0000000009600000-0x0000000009633000-memory.dmp

Filesize
204KB

Download
memory/5036-21-0x0000000008520000-0x0000000008596000-memory.dmp

Filesize
472KB

Download
memory/5036-20-0x0000000008770000-0x00000000087BB000-memory.dmp

Filesize
300KB

Download
memory/5036-19-0x00000000075C0000-0x00000000075DC000-memory.dmp

Filesize
112KB

Download
memory/5036-18-0x0000000007E60000-0x00000000081B0000-memory.dmp

Filesize
3.3MB

Download
memory/5036-16-0x0000000007D80000-0x0000000007DE6000-memory.dmp

Filesize
408KB

Download
memory/5036-17-0x0000000007DF0000-0x0000000007E56000-memory.dmp

Filesize
408KB

Download
memory/5036-14-0x00000000075E0000-0x0000000007C08000-memory.dmp

Filesize
6.2MB

Download
memory/5036-13-0x0000000006EC0000-0x0000000006EF6000-memory.dmp

Filesize
216KB

Download