d1aa0ceb01cca76a88f9ee0c5817d24e7a15ad40768430373ae3009a619e2691

Analysis

max time kernel
72s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PCHunter64.exe
Size

10.2MB
MD5

d81135333a0eed3e973107891e996505
SHA1

d373052c6f7492e0dd5f2c705bac6b5afe7ffc24
SHA256

d1aa0ceb01cca76a88f9ee0c5817d24e7a15ad40768430373ae3009a619e2691
SHA512

910a66b83976d89f555354b05480fa9ee142bf7f41098999083a13879490dea0a5aabf9d85517683292ba030e51dd35e6459d1e0e8d49957826b876d96392a95
SSDEEP

98304:7F8k4UMOf99Xv/upYSuOtnz+QxVFgP+cAnvF+TVJ+j4bz6ISvb2FEz:7F8zUJV9uoyzxxvT4ZJGKaz

Score

8^/10

defense_evasion persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\sknarjaohxosnkqzm\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\sknarjaohxosnkqzm.sys"	PCHunter64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\eevfmknigozbim\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\eevfmknigozbim.sys"	PCHunter64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aticiltntobpfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\aticiltntobpfv.sys"	PCHunter64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCHunter64ar\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\PCHunter64ar.sys"	PCHunter64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCHunter64\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\PCHunter64.sys"	PCHunter64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vvadvivbuyleybnp\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\vvadvivbuyleybnp.sys"	PCHunter64.exe

Impair Defenses: Safe Mode Boot 1 TTPs 8 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vvadvivbuyleybnp.sys	PCHunter64.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\VVADVIVBUYLEYBNP.SYS	PCHunter64.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sknarjaohxosnkqzm.sys	PCHunter64.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\SKNARJAOHXOSNKQZM.SYS	PCHunter64.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\eevfmknigozbim.sys	PCHunter64.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\EEVFMKNIGOZBIM.SYS	PCHunter64.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\aticiltntobpfv.sys	PCHunter64.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\ATICILTNTOBPFV.SYS	PCHunter64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 33 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	PCHunter64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	PCHunter64.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	PCHunter64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	PCHunter64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	PCHunter64.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	PCHunter64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	PCHunter64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	PCHunter64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	PCHunter64.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	PCHunter64.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	PCHunter64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	PCHunter64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	PCHunter64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	PCHunter64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	PCHunter64.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	PCHunter64.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	PCHunter64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	PCHunter64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	PCHunter64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	PCHunter64.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	PCHunter64.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	PCHunter64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	PCHunter64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	PCHunter64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	PCHunter64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	PCHunter64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	PCHunter64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	PCHunter64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	PCHunter64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	PCHunter64.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	PCHunter64.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	PCHunter64.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	PCHunter64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4016	PCHunter64.exe

Suspicious behavior: LoadsDriver 32 IoCs

pid	Process
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe
Token: SeLoadDriverPrivilege	4016	PCHunter64.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe
4016	PCHunter64.exe

C:\Users\Admin\AppData\Local\Temp\PCHunter64.exe
"C:\Users\Admin\AppData\Local\Temp\PCHunter64.exe"
1⤵
- Sets service image path in registry
- Impair Defenses: Safe Mode Boot
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vvadvivbuyleybnp.sys

Filesize
618KB

MD5
6417c11dd315b8e50460b9b63559f27a

SHA1
268703f5e487b8a2874a11322d8ebe282b1ef698

SHA256
e6a882e5b9c5d3bf1ded94f14f3802deb88de23a03bb46e08a14fbb8950a94f5

SHA512
ad86c9910f95d47df7d9b79934fb2697964dc9e510b92a6c23da3e17b67750b28bc323c72b136857ffcc530a6bcf9578d9330dfae57766c10f87bcb1e2ae6611

Download Submit
memory/4016-96-0x0000000140000000-0x0000000140AD3000-memory.dmp

Filesize
10.8MB

Download
memory/4016-103-0x0000000140000000-0x0000000140AD3000-memory.dmp

Filesize
10.8MB

Download
memory/4016-107-0x0000000140000000-0x0000000140AD3000-memory.dmp

Filesize
10.8MB

Download
memory/4016-108-0x0000000140000000-0x0000000140AD3000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads