Analysis
-
max time kernel
140s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted
05-09-2024 09:05
Static task
static1
Behavioral task
behavioral1
Sample
PCHunter_v1.56/PCHunter_v1.56/PCHunter_1.56/PCHunter32.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
PCHunter_v1.56/PCHunter_v1.56/PCHunter_1.56/PCHunter32.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
PCHunter_v1.56/PCHunter_v1.56/PCHunter_1.56/PCHunter64.exe
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
PCHunter_v1.56/PCHunter_v1.56/PCHunter_1.56/PCHunter64.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
PCHunter_v1.56/Readme-ZOL.htm
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
PCHunter_v1.56/Readme-ZOL.htm
Resource
win10v2004-20240802-en
General
-
Target
PCHunter_v1.56/PCHunter_v1.56/PCHunter_1.56/PCHunter64.exe
-
Size
10.4MB
-
MD5
987b65cd9b9f4e9a1afd8f8b48cf64a7
-
SHA1
5f1cbc3d99558307bc1250d084fa968521482025
-
SHA256
2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32
-
SHA512
d81cf04cb3bcd3a50665398fc9df2f99e200bb6fa9bcf25d3662b9c2235fd00362c796165607daeafdcf6fdc97aa4f0bd08287370d8be5f778ffc2ab139a3823
-
SSDEEP
98304:ec2woDnsJL7vEGeQECPKHvf5M3Tj2bg1pFNAlVu8kBQxC6yZKylLj:L2woDnwL7884f5Am01pElVu8kCI6GNj
Malware Config
Signatures
-
Sets service image path in registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCHunter64\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\PCHunter_v1.56\\PCHunter_v1.56\\PCHunter_1.56\\PCHunter64.sys" | PCHunter64.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmvivmhtlwtkeh\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\PCHunter_v1.56\\PCHunter_v1.56\\PCHunter_1.56\\vmvivmhtlwtkeh.sys" | PCHunter64.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\skdphhxgcmjwlbda\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\PCHunter_v1.56\\PCHunter_v1.56\\PCHunter_1.56\\skdphhxgcmjwlbda.sys" | PCHunter64.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\pzqmdidtommsijzk\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\PCHunter_v1.56\\PCHunter_v1.56\\PCHunter_1.56\\pzqmdidtommsijzk.sys" | PCHunter64.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lwljycagblpgfsct\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\PCHunter_v1.56\\PCHunter_v1.56\\PCHunter_1.56\\lwljycagblpgfsct.sys" | PCHunter64.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCHunter64as\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\PCHunter_v1.56\\PCHunter_v1.56\\PCHunter_1.56\\PCHunter64as.sys" | PCHunter64.exe
Impair Defenses: Safe Mode Boot 1 TTPs 8 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\pzqmdidtommsijzk.sys | PCHunter64.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\PZQMDIDTOMMSIJZK.SYS | PCHunter64.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\lwljycagblpgfsct.sys | PCHunter64.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\LWLJYCAGBLPGFSCT.SYS | PCHunter64.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vmvivmhtlwtkeh.sys | PCHunter64.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\VMVIVMHTLWTKEH.SYS | PCHunter64.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\skdphhxgcmjwlbda.sys | PCHunter64.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\SKDPHHXGCMJWLBDA.SYS | PCHunter64.exe
Suspicious behavior: LoadsDriver 32 IoCs
pid | Process
836 | PCHunter64.exe (32 identical entries)
Suspicious use of AdjustPrivilegeToken 33 IoCs
description | pid | Process
Token: SeDebugPrivilege | 836 | PCHunter64.exe
Token: SeLoadDriverPrivilege | 836 | PCHunter64.exe (32 identical entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
836 | PCHunter64.exe (2 identical entries)
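The two registry signatures above are the ones a triage analyst would want to check mechanically rather than by eye: an ImagePath for a kernel driver that points under the user's AppData\Local\Temp, and SafeBoot\Minimal keys that are created and then deleted again within the same run. The Python below is an added example, not part of the sandbox report and not PCHunter's own code. It consumes events in the same (action, key, value, process) shape as the IoC rows, flags driver services whose image lives in a user-writable directory, and separates transient SafeBoot entries (created and removed, as in this report) from ones left in place. The sample events are constructed: four rows are copied from the tables above, and two control rows (an in-box Beep driver path registered by services.exe, and a hypothetical testdrv.sys registered by installer.exe whose SafeBoot entry is never removed) are assumptions that do not appear in the report.

```python
"""Added triage helper over registry events shaped like the report's IoC rows
(action, key, value, process).  Not part of the sandbox report or of PCHunter."""
import re
from typing import Dict, List, Tuple

Event = Tuple[str, str, str, str]

SERVICE_IMAGEPATH = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)"
    r"\\Services\\([^\\]+)\\ImagePath$", re.I)
SAFEBOOT_KEY = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)"
    r"\\Control\\SafeBoot\\(?:Minimal|Network)\\([^\\]+)$", re.I)
# Directories a standard user can write to.  A kernel driver whose image lives
# here instead of %SystemRoot%\System32\drivers is what the first signature is
# really pointing at.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(?:Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)", re.I)


def normalize_image_path(value: str) -> str:
    """Registry ImagePath string -> Win32 path.  Drops surrounding quotes and
    the NT '\\??\\' prefix, expands '\\SystemRoot\\', and treats a bare
    relative path as relative to the Windows directory (assumed C:\\Windows)."""
    path = value.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.lower().startswith("\\systemroot\\"):
        path = "C:\\Windows\\" + path[len("\\SystemRoot\\"):]
    elif not re.match(r"^[A-Z]:\\", path, re.I):
        path = "C:\\Windows\\" + path.lstrip("\\")
    return path


def analyze(events: List[Event]) -> Dict[str, list]:
    """Return flagged driver registrations and SafeBoot entries.

    findings: (process, kind, name, path) tuples
    safeboot_transient: SafeBoot names created and deleted within the run
    safeboot_persistent: SafeBoot names created and still present at the end
    """
    drivers: Dict[str, Tuple[str, str, str]] = {}  # basename -> (service, path, process)
    findings: List[Tuple[str, str, str, str]] = []
    created, deleted = set(), set()
    for action, key, value, process in events:
        m = SERVICE_IMAGEPATH.match(key)
        if m and action.lower().startswith("set value"):
            service, path = m.group(1), normalize_image_path(value)
            if path.lower().endswith(".sys"):
                drivers[path.rsplit("\\", 1)[-1].lower()] = (service, path, process)
                if USER_WRITABLE.match(path):
                    findings.append((process, "driver_from_user_writable_path", service, path))
            continue
        m = SAFEBOOT_KEY.match(key)
        if m:
            name = m.group(1).lower()  # key names are compared case-insensitively
            if action.lower() == "key created":
                created.add(name)
            elif action.lower() == "key deleted":
                deleted.add(name)
    transient = sorted(created & deleted)
    persistent = sorted(created - deleted)
    for name in persistent:
        svc = drivers.get(name)  # tie the SafeBoot entry back to the driver it names
        findings.append((svc[2] if svc else "?", "safeboot_driver_persistence",
                         name, svc[1] if svc else ""))
    return {"findings": findings, "safeboot_transient": transient,
            "safeboot_persistent": persistent}


# Constructed sample: four rows taken from the report's IoC tables plus two
# control rows that are NOT in the report (an in-box Beep driver path, and a
# hypothetical testdrv.sys whose SafeBoot entry is never removed).
CS = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\"
TMP = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\PCHunter_v1.56\\PCHunter_v1.56\\PCHunter_1.56\\"
SAMPLE_EVENTS: List[Event] = [
    ("Set value (str)", CS + "Services\\PCHunter64\\ImagePath", '"' + TMP + 'PCHunter64.sys"', "PCHunter64.exe"),
    ("Set value (str)", CS + "Services\\pzqmdidtommsijzk\\ImagePath", '"' + TMP + 'pzqmdidtommsijzk.sys"', "PCHunter64.exe"),
    ("Key created", CS + "Control\\SafeBoot\\Minimal\\pzqmdidtommsijzk.sys", "", "PCHunter64.exe"),
    ("Key deleted", CS.upper() + "CONTROL\\SAFEBOOT\\MINIMAL\\PZQMDIDTOMMSIJZK.SYS", "", "PCHunter64.exe"),
    ("Set value (str)", CS + "Services\\Beep\\ImagePath", "\\SystemRoot\\System32\\drivers\\beep.sys", "services.exe"),
    ("Set value (str)", CS + "Services\\testdrv\\ImagePath", '"\\??\\C:\\ProgramData\\testdrv.sys"', "installer.exe"),
    ("Key created", CS + "Control\\SafeBoot\\Minimal\\testdrv.sys", "", "installer.exe"),
]

if __name__ == "__main__":
    for row in analyze(SAMPLE_EVENTS)["findings"]:
        print(*row)
```

On the report's own rows this yields one finding per service (all six ImagePath values resolve under C:\Users\Admin\AppData\Local\Temp) and four transient SafeBoot names with nothing persistent, which is the pattern of a tool that loads its driver for the session and cleans up; the constructed testdrv.sys row shows what a left-behind SafeBoot entry looks like by contrast. The same two checks can be run against a live host's HKLM\SYSTEM\CurrentControlSet\Services and SafeBoot keys; this example only consumes event rows.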
Processes
-
C:\Users\Admin\AppData\Local\Temp\PCHunter_v1.56\PCHunter_v1.56\PCHunter_1.56\PCHunter64.exe
"C:\Users\Admin\AppData\Local\Temp\PCHunter_v1.56\PCHunter_v1.56\PCHunter_1.56\PCHunter64.exe"
- Sets service image path in registry
- Impair Defenses: Safe Mode Boot
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:836
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
624KB
MD5
5eb2f44651d3e4b90664bab3070409ff
SHA1
6d71d69243bc2495a107ca45d5989a6fc1545570
SHA256
32726fa33be861472d0b26286073b49500e3fd3bd1395f63bc114746a9195efb
SHA512
55eef39a6845567c8bf64d04e5414537837ae7937229849f7bb1f28e4ddc22428aa1d56af177606c1ea31dd8799ff96d1dfa0f80cb266afe31ca1b43fe9313b5