Analysis
-
max time kernel
119s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19/01/2025, 18:55
Static task
static1
Behavioral task
behavioral1
Sample
606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe
Resource
win10v2004-20241007-en
General
-
Target
606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe
-
Size
260KB
-
MD5
0b0b0742f00569a644de0d91f04981b5
-
SHA1
3ae1c9f2017981ce389baa55a0775241b87e7529
-
SHA256
606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd
-
SHA512
a178a5e07a0d500f6b366152d058af73e0e3af18bcbe7713a05ae5a0b16d9b20e4b2f45d2313ba7181d4c0c208995def738d2ee868407728cf3166142dd74cbc
-
SSDEEP
6144:zefpY2nDl/XExmqGSE1w+DrseAB7LWg5nD9dwLi0Q:z6JDexmqGR1DnfsDLw20Q
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 228 plytp.exe -
Executes dropped EXE 2 IoCs
pid Process 228 plytp.exe 3928 hfw.exe -
Loads dropped DLL 1 IoCs
pid Process 3928 hfw.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cache = "c:\\Program Files\\gytxhk\\hfw.exe \"c:\\Program Files\\gytxhk\\hfwhq.dll\",Cache" hfw.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\h: hfw.exe File opened (read-only) \??\n: hfw.exe File opened (read-only) \??\q: hfw.exe File opened (read-only) \??\s: hfw.exe File opened (read-only) \??\u: hfw.exe File opened (read-only) \??\z: hfw.exe File opened (read-only) \??\x: hfw.exe File opened (read-only) \??\b: hfw.exe File opened (read-only) \??\e: hfw.exe File opened (read-only) \??\k: hfw.exe File opened (read-only) \??\m: hfw.exe File opened (read-only) \??\p: hfw.exe File opened (read-only) \??\t: hfw.exe File opened (read-only) \??\w: hfw.exe File opened (read-only) \??\o: hfw.exe File opened (read-only) \??\r: hfw.exe File opened (read-only) \??\v: hfw.exe File opened (read-only) \??\a: hfw.exe File opened (read-only) \??\g: hfw.exe File opened (read-only) \??\i: hfw.exe File opened (read-only) \??\j: hfw.exe File opened (read-only) \??\l: hfw.exe File opened (read-only) \??\y: hfw.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 hfw.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification \??\c:\Program Files\gytxhk plytp.exe File created \??\c:\Program Files\gytxhk\hfwhq.dll plytp.exe File created \??\c:\Program Files\gytxhk\hfw.exe plytp.exe File opened for modification \??\c:\Program Files\gytxhk\hfw.exe plytp.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hfw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plytp.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5036 cmd.exe 5032 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 hfw.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString hfw.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5032 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3928 hfw.exe 3928 hfw.exe 3928 hfw.exe 3928 hfw.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3928 hfw.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3132 606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe 228 plytp.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3132 wrote to memory of 5036 3132 606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe 83 PID 3132 wrote to memory of 5036 3132 606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe 83 PID 3132 wrote to memory of 5036 3132 606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe 83 PID 5036 wrote to memory of 5032 5036 cmd.exe 85 PID 5036 wrote to memory of 5032 5036 cmd.exe 85 PID 5036 wrote to memory of 5032 5036 cmd.exe 85 PID 5036 wrote to memory of 228 5036 cmd.exe 86 PID 5036 wrote to memory of 228 5036 cmd.exe 86 PID 5036 wrote to memory of 228 5036 cmd.exe 86 PID 228 wrote to memory of 3928 228 plytp.exe 87 PID 228 wrote to memory of 3928 228 plytp.exe 87 PID 228 wrote to memory of 3928 228 plytp.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe"C:\Users\Admin\AppData\Local\Temp\606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\plytp.exe "C:\Users\Admin\AppData\Local\Temp\606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5032
-
-
C:\Users\Admin\AppData\Local\Temp\plytp.exeC:\Users\Admin\AppData\Local\Temp\\plytp.exe "C:\Users\Admin\AppData\Local\Temp\606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\Program Files\gytxhk\hfw.exe"c:\Program Files\gytxhk\hfw.exe" "c:\Program Files\gytxhk\hfwhq.dll",Cache C:\Users\Admin\AppData\Local\Temp\plytp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
260KB
MD56ad79b50ffe25c5974799a3a91ec5a3d
SHA151eb0546733519cd8bd33d948858911eac5852f2
SHA256fd3acbf4076c99f5c6c3b1ef2c32200089506ba4bebf5a497895d74f5ccd3108
SHA51228454450901ff6dedf25e04f5d71565d1c0a22624f3a19fad8ca6bec9362ec74e058664111898401f9fe5cf41ef686d534d7f7a270cca11918ebb70d41adeafa
-
Filesize
188KB
MD565eee642399ad28628b4325a8b224b6d
SHA1c847e347adc76e2152b8f4b7487f746d4ca3c6d8
SHA25655863e8bc84f132d56faecce1aac4b3397ee9f2ea5fb76b68c35dd2528cc5520
SHA5124d42e402afe0ca4d3f7902792350feae69ae5498c3dac93ee502356190a5b36ba3e6cbb69b8277e841a5c66eb9b0112264506e84e0c595dc4b9ca97f0017f42b