Analysis

  • max time kernel
    119s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19/01/2025, 18:55

General

  • Target

    606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe

  • Size

    260KB

  • MD5

    0b0b0742f00569a644de0d91f04981b5

  • SHA1

    3ae1c9f2017981ce389baa55a0775241b87e7529

  • SHA256

    606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd

  • SHA512

    a178a5e07a0d500f6b366152d058af73e0e3af18bcbe7713a05ae5a0b16d9b20e4b2f45d2313ba7181d4c0c208995def738d2ee868407728cf3166142dd74cbc

  • SSDEEP

    6144:zefpY2nDl/XExmqGSE1w+DrseAB7LWg5nD9dwLi0Q:z6JDexmqGR1DnfsDLw20Q

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe
    "C:\Users\Admin\AppData\Local\Temp\606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\plytp.exe "C:\Users\Admin\AppData\Local\Temp\606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5032
      • C:\Users\Admin\AppData\Local\Temp\plytp.exe
        C:\Users\Admin\AppData\Local\Temp\\plytp.exe "C:\Users\Admin\AppData\Local\Temp\606aa54d6af1fb79f97cb6153cbb3c7244a39caa06cb4759fa224f041296b4cd.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:228
        • \??\c:\Program Files\gytxhk\hfw.exe
          "c:\Program Files\gytxhk\hfw.exe" "c:\Program Files\gytxhk\hfwhq.dll",Cache C:\Users\Admin\AppData\Local\Temp\plytp.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3928

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\gytxhk\hfw.exe
    Filesize: 60KB
    MD5: 889b99c52a60dd49227c5e485a016679
    SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
    SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
    SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

  • C:\Users\Admin\AppData\Local\Temp\plytp.exe
    Filesize: 260KB
    MD5: 6ad79b50ffe25c5974799a3a91ec5a3d
    SHA1: 51eb0546733519cd8bd33d948858911eac5852f2
    SHA256: fd3acbf4076c99f5c6c3b1ef2c32200089506ba4bebf5a497895d74f5ccd3108
    SHA512: 28454450901ff6dedf25e04f5d71565d1c0a22624f3a19fad8ca6bec9362ec74e058664111898401f9fe5cf41ef686d534d7f7a270cca11918ebb70d41adeafa

  • \??\c:\Program Files\gytxhk\hfwhq.dll
    Filesize: 188KB
    MD5: 65eee642399ad28628b4325a8b224b6d
    SHA1: c847e347adc76e2152b8f4b7487f746d4ca3c6d8
    SHA256: 55863e8bc84f132d56faecce1aac4b3397ee9f2ea5fb76b68c35dd2528cc5520
    SHA512: 4d42e402afe0ca4d3f7902792350feae69ae5498c3dac93ee502356190a5b36ba3e6cbb69b8277e841a5c66eb9b0112264506e84e0c595dc4b9ca97f0017f42b

  • memory/228-9-0x0000000000400000-0x0000000000459036-memory.dmp
    Filesize: 356KB

  • memory/228-8-0x0000000000400000-0x0000000000459036-memory.dmp
    Filesize: 356KB

  • memory/228-15-0x0000000000400000-0x0000000000459036-memory.dmp
    Filesize: 356KB

  • memory/3132-4-0x0000000000400000-0x0000000000459036-memory.dmp
    Filesize: 356KB

  • memory/3132-0-0x0000000000400000-0x0000000000459036-memory.dmp
    Filesize: 356KB

  • memory/3132-2-0x0000000000400000-0x0000000000459036-memory.dmp
    Filesize: 356KB

  • memory/3132-1-0x0000000000400000-0x0000000000459036-memory.dmp
    Filesize: 356KB

  • memory/3928-20-0x0000000010000000-0x000000001006F000-memory.dmp
    Filesize: 444KB

  • memory/3928-19-0x0000000010000000-0x000000001006F000-memory.dmp
    Filesize: 444KB

  • memory/3928-22-0x0000000010000000-0x000000001006F000-memory.dmp
    Filesize: 444KB