253de8145c186c3d3ff60304eab1f23f4fdd50eb38a212c94847578226af433c

Analysis

max time kernel
8s
max time network
10s
platform
windows7_x64
resource
win7v20201028
submitted
15-03-2021 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4373d18b2bf09478387fc4e762cf29d6a9ba886e2f39dd4353fb6e8b33fee083.exe
Size

25KB
MD5

cd4cc1545d329de2398ff457e712edb2
SHA1

969b04cf87e367ad0c29ffc8c039cdde63196637
SHA256

4373d18b2bf09478387fc4e762cf29d6a9ba886e2f39dd4353fb6e8b33fee083
SHA512

4ed085bfc53b63c2d25fff05d919731d3dd151759803062b964275f3881f16e3ac77c415e1ad3a94ed46dcc889d1b3eb9932372e81dbcb384339c913500f2fa9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

hhcbrnaff.exe

pid process

1928 hhcbrnaff.exe
Loads dropped DLL 1 IoCs

Processes:

4373d18b2bf09478387fc4e762cf29d6a9ba886e2f39dd4353fb6e8b33fee083.exe

pid process

1724 4373d18b2bf09478387fc4e762cf29d6a9ba886e2f39dd4353fb6e8b33fee083.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1928	hhcbrnaff.exe

pid	process
1724	4373d18b2bf09478387fc4e762cf29d6a9ba886e2f39dd4353fb6e8b33fee083.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

hhcbrnaff.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	hhcbrnaff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	hhcbrnaff.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4373d18b2bf09478387fc4e762cf29d6a9ba886e2f39dd4353fb6e8b33fee083.exe

description	pid	process	target process
PID 1724 wrote to memory of 1928	1724	4373d18b2bf09478387fc4e762cf29d6a9ba886e2f39dd4353fb6e8b33fee083.exe	hhcbrnaff.exe
PID 1724 wrote to memory of 1928	1724	4373d18b2bf09478387fc4e762cf29d6a9ba886e2f39dd4353fb6e8b33fee083.exe	hhcbrnaff.exe
PID 1724 wrote to memory of 1928	1724	4373d18b2bf09478387fc4e762cf29d6a9ba886e2f39dd4353fb6e8b33fee083.exe	hhcbrnaff.exe
PID 1724 wrote to memory of 1928	1724	4373d18b2bf09478387fc4e762cf29d6a9ba886e2f39dd4353fb6e8b33fee083.exe	hhcbrnaff.exe

C:\Users\Admin\AppData\Local\Temp\4373d18b2bf09478387fc4e762cf29d6a9ba886e2f39dd4353fb6e8b33fee083.exe
"C:\Users\Admin\AppData\Local\Temp\4373d18b2bf09478387fc4e762cf29d6a9ba886e2f39dd4353fb6e8b33fee083.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
"C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
MD5
2fa45b880aaff0ffbdee7fab2fe26fc1

SHA1
88cf0017bd1fe25b139ed825b328461fb03acbf6

SHA256
e60dd14ebcd97bbe06906e8fd7fcfcfae2fb040994569e60922108b1e9271033

SHA512
fbd6645994fd5de26b77e61a80dcf8d12404803783f2bbc471c3dd08629158237436aab41eead2663c0e72e276afbc6368957dbac4e5b1cf6cbbf6ccfd511468

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
MD5
2fa45b880aaff0ffbdee7fab2fe26fc1

SHA1
88cf0017bd1fe25b139ed825b328461fb03acbf6

SHA256
e60dd14ebcd97bbe06906e8fd7fcfcfae2fb040994569e60922108b1e9271033

SHA512
fbd6645994fd5de26b77e61a80dcf8d12404803783f2bbc471c3dd08629158237436aab41eead2663c0e72e276afbc6368957dbac4e5b1cf6cbbf6ccfd511468

Download Submit
\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
MD5
2fa45b880aaff0ffbdee7fab2fe26fc1

SHA1
88cf0017bd1fe25b139ed825b328461fb03acbf6

SHA256
e60dd14ebcd97bbe06906e8fd7fcfcfae2fb040994569e60922108b1e9271033

SHA512
fbd6645994fd5de26b77e61a80dcf8d12404803783f2bbc471c3dd08629158237436aab41eead2663c0e72e276afbc6368957dbac4e5b1cf6cbbf6ccfd511468

Download Submit
memory/692-10-0x000007FEF7D90000-0x000007FEF800A000-memory.dmp

Filesize
2.5MB

Download
memory/1724-2-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1724-8-0x0000000002780000-0x0000000002B80000-memory.dmp

Filesize
4.0MB

Download
memory/1928-4-0x0000000000000000-mapping.dmp

Download
memory/1928-9-0x0000000002700000-0x0000000002B00000-memory.dmp

Filesize
4.0MB

Download