33861a560cf03ee0459cde7ad4b5a6fcda7ad7b2881a601cff831dccd1da033a

Analysis

max time kernel
155s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33861a560cf03ee0459cde7ad4b5a6fcda7ad7b2881a601cff831dccd1da033a.exe
Size

19KB
MD5

62db41c3300df7f36ff75679e07b4700
SHA1

b6b5d4b3b3e7aec3505e55d08bcacfe0cc5999b5
SHA256

33861a560cf03ee0459cde7ad4b5a6fcda7ad7b2881a601cff831dccd1da033a
SHA512

99442c229e6f30e6be4dc92fa35a7eaa3040e3730bd6afd5d37eb60f2ab407308126ca8b15d44cb06f8edb3ee4a9f9b46629065185298d7273253ce997265afd
SSDEEP

384:yqG+PZFaPFYLaL3Tf7+02YIk/MRpNaTEcMDYSTiq8sScHZDzzKFpoByUAR:2ZIk/MPASDTBypay9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2540	hhcbrnaff.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	33861a560cf03ee0459cde7ad4b5a6fcda7ad7b2881a601cff831dccd1da033a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 2540	4060	33861a560cf03ee0459cde7ad4b5a6fcda7ad7b2881a601cff831dccd1da033a.exe	82
PID 4060 wrote to memory of 2540	4060	33861a560cf03ee0459cde7ad4b5a6fcda7ad7b2881a601cff831dccd1da033a.exe	82
PID 4060 wrote to memory of 2540	4060	33861a560cf03ee0459cde7ad4b5a6fcda7ad7b2881a601cff831dccd1da033a.exe	82

C:\Users\Admin\AppData\Local\Temp\33861a560cf03ee0459cde7ad4b5a6fcda7ad7b2881a601cff831dccd1da033a.exe
"C:\Users\Admin\AppData\Local\Temp\33861a560cf03ee0459cde7ad4b5a6fcda7ad7b2881a601cff831dccd1da033a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
  "C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
  2⤵
  - Executes dropped EXE
  PID:2540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe

Filesize
19KB

MD5
62a7c4f8c97698f6d563101d58edf8e0

SHA1
36dd9b5144b8cca5fdaede973a2b192803f50be2

SHA256
69fa1f537466855750864ae740fb9c10c11adb04f1878ce5f182c1e326ca6a84

SHA512
a22a311a540e07b2c5dc87e28ef81894d8b8de9fc1700525c716b2a34807aa80d2d03f29aedfa71fd4e37da3bbd713d833940daa52aa198d6201b582518f4221

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe

Filesize
19KB

MD5
62a7c4f8c97698f6d563101d58edf8e0

SHA1
36dd9b5144b8cca5fdaede973a2b192803f50be2

SHA256
69fa1f537466855750864ae740fb9c10c11adb04f1878ce5f182c1e326ca6a84

SHA512
a22a311a540e07b2c5dc87e28ef81894d8b8de9fc1700525c716b2a34807aa80d2d03f29aedfa71fd4e37da3bbd713d833940daa52aa198d6201b582518f4221

Download Submit
memory/2540-138-0x0000000002500000-0x0000000002900000-memory.dmp

Filesize
4.0MB

Download
memory/2540-139-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4060-132-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4060-136-0x0000000002740000-0x0000000002B40000-memory.dmp

Filesize
4.0MB

Download
memory/4060-137-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download