5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80

General

Target

5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe
Size

17KB
MD5

1f3a92a87e03e84dee8266ca655ec15c
SHA1

81525b632d6762923141b288e370c94d1cddb3be
SHA256

5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80
SHA512

23881d3003b7919f5604bf31ff2cc3d335371f54db014f64040e25d8b7811780c64eb8342860bc71a512e54e3290a4fb4b0a6b7765bd3302e4b77e3dec535aef
SSDEEP

384:rvj7yr5Ev6WP3nutQ5+cG5OTCOspuqGGFlIbx8AQBkSi60AtLcT5APtBKhKmh:rvKrVc3+QI9pzllaOhtIT5AVBKhK8

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\HBKernel32.sys	5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe

Executes dropped EXE 1 IoCs

pid	Process
1976	System.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2024	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1932	5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe
1932	5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe
1976	System.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HBService32 = "System.exe"	5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HBService32 = "System.exe"	System.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HBCHIBI.dll	5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe
File created	C:\Windows\SysWOW64\System.exe	5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1932	5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1976	System.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1976	1932	5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe	27
PID 1932 wrote to memory of 1976	1932	5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe	27
PID 1932 wrote to memory of 1976	1932	5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe	27
PID 1932 wrote to memory of 1976	1932	5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe	27
PID 1932 wrote to memory of 2024	1932	5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe	28
PID 1932 wrote to memory of 2024	1932	5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe	28
PID 1932 wrote to memory of 2024	1932	5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe	28
PID 1932 wrote to memory of 2024	1932	5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe	28

C:\Users\Admin\AppData\Local\Temp\5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe
"C:\Users\Admin\AppData\Local\Temp\5808c7e62dce46fa071c6db60dc3e18ffe78ca6035ea538e1230c81a112b8e80.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\System.exe
  C:\Windows\system32\System.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SelfDel.bat" "
  2⤵
  - Deletes itself
  PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SelfDel.bat

Filesize
343B

MD5
73cda10ab353a13e49940a8c23c02e78

SHA1
1b0d25156a26bb41ae5c2168da404740c043c498

SHA256
71e3f6f69a2767d7d0ea9d214b7dbf63e7e9743b0970d8a2877309f353d28e58

SHA512
40ae0f27b57a851afd2b2c00ba2d97bfa212ead397dce26249dcbbe77bb75a4db6be6266493069559587c99232f64a8a327d32fa40d99878897d55e3c38e7fea

Download Submit
C:\Windows\SysWOW64\HBCHIBI.dll

Filesize
24KB

MD5
232370520b1f7b2b2eccd7b96941a9a0

SHA1
5d15d98824b4308b28565960d02fff0c403f03f0

SHA256
29cfa237e0676bb37a6e9aa7c8cdfcab650c77e0a8fefed4a2e1a4fead1b96b1

SHA512
6a2d2fadae4efe1931a270e60711b91d8c3c515205361efa2d1c7b58bdcd9b20b829ea71fc2f6f417fdfc461691b0dfac02368669d0cb684b658aef3d448e690

Download Submit
C:\Windows\SysWOW64\System.exe

Filesize
7KB

MD5
aa68220a8bccf31946fa86413e806bba

SHA1
7975dff2e4fbd6f8e7929ebf70c8376877c9cb9d

SHA256
23cbe8714097edeaa65230173cdd8e2dab9f2a853b65e0fdb6d644344d08dc9f

SHA512
2afca3a88a51c892c65fa1c67c6f48be80874bd559eb4d2545cfe59ce1d32305085be42f15a59d292069454be8b02bc5ea7efcb9db0430d529763049c76a5e9f

Download Submit
C:\Windows\SysWOW64\System.exe

Filesize
7KB

MD5
aa68220a8bccf31946fa86413e806bba

SHA1
7975dff2e4fbd6f8e7929ebf70c8376877c9cb9d

SHA256
23cbe8714097edeaa65230173cdd8e2dab9f2a853b65e0fdb6d644344d08dc9f

SHA512
2afca3a88a51c892c65fa1c67c6f48be80874bd559eb4d2545cfe59ce1d32305085be42f15a59d292069454be8b02bc5ea7efcb9db0430d529763049c76a5e9f

Download Submit
\Windows\SysWOW64\HBCHIBI.dll

Filesize
24KB

MD5
232370520b1f7b2b2eccd7b96941a9a0

SHA1
5d15d98824b4308b28565960d02fff0c403f03f0

SHA256
29cfa237e0676bb37a6e9aa7c8cdfcab650c77e0a8fefed4a2e1a4fead1b96b1

SHA512
6a2d2fadae4efe1931a270e60711b91d8c3c515205361efa2d1c7b58bdcd9b20b829ea71fc2f6f417fdfc461691b0dfac02368669d0cb684b658aef3d448e690

Download Submit
\Windows\SysWOW64\System.exe

Filesize
7KB

MD5
aa68220a8bccf31946fa86413e806bba

SHA1
7975dff2e4fbd6f8e7929ebf70c8376877c9cb9d

SHA256
23cbe8714097edeaa65230173cdd8e2dab9f2a853b65e0fdb6d644344d08dc9f

SHA512
2afca3a88a51c892c65fa1c67c6f48be80874bd559eb4d2545cfe59ce1d32305085be42f15a59d292069454be8b02bc5ea7efcb9db0430d529763049c76a5e9f

Download Submit
\Windows\SysWOW64\System.exe

Filesize
7KB

MD5
aa68220a8bccf31946fa86413e806bba

SHA1
7975dff2e4fbd6f8e7929ebf70c8376877c9cb9d

SHA256
23cbe8714097edeaa65230173cdd8e2dab9f2a853b65e0fdb6d644344d08dc9f

SHA512
2afca3a88a51c892c65fa1c67c6f48be80874bd559eb4d2545cfe59ce1d32305085be42f15a59d292069454be8b02bc5ea7efcb9db0430d529763049c76a5e9f

Download Submit
memory/1932-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing