8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb

General

Target

8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe
Size

1.2MB
MD5

8d2990e5fd3edb24b5be11369f221555
SHA1

0bc288fa0c9d57f8883fe091414e4609bf845252
SHA256

8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb
SHA512

63e9785900eb53b4371bbf867f3b6b70e1f78ca0ac8d890c159f8fb358792dbc750e9c3c1c8aad43113030b90937ba380304175a7cf5eee18b12a99352fafcd3
SSDEEP

24576:lNhi7zCgorBhkpi1YfSv3Gp64RFx27Slv+0Nqh+ak0AWxcvW:0XMKiz2pyWlviFwM

Score

8^/10

evasion themida

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Hbpk.exe

pid process

888 Hbpk.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Hbpk.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine Hbpk.exe
Loads dropped DLL 1 IoCs

Processes:

8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe

pid process

1064 8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe

pid	process
888	Hbpk.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine	Hbpk.exe

pid	process
1064	8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/888-674-0x0000000000400000-0x00000000005EA000-memory.dmp	themida
behavioral1/memory/888-676-0x0000000000400000-0x00000000005EA000-memory.dmp	themida
behavioral1/memory/888-679-0x0000000000400000-0x00000000005EA000-memory.dmp	themida
behavioral1/memory/888-680-0x0000000000400000-0x00000000005EA000-memory.dmp	themida

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

Hbpk.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IEPK = cd9c8263000000000300000000000000	Hbpk.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exeHbpk.exe

description	pid	process
Token: 33	1064	8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe
Token: SeIncBasePriorityPrivilege	1064	8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe
Token: 33	1064	8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe
Token: SeIncBasePriorityPrivilege	1064	8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe
Token: 33	1064	8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe
Token: SeIncBasePriorityPrivilege	1064	8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe
Token: 33	1064	8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe
Token: SeIncBasePriorityPrivilege	1064	8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe
Token: 33	888	Hbpk.exe
Token: SeIncBasePriorityPrivilege	888	Hbpk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Hbpk.exe

pid process

888 Hbpk.exe
888 Hbpk.exe

pid	process
888	Hbpk.exe
888	Hbpk.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe

description	pid	process	target process
PID 1064 wrote to memory of 888	1064	8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe	Hbpk.exe
PID 1064 wrote to memory of 888	1064	8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe	Hbpk.exe
PID 1064 wrote to memory of 888	1064	8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe	Hbpk.exe
PID 1064 wrote to memory of 888	1064	8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe	Hbpk.exe

C:\Users\Admin\AppData\Local\Temp\8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe
"C:\Users\Admin\AppData\Local\Temp\8cfc488f5183825a7f57118704d5abfd5a58a3051353ca7d93a9c50a8b38c0eb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\scnner tools\2.1.11.06\2555.08.02T08.36\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Hbpk.exe
"C:\Users\Admin\AppData\Local\Temp\Hbpk.exe"
2⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:888

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\scnner tools\2.1.11.06\2555.08.02T08.36\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Hbpk.exe
Filesize
17KB

MD5
c9a3eb86426504f454c6f32fc7ed8e9d

SHA1
0264f6b9422b788e10f5562c3d3f190447103816

SHA256
86efc27149a0a43db007359ccaf00d5305989077419b0330c8a118631abffbe3

SHA512
93eeb3c981da373491e91f3ea3e246b978f9a91117e48649a9780e745e37428c6e28e3c980fd107bdb953e95fd4aec4882be9376e770c6cd3b25a0cc449176d3

Download Submit
\Users\Admin\AppData\Local\Xenocode\Sandbox\scnner tools\2.1.11.06\2555.08.02T08.36\Virtual\STUBEXE\@APPDATALOCAL@\Temp\Hbpk.exe
Filesize
17KB

MD5
c9a3eb86426504f454c6f32fc7ed8e9d

SHA1
0264f6b9422b788e10f5562c3d3f190447103816

SHA256
86efc27149a0a43db007359ccaf00d5305989077419b0330c8a118631abffbe3

SHA512
93eeb3c981da373491e91f3ea3e246b978f9a91117e48649a9780e745e37428c6e28e3c980fd107bdb953e95fd4aec4882be9376e770c6cd3b25a0cc449176d3

Download Submit
memory/888-680-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/888-679-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/888-678-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/888-676-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/888-674-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/888-535-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/888-537-0x00000000003AB000-0x00000000003AD000-memory.dmp

Filesize
8KB

Download
memory/888-365-0x0000000000000000-mapping.dmp

Download
memory/1064-97-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-109-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-77-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-79-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-81-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-83-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-85-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-87-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-89-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-91-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-95-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-93-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-54-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-99-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-101-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-103-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-107-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-75-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-111-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-115-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-117-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-113-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-105-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-121-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-363-0x00000000003BB000-0x00000000003BD000-memory.dmp

Filesize
8KB

Download
memory/1064-73-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-71-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-69-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-67-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-65-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-63-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-61-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-677-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-59-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-57-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/1064-55-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads