Analysis
max time kernel: 106s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 06/12/2022, 19:09
Static task: static1
Behavioral task: behavioral1
  Sample: b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe
  Resource: win10v2004-20220812-en
General
Target: b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe
Size: 778KB
MD5: 62c8830d74964a8e0596da6c628e5afc
SHA1: 264dac13bfd83a02b5c0856dda6403f882a63ef2
SHA256: b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad
SHA512: a3c134e3b7b476b91463efedf5570bb050d528fd64f54f0bf98fa3b68bdce880c962a7d5dd8d2084f0802eb385a70f586e5d89d127c937a5bbf5cd98817dca79
SSDEEP: 12288:cu+6uRIB6yfR+1rIKAKXPWXQGhg11DxgXA8ZMG9h/MgSbvfVlW81utPp:c76rEyJYrIQFGhgXl8CG9h/M5T9l9uth
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x0006000000022e0d-132.dat | acprotect
behavioral2/files/0x0006000000022e0d-142.dat | acprotect
behavioral2/files/0x0006000000022e0d-143.dat | acprotect
Executes dropped EXE 1 IoCs
pid | Process
4964 | Honhcservice.exe
resource | yara_rule
behavioral2/files/0x0006000000022e0d-132.dat | upx
behavioral2/memory/5048-137-0x0000000010000000-0x000000001012A000-memory.dmp | upx
behavioral2/files/0x0006000000022e0d-142.dat | upx
behavioral2/files/0x0006000000022e0d-143.dat | upx
behavioral2/memory/4964-149-0x0000000010000000-0x000000001012A000-memory.dmp | upx
behavioral2/memory/5048-151-0x0000000010000000-0x000000001012A000-memory.dmp | upx
behavioral2/memory/4964-153-0x0000000010000000-0x000000001012A000-memory.dmp | upx
behavioral2/memory/4964-154-0x0000000010000000-0x000000001012A000-memory.dmp | upx
Loads dropped DLL 6 IoCs
pid | Process
5048 | b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe
5048 | b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe
5048 | b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe
4964 | Honhcservice.exe
4964 | Honhcservice.exe
4964 | Honhcservice.exe
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Honhcservice.exe | b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe
File created | C:\Windows\SysWOW64\Honhcservice.dll | Honhcservice.exe
File opened for modification | C:\Windows\SysWOW64\Honhcservice.dll | Honhcservice.exe
File created | C:\Windows\SysWOW64\Honhcservice.exe | b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Fonts\63b57ca224cef4f987fc987475f15507.dat | Honhcservice.exe
File created | C:\Windows\Fonts\63b57ca224cef4f987fc987475f15507.dat | Honhcservice.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "NO" | Honhcservice.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "124458700" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B5B9442A-8127-11E4-B697-C264E7FE3618} = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
5048 | b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe
5048 | b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe
4964 | Honhcservice.exe
4964 | Honhcservice.exe
4964 | Honhcservice.exe
4964 | Honhcservice.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeSystemtimePrivilege | 4964 | Honhcservice.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4712 | IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process
5048 | b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe
4964 | Honhcservice.exe
4712 | IEXPLORE.EXE
4712 | IEXPLORE.EXE
1580 | IEXPLORE.EXE
1580 | IEXPLORE.EXE
1580 | IEXPLORE.EXE
1580 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 5048 wrote to memory of 4964 | 5048 | b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe | 81
PID 5048 wrote to memory of 4964 | 5048 | b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe | 81
PID 5048 wrote to memory of 4964 | 5048 | b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe | 81
PID 5048 wrote to memory of 4808 | 5048 | b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe | 82
PID 5048 wrote to memory of 4808 | 5048 | b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe | 82
PID 5048 wrote to memory of 4808 | 5048 | b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe | 82
PID 4964 wrote to memory of 4712 | 4964 | Honhcservice.exe | 84
PID 4964 wrote to memory of 4712 | 4964 | Honhcservice.exe | 84
PID 4712 wrote to memory of 1580 | 4712 | IEXPLORE.EXE | 85
PID 4712 wrote to memory of 1580 | 4712 | IEXPLORE.EXE | 85
PID 4712 wrote to memory of 1580 | 4712 | IEXPLORE.EXE | 85
PID 4964 wrote to memory of 4712 | 4964 | Honhcservice.exe | 84
Processes
[1] C:\Users\Admin\AppData\Local\Temp\b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b7cbe70c6843536da3eba3090d1f6593c511d640f289546c439fe616b7395bad.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5048
    [2] C:\Windows\SysWOW64\Honhcservice.exe
        Command line: C:\Windows\system32\Honhcservice.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:4964
        [3] C:\Program Files\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID:4712
            [4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4712 CREDAT:17410 /prefetch:2
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx
                PID:1580
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c c:\del_b.bat
        PID:4808
Network
MITRE ATT&CK Enterprise v6
Downloads