7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07

Analysis

max time kernel
105s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2023 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe
Size

4.4MB
MD5

b9182a18d285439d5a8f54e43acf7ed0
SHA1

6bdb5cb62375d0defb52426fd55f1e73ade3a9a9
SHA256

7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07
SHA512

7f0007306704cddff6070d90b44fd737a458b2169a9e5cba5cce25c1d63de51973b063600fe482b9c51470d9856a82d88b4a7ad9869499fa27169c83b5e1463f
SSDEEP

98304:AyXPoKTkGvDygM1dqd4gCNMTcrSahyeCKWkxla:Pzv2P1gx8tc50xk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe

Executes dropped EXE 2 IoCs

pid	Process
2352	HMCL-3.5.3.exe
3920	Windows_Updata.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\symbols\dll\jvm.pdb	javaw.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\HMCL-3.5.3.exe	7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe
File created	C:\Windows\hs_err_pid4108.log	javaw.exe
File opened for modification	C:\Windows\jvm.pdb	javaw.exe
File opened for modification	C:\Windows\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Windows\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Windows\ntdll.pdb	javaw.exe
File opened for modification	C:\Windows\dll\ntdll.pdb	javaw.exe
File created	C:\Windows\HMCL-3.5.3.exe	7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe
File created	C:\Windows\Windows_Updata.exe	7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe
File opened for modification	C:\Windows\Windows_Updata.exe	7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe
File opened for modification	C:\Windows\symbols\dll\ntdll.pdb	javaw.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240579984	7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe
3920	Windows_Updata.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3920	Windows_Updata.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4108	javaw.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 2352	5096	7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe	83
PID 5096 wrote to memory of 2352	5096	7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe	83
PID 5096 wrote to memory of 2352	5096	7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe	83
PID 5096 wrote to memory of 3920	5096	7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe	85
PID 5096 wrote to memory of 3920	5096	7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe	85
PID 2352 wrote to memory of 4108	2352	HMCL-3.5.3.exe	87
PID 2352 wrote to memory of 4108	2352	HMCL-3.5.3.exe	87
PID 4108 wrote to memory of 220	4108	javaw.exe	88
PID 4108 wrote to memory of 220	4108	javaw.exe	88

C:\Users\Admin\AppData\Local\Temp\7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe
"C:\Users\Admin\AppData\Local\Temp\7dd1b9c77b656ecbff01099deec50c1c65a19168fa1314869fca22f3193f6d07.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\HMCL-3.5.3.exe
  "C:\Windows\HMCL-3.5.3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe" -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=15 -jar "HMCL-3.5.3.exe"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd ver
      4⤵
      PID:220
- C:\Windows\Windows_Updata.exe
  "C:\Windows\Windows_Updata.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\HMCL-3.5.3.exe

Filesize
4.4MB

MD5
a29167e249e8c1113a92bc033335b998

SHA1
71d097d12491a6e0c9e3b3bffaf98065ab322631

SHA256
bd7c8ea1eea5054a5a5c9c29c4a001c1b8f33036fccbed309801dd6f9e59234c

SHA512
f7aea383587840d34cc3eacbb87a33afb40e76f768c170407c4ea3694451f83d1778fa66647a50ef9a656e098443e1acae192eb66287a426ebe9743ee97d1738

Download Submit
C:\Windows\HMCL-3.5.3.exe

Filesize
4.4MB

MD5
a29167e249e8c1113a92bc033335b998

SHA1
71d097d12491a6e0c9e3b3bffaf98065ab322631

SHA256
bd7c8ea1eea5054a5a5c9c29c4a001c1b8f33036fccbed309801dd6f9e59234c

SHA512
f7aea383587840d34cc3eacbb87a33afb40e76f768c170407c4ea3694451f83d1778fa66647a50ef9a656e098443e1acae192eb66287a426ebe9743ee97d1738

Download Submit
C:\Windows\Windows_Updata.exe

Filesize
152KB

MD5
739f33737de20fb9037ea304b0953249

SHA1
eb91946ff053272c4437b7d01cd2bf26f8954e10

SHA256
e22c92f125e5575b186ee09a98809b3addc86c5a827a81511170f87dc7244875

SHA512
41146a7ac8f17d839c291eff991cb0d552d54cc6487a65d4122d546e1a608f2db0a3ee83295923e47dbfdc2aa5e11fe6a7244f0f720cf7449372eec217348996

Download Submit
C:\Windows\Windows_Updata.exe

Filesize
152KB

MD5
739f33737de20fb9037ea304b0953249

SHA1
eb91946ff053272c4437b7d01cd2bf26f8954e10

SHA256
e22c92f125e5575b186ee09a98809b3addc86c5a827a81511170f87dc7244875

SHA512
41146a7ac8f17d839c291eff991cb0d552d54cc6487a65d4122d546e1a608f2db0a3ee83295923e47dbfdc2aa5e11fe6a7244f0f720cf7449372eec217348996

Download Submit
memory/220-151-0x0000000000000000-mapping.dmp

Download
memory/2352-132-0x0000000000000000-mapping.dmp

Download
memory/3920-135-0x0000000000000000-mapping.dmp

Download
memory/3920-139-0x0000000000190000-0x00000000001A9000-memory.dmp

Filesize
100KB

Download
memory/3920-141-0x00007FFB6CE50000-0x00007FFB6D911000-memory.dmp

Filesize
10.8MB

Download
memory/4108-164-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

Filesize
16.0MB

Download
memory/4108-150-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

Filesize
16.0MB

Download
memory/4108-138-0x0000000000000000-mapping.dmp

Download
memory/4108-171-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

Filesize
16.0MB

Download
memory/4108-172-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

Filesize
16.0MB

Download
memory/4108-173-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

Filesize
16.0MB

Download
memory/4108-174-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

Filesize
16.0MB

Download
memory/4108-175-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

Filesize
16.0MB

Download
memory/4108-176-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

Filesize
16.0MB

Download
memory/4108-177-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

Filesize
16.0MB

Download
memory/4108-178-0x0000000002AF0000-0x0000000003AF0000-memory.dmp

Filesize
16.0MB

Download