fea65dd4a03abde027b70a55e0e20ebb9c90caa45099ad3b8590e92f73dbd3d6

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2023 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hkcmd.exe
Size

328KB
MD5

ed61febcba66f166082b96a553f2cb33
SHA1

2537483fa23a2d8ec472f3e81ea2de323856d0fb
SHA256

fea65dd4a03abde027b70a55e0e20ebb9c90caa45099ad3b8590e92f73dbd3d6
SHA512

bbc641322f1af38f9f7071bd2beb19a838e40a9915cc52106c78137a6b1dec60f0035050fdfbda60f17a32f38a2e6e5a81925d38e214b60d8f5da6bcf0630b08
SSDEEP

6144:sBefKbrrroNGI1tFA83et3JLa/Ia7H+UQqsHHkrPAimUL:BarrroNZx7kZxkXxsHErPAim+

Score

7^/10

discovery

Malware Config

Signatures

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	hkcmd.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	hkcmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	hkcmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2456	hkcmd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3916	hkcmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2456	hkcmd.exe
3916	hkcmd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2456 set thread context of 3916	2456	hkcmd.exe	88
PID 3916 set thread context of 2456	3916	hkcmd.exe	80

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Biskoppers.Una	hkcmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe
3916	hkcmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2456	hkcmd.exe
3916	hkcmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3916	hkcmd.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 3916	2456	hkcmd.exe	88
PID 2456 wrote to memory of 3916	2456	hkcmd.exe	88
PID 2456 wrote to memory of 3916	2456	hkcmd.exe	88
PID 2456 wrote to memory of 3916	2456	hkcmd.exe	88
PID 2456 wrote to memory of 3928	2456	hkcmd.exe	89
PID 2456 wrote to memory of 3928	2456	hkcmd.exe	89
PID 2456 wrote to memory of 3928	2456	hkcmd.exe	89

C:\Users\Admin\AppData\Local\Temp\hkcmd.exe
"C:\Users\Admin\AppData\Local\Temp\hkcmd.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\hkcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\hkcmd.exe"
  2⤵
  - Checks QEMU agent file
  - Checks computer location settings
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  PID:3928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsh672C.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/2456-145-0x0000000007890000-0x0000000007994000-memory.dmp

Filesize
1.0MB

Download
memory/2456-147-0x0000000007890000-0x0000000007994000-memory.dmp

Filesize
1.0MB

Download
memory/3916-141-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3916-142-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/3916-143-0x0000000001660000-0x0000000005ABC000-memory.dmp

Filesize
68.4MB

Download
memory/3916-144-0x0000000035F00000-0x000000003624A000-memory.dmp

Filesize
3.3MB

Download
memory/3916-146-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download