9d6fa0924b1af1e34d01ecf998135140d96ea73bcf1fe28941f66e1ba3f7d9bf

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
06-11-2023 22:09

Target

han.exe
Size

2.3MB
MD5

d28dc0c7e546e8f0e4ac5b9106d72fda
SHA1

1d6720b2e4bfe813adfbe2b45e9554e3b4b08542
SHA256

9d6fa0924b1af1e34d01ecf998135140d96ea73bcf1fe28941f66e1ba3f7d9bf
SHA512

e279c197f83cf0bbcedead49f7efa7d8176187740b6f145f1058c714ab2fb7c250aee01b8f8dd625bcd1d7b5d50dd5c5c9e82409a1d06885d026f014b9c9ba7e
SSDEEP

49152:nkWk5cS7a+9XYaQ6Zehc4mTYJ78V9gyBn4czPfmP/SA8N:fajJhZ942KQV9hp44PfmP/SA8

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

han.exe

pid process

2124 han.exe
2124 han.exe
2124 han.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

han.exe

description	pid	process	target process
PID 2124 wrote to memory of 2824	2124	han.exe	cmd.exe
PID 2124 wrote to memory of 2824	2124	han.exe	cmd.exe
PID 2124 wrote to memory of 2824	2124	han.exe	cmd.exe
PID 2124 wrote to memory of 2824	2124	han.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\han.exe
"C:\Users\Admin\AppData\Local\Temp\han.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:2824

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact