0c0a4953e2c77e9123aba12cda4a0beff9015bd4ffa5f63a68de75a3cbe4cc01

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66662e9a4cec3cb85ef9322a14bde6d1.exe
Size

17KB
MD5

66662e9a4cec3cb85ef9322a14bde6d1
SHA1

5d55fa8ad6e09e91bbbb1fdbaea4801c8084782e
SHA256

0c0a4953e2c77e9123aba12cda4a0beff9015bd4ffa5f63a68de75a3cbe4cc01
SHA512

a923b0ec6b13b809b96df0138dd61128dbc6ac4e688deeb69e3df20188662ca545a89c1d7c14e51f03b5c15ae3b8a2b40477fc6079e783750ab29f991a37af55
SSDEEP

384:rH+eQ8cOBYluuVE+C16AZlS0cBk8C1swCduRXwyi1XINo:rH+eQmYQ6C4KCs2yQINo

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2108	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2276	System.exe

Loads dropped DLL 3 IoCs

pid	Process
2956	66662e9a4cec3cb85ef9322a14bde6d1.exe
2956	66662e9a4cec3cb85ef9322a14bde6d1.exe
2276	System.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HBService32 = "System.exe"	66662e9a4cec3cb85ef9322a14bde6d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HBService32 = "System.exe"	System.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HBDNF.dll	66662e9a4cec3cb85ef9322a14bde6d1.exe
File created	C:\Windows\SysWOW64\System.exe	66662e9a4cec3cb85ef9322a14bde6d1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2956	66662e9a4cec3cb85ef9322a14bde6d1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2276	System.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2276	2956	66662e9a4cec3cb85ef9322a14bde6d1.exe	28
PID 2956 wrote to memory of 2276	2956	66662e9a4cec3cb85ef9322a14bde6d1.exe	28
PID 2956 wrote to memory of 2276	2956	66662e9a4cec3cb85ef9322a14bde6d1.exe	28
PID 2956 wrote to memory of 2276	2956	66662e9a4cec3cb85ef9322a14bde6d1.exe	28
PID 2956 wrote to memory of 2108	2956	66662e9a4cec3cb85ef9322a14bde6d1.exe	29
PID 2956 wrote to memory of 2108	2956	66662e9a4cec3cb85ef9322a14bde6d1.exe	29
PID 2956 wrote to memory of 2108	2956	66662e9a4cec3cb85ef9322a14bde6d1.exe	29
PID 2956 wrote to memory of 2108	2956	66662e9a4cec3cb85ef9322a14bde6d1.exe	29

C:\Users\Admin\AppData\Local\Temp\66662e9a4cec3cb85ef9322a14bde6d1.exe
"C:\Users\Admin\AppData\Local\Temp\66662e9a4cec3cb85ef9322a14bde6d1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\System.exe
  C:\Windows\system32\System.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\SelfDel.bat" "
  2⤵
  - Deletes itself
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SelfDel.bat

Filesize
279B

MD5
c52cef0f6fb415a2967a7d4d1b719bb4

SHA1
3a0243ad1d81a4c584551af8ac51c689ba31db3d

SHA256
c32dd4bca74eb7c6db2ff652b820f9c53a73123a3bedc6b7d16baf9b7b5157eb

SHA512
7259549a335110eef6b7dd5b0b6e3fa787c7d154a053652f984df4d2fb76b2911344e32c518032ca9542d65481eba1c92cbb755d60eaf0066e644a48f3322565

Download Submit
C:\Windows\SysWOW64\HBDNF.dll

Filesize
16KB

MD5
a1804534b844e878c75e55e83dd7f037

SHA1
90f2d215490e5162307d3249fc5a5f0b732dcc51

SHA256
0d4e4d0705f181e759458e236b4baeff82bd7ab580e35e8c4b7e26d546d2fc5e

SHA512
78a3d58f8a3275f345beab8c5cd3f90dfaabdf8f322028868aa6e684807d7ede91da983f702902b35bfefa95532aad799cf497bf918fd9aba832e10623ae656f

Download Submit
\Windows\SysWOW64\System.exe

Filesize
7KB

MD5
d445e19123e5b9719a458f78c7b382a0

SHA1
b73bb14928b81893bdb9a86ff35776f7500359d0

SHA256
94d01e93f05c5599816a16560b1e6207b9830e4d30556c9cf3ec6a11ba826441

SHA512
239f02a2c8b47f904b65abbed74f1dfd7df5b678d8dca9803a5268f612a15796df08f9593932e78794e44b6e53a93768748c4704233eec2f79e3870d8aca5a51

Download Submit