f288818a84f51fd0bb8dd3434d8068770c4c4a409c60f33fb359c4684142f141

Analysis

max time kernel
141s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HC2Setup.exe
Size

705KB
MD5

806dca899df99ac5859263f4b43df4e8
SHA1

f5e3b9b342a97ae94f3ebbf806284a9ffb1624f8
SHA256

f288818a84f51fd0bb8dd3434d8068770c4c4a409c60f33fb359c4684142f141
SHA512

1c39cfd467105a6d79f433b4737a48a41bf01993739b4e12def4bc72b523461f83d586a1e98f3db9ff5887887c50e19822b3359118f8fc7d73d7b31f6cbf1c44
SSDEEP

12288:4r3ZBIRP1jCmQTvnhes0K5slpeeKHnn2H77tmJaat9bNK2L/qWIkA3Yq:UZB29Hg0Kel0eKHn2Hmaa3pKYAoq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	HC2Setup.exe

Executes dropped EXE 1 IoCs

pid	Process
2956	HyCam2.exe

Loads dropped DLL 3 IoCs

pid	Process
2956	HyCam2.exe
2956	HyCam2.exe
2956	HyCam2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2956	HyCam2.exe
2956	HyCam2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2956	432	HC2Setup.exe	88
PID 432 wrote to memory of 2956	432	HC2Setup.exe	88
PID 432 wrote to memory of 2956	432	HC2Setup.exe	88

C:\Users\Admin\AppData\Local\Temp\HC2Setup.exe
"C:\Users\Admin\AppData\Local\Temp\HC2Setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\HyCam2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\HyCam2.exe" -install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\CamRes2.dll

Filesize
100KB

MD5
e39b90fda19b69f4a9e49556ded2b644

SHA1
8c74633c92b86a15583660a98bb21be1a82c58dd

SHA256
7e5dfab67aa732582ccaa4bd3192638575a7e9400ba36cae10370fabcac4bd8f

SHA512
6a9bcdb2ff2df4a1e6e348475bc4d466b85b214504220c4c33f0bf2fd45da8c58dc7a1fa816739e7e4a8aa22636887c5918b3f0ea8563598e165f7d77cb2b620

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HomePage.url

Filesize
82B

MD5
92b609d63452d6f46670ddb55f4cabf6

SHA1
f8924ca1578173795b5de4041c99fe69a1013552

SHA256
ae90f5cc0ca1194e999d1b7faf382cad743633876afd5cd0585896e17ec32310

SHA512
40102772b4133b41e339fc0dde66577c048f55f38d56770dd8ddc25f846053e55d6372bc9e6432edaa202927a16df62fcdf342529bb815c2923706ceadb0ac66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HyCam2.exe

Filesize
953KB

MD5
c9de7e9a3acd2897c3fd0b9c25e5faba

SHA1
c4ab1b882a3b141bf951883acd86b8ffc833cfcf

SHA256
f1a3eb73a42b3b47540587e538a7ce83783bade6b66872e63b50e6982782d8bb

SHA512
473e3aa89d4128492c5ace9e6dcfdca94aca3d1c02718574aec3579a8ebae43a816519aae047796fcab8c0d6428d30aba414f5773b5441be162cd3fb738a583e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MClick2.dll

Filesize
56KB

MD5
239ddea320d4d8e085ea32fd29421c07

SHA1
1f5203ec5801cfdfb291e43811ca3f4eccc19396

SHA256
a79144ae8318c11dd2c01771e4b362c7c9b75cf5dc6e80b201fe7ff73571f8b9

SHA512
29775ad72bba7a9a54c76bfc425aab5f3d2b8a354e12203b607f293c0165a7e5ba0c6d12008ae895d15ec62e5471fcd0a6a12eb3ddf8072ee04da9e571ad22cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\agreement.txt

Filesize
3KB

MD5
3a696e0ead7c02db271b77e2d93f41df

SHA1
9bd7244bc4380613aaa4b348901ddeb47ebd1ec3

SHA256
6ca4aa606732782a11e61a2ad62cb5250629b8cab96c14b964d7725a6c8ec5be

SHA512
0a764db8e05d5cc8de955de5e6b34dded4b408638f22a836e2a486effae960bb5f3e2de469d7024076d83d76eff185939cbe4305c55997934e937882b4a7ee03

Download Submit
memory/432-68-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2956-65-0x0000000002350000-0x000000000236A000-memory.dmp

Filesize
104KB

Download