fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe
Size

284KB
MD5

1c083559ae757b8bc7e1b71d628080f7
SHA1

5a43db9d579c7684788472bc1282474c9386d2e6
SHA256

fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008
SHA512

a78136baeadf4eba2fdefb8b3471c5896bd1275bf9f32f378f585d3ff8d64e6a0eed5fd20f7e76e39233dbcbdf02494672822ee15b3fc0442843f2e45f84ce53
SSDEEP

6144:2ZibQcmlVD+BgotLvTtehd1wLIE92FJ1wZycpaiTV:20q+BgotLvTtehd1wd92FJ1yV

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe

Executes dropped EXE 1 IoCs

pid	Process
3340	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 3340	3856	fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe	98
PID 3856 wrote to memory of 3340	3856	fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe	98
PID 3856 wrote to memory of 3340	3856	fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe	98
PID 3856 wrote to memory of 180	3856	fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe	99
PID 3856 wrote to memory of 180	3856	fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe	99
PID 3856 wrote to memory of 180	3856	fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe	99

C:\Users\Admin\AppData\Local\Temp\fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe
"C:\Users\Admin\AppData\Local\Temp\fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4116 --field-trial-handle=3112,i,1786399861560734457,5606877702857066305,262144 --variations-seed-version /prefetch:8
1⤵
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a2de452e45db47c817b5ada178bd2e83

SHA1
44b16b5c0e400a2af95299d0c08a6a4fda14bc4c

SHA256
516ba3f510ebfd821b47f63ac2c47faa15d5f2ba8732c79c0265fa8aa3ad8fd4

SHA512
8799d95d502764a4266c37c1c5fbb24fb9ab94983310962deafd5e246c5900993dffb2c2b06ab6709cc4141aab3346a9cf65b2a62744dbf11c7d381af654be85

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
284KB

MD5
ed3e9b1f154535410c10a6aabcede8c2

SHA1
b6316ea04b7eba1ad4484b4bba1bb10d3b6d9c3b

SHA256
59868be5c9b769021924d37a0c31d51643463bdf90d6d7d2de6f6e39604a700d

SHA512
efdbeb8be15a95d71db7ffa281b9f4785082fbb8ef3cc1e67990c5fc99e9e02b2fe5ca01eb32cbcb161a1f8ac1b9a1c81affd1157157da79ac5bc3fbacaf12bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
7f000adfb7d130c1d0b7fffe89f8d915

SHA1
4ce2cd609f53d8dbc33df1fd6f99ad64d90438f4

SHA256
93d55e40be36c82c6c2ee541c5f2c7f9b1c7cfed9cce8e608845799d4ba1bc5d

SHA512
5a6fe4b8184069df2dc409a3068301ce5024935f7ae91cafffae8901254af463dd2f92536f3871c9ebb314bf2903004ab02089bc084fe16a19734e7c6a2a222a

Download Submit