b48e9691e40d7eaa4617b556a90148fd9fd603fe50657e83fdf89f33a20430d4

Analysis

max time kernel
153s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b48e9691e40d7eaa4617b556a90148fd9fd603fe50657e83fdf89f33a20430d4.exe
Size

33KB
MD5

955384cc707a24848c2850b60a5aa1c9
SHA1

39d10a1b30e5526194ca1ef5b9ae40a8f57508d8
SHA256

b48e9691e40d7eaa4617b556a90148fd9fd603fe50657e83fdf89f33a20430d4
SHA512

7602d32dd2c3ee7306c061fc049e1f1ae5cbdfc798ca07547714b6523d02b4992fd197d00333cf1db7e7ec654e9f20fb924b9194e0dc94ae4b6e545928fbade1
SSDEEP

768:U5ZFhzgxucryOmJQqO3VhDWiNlW+O96QhlqNU9jeT:U57mucrFmJQqO3VhDWiC+i6QnjeT

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	b48e9691e40d7eaa4617b556a90148fd9fd603fe50657e83fdf89f33a20430d4.exe

Executes dropped EXE 1 IoCs

pid	Process
928	hhcbrnaff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 928	320	b48e9691e40d7eaa4617b556a90148fd9fd603fe50657e83fdf89f33a20430d4.exe	88
PID 320 wrote to memory of 928	320	b48e9691e40d7eaa4617b556a90148fd9fd603fe50657e83fdf89f33a20430d4.exe	88
PID 320 wrote to memory of 928	320	b48e9691e40d7eaa4617b556a90148fd9fd603fe50657e83fdf89f33a20430d4.exe	88

C:\Users\Admin\AppData\Local\Temp\b48e9691e40d7eaa4617b556a90148fd9fd603fe50657e83fdf89f33a20430d4.exe
"C:\Users\Admin\AppData\Local\Temp\b48e9691e40d7eaa4617b556a90148fd9fd603fe50657e83fdf89f33a20430d4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:320
- C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
  "C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
  2⤵
  - Executes dropped EXE
  PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe

Filesize
33KB

MD5
57169b26c8b344aa9160f578ebcff605

SHA1
95578817098544c692c2ca0362db70b11e4c2775

SHA256
a94fa33ed807742c0514c9bcbdf61fa9e9146c84bb417f09fde5cc22d8e8e998

SHA512
3ce7c106fb404d6038b992f019ed9badced565402509a9e06d5878bde97d275571d940c08a63879c174c60bb87207be5f89516b42d050fa136d65c80980e5ec8

Download Submit
memory/320-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/320-2-0x0000000000A70000-0x0000000000A76000-memory.dmp

Filesize
24KB

Download
memory/320-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/928-11-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download