edc2569ca00fba2e64ff7727b64b3cdf7182f9a37226f190aeb57a755f225ede

Resubmissions

19-04-2024 22:03

240419-1yfp3she5x 10

19-04-2024 18:14

240419-wvbvhabf45 7

Analysis

max time kernel
8s
max time network
12s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hacn.exe
Size

12.3MB
MD5

0b6cd2cf55fadd40218d09b5617022f3
SHA1

f33ce545bf7d07c84755cea6151b44ca17889a70
SHA256

edc2569ca00fba2e64ff7727b64b3cdf7182f9a37226f190aeb57a755f225ede
SHA512

d45ee80d7d17c62257a117de22b647317a728ac716d3193af539944e985055735ce5a6444f08f49a15a0dd397d1557e830129b810b703dc508d3a7ed9a7e6d96
SSDEEP

196608:ehHHDfyGowBdnpkYRMZuYcISpZUUvExfiYvq7IsBfW023p0R6iM9j:2DfDoc64YcIyZU0E9dufW0ayRI9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s.exemain.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	s.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	main.exe

Executes dropped EXE 4 IoCs

Processes:

s.exemain.exesetup.exeUpdate.exe

pid process

5000 s.exe
2556 main.exe
1336 setup.exe
1612 Update.exe
Loads dropped DLL 4 IoCs

Processes:

hacn.exemain.exeUpdate.exe

pid process

4308 hacn.exe
4308 hacn.exe
2556 main.exe
1612 Update.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

31 raw.githubusercontent.com
32 raw.githubusercontent.com
40 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4108 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3548 tasklist.exe

pid	process
5000	s.exe
2556	main.exe
1336	setup.exe
1612	Update.exe

pid	process
4308	hacn.exe
4308	hacn.exe
2556	main.exe
1612	Update.exe

flow	ioc
31	raw.githubusercontent.com
32	raw.githubusercontent.com
40	raw.githubusercontent.com

flow	ioc
23	ip-api.com

pid	process
4108	timeout.exe

pid	process
3548	tasklist.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

main.exeUpdate.exe

pid	process
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
2556	main.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe
1612	Update.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

main.exetasklist.exeUpdate.exe

description pid process

Token: SeDebugPrivilege 2556 main.exe
Token: SeDebugPrivilege 3548 tasklist.exe
Token: SeDebugPrivilege 1612 Update.exe

description	pid	process
Token: SeDebugPrivilege	2556	main.exe
Token: SeDebugPrivilege	3548	tasklist.exe
Token: SeDebugPrivilege	1612	Update.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

hacn.exehacn.execmd.exes.exemain.execmd.exe

description	pid	process	target process
PID 3172 wrote to memory of 4308	3172	hacn.exe	hacn.exe
PID 3172 wrote to memory of 4308	3172	hacn.exe	hacn.exe
PID 4308 wrote to memory of 724	4308	hacn.exe	cmd.exe
PID 4308 wrote to memory of 724	4308	hacn.exe	cmd.exe
PID 724 wrote to memory of 5000	724	cmd.exe	s.exe
PID 724 wrote to memory of 5000	724	cmd.exe	s.exe
PID 724 wrote to memory of 5000	724	cmd.exe	s.exe
PID 5000 wrote to memory of 2556	5000	s.exe	main.exe
PID 5000 wrote to memory of 2556	5000	s.exe	main.exe
PID 5000 wrote to memory of 1336	5000	s.exe	setup.exe
PID 5000 wrote to memory of 1336	5000	s.exe	setup.exe
PID 2556 wrote to memory of 2948	2556	main.exe	cmd.exe
PID 2556 wrote to memory of 2948	2556	main.exe	cmd.exe
PID 2948 wrote to memory of 3548	2948	cmd.exe	tasklist.exe
PID 2948 wrote to memory of 3548	2948	cmd.exe	tasklist.exe
PID 2948 wrote to memory of 4316	2948	cmd.exe	find.exe
PID 2948 wrote to memory of 4316	2948	cmd.exe	find.exe
PID 2948 wrote to memory of 4108	2948	cmd.exe	timeout.exe
PID 2948 wrote to memory of 4108	2948	cmd.exe	timeout.exe
PID 2948 wrote to memory of 1612	2948	cmd.exe	Update.exe
PID 2948 wrote to memory of 1612	2948	cmd.exe	Update.exe

C:\Users\Admin\AppData\Local\Temp\hacn.exe
"C:\Users\Admin\AppData\Local\Temp\hacn.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\hacn.exe
  "C:\Users\Admin\AppData\Local\Temp\hacn.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI31722\s.exe -pbeznogym
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:724
  - - C:\Users\Admin\AppData\Local\Temp\_MEI31722\s.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI31722\s.exe -pbeznogym
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\ProgramData\main.exe
        
        "C:\ProgramData\main.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp4AC4.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp4AC4.tmp.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2556"
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
        
        C:\Windows\system32\find.exe
        
        find ":"
        7⤵
        
        PID:4316
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:4108
        
        C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\ProgramData\setup.exe
        
        "C:\ProgramData\setup.exe"
        5⤵
        Executes dropped EXE
        
        PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\main.exe

Filesize
5.6MB

MD5
5df3e2c717f267899f37ec6e8fc7f47a

SHA1
5e980079f67215bf69b8c1c16b56f40bf4a29958

SHA256
e3f5c557ece7ec27cb7e4a26482eadf0d9065065d94b2919f9b881bc74800e6e

SHA512
8cef1184120e010421d69fcf271822b3f0b45e34a1565152a3f2decb8f500d0e69de9816d9075683fcfb0f431713f3fbc42ac2d87503cdcdde125aba3fa1635d

Download Submit
C:\ProgramData\setup.exe

Filesize
5.4MB

MD5
1274cbcd6329098f79a3be6d76ab8b97

SHA1
53c870d62dcd6154052445dc03888cdc6cffd370

SHA256
bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278

SHA512
a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\_bz2.pyd

Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\_decimal.pyd

Filesize
248KB

MD5
20c77203ddf9ff2ff96d6d11dea2edcf

SHA1
0d660b8d1161e72c993c6e2ab0292a409f6379a5

SHA256
9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

SHA512
2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\_lzma.pyd

Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\base_library.zip

Filesize
859KB

MD5
483d9675ef53a13327e7dfc7d09f23fe

SHA1
2378f1db6292cd8dc4ad95763a42ad49aeb11337

SHA256
70c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e

SHA512
f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\s.exe

Filesize
7.3MB

MD5
69844fa00a57dfbedf6ad10016734a5a

SHA1
1e3d266530daf49ee01a9026ab518b11af8ef1ae

SHA256
067d544437c847ada035f5cadbe8b75554aaa7dad6cbfdfbfa83a302b63a647e

SHA512
fde734bb418552fcc8e318fa5ff4156d233fb43bfd2997c2f1eb9b9f4f109a3824f992dbff107765f4eec780008884de26b04e8e02a08dad337ace9aa230fc81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31722\unicodedata.pyd

Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4AC4.tmp.bat

Filesize
256B

MD5
1e81286680725fc54db92991a77e7820

SHA1
3df92437eb2b436e697ef338243bd523ff7e28d5

SHA256
e5ebccb197c11df121cf3e9ee056c9b0078c2a912686c721550a045f2e6e1789

SHA512
0b622d72269ab46d0d4671af973ecfc4a824ead62d33a072b4801d92f7f425203a253dd7fb0f7cc1326ac891bf4cee2006aa50f85fc51ff420caddff3fd5ab78

Download Submit
memory/1612-68-0x00000288D2D40000-0x00000288D2D50000-memory.dmp

Filesize
64KB

Download
memory/1612-65-0x00007FF9725E0000-0x00007FF9730A1000-memory.dmp

Filesize
10.8MB

Download
memory/2556-46-0x00000185DE730000-0x00000185DECD0000-memory.dmp

Filesize
5.6MB

Download
memory/2556-56-0x00000185DF100000-0x00000185DF11E000-memory.dmp

Filesize
120KB

Download
memory/2556-60-0x00007FF9725E0000-0x00007FF9730A1000-memory.dmp

Filesize
10.8MB

Download
memory/2556-55-0x00000185E0BC0000-0x00000185E0BD0000-memory.dmp

Filesize
64KB

Download
memory/2556-54-0x00000185E0A90000-0x00000185E0B06000-memory.dmp

Filesize
472KB

Download
memory/2556-49-0x00007FF9725E0000-0x00007FF9730A1000-memory.dmp

Filesize
10.8MB

Download