b6d50f936f75a0ee5fbecfc6e5794aa9d1a912baaaf400f169e46580dabe47fa

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 01:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b6d50f936f75a0ee5fbecfc6e5794aa9d1a912baaaf400f169e46580dabe47fa.exe
Size

14KB
MD5

556ce9aab5f855e56a473c50ec4bf7fa
SHA1

2ee3f7d4c959e0eb5b07ed18534f6dd2efb6c367
SHA256

b6d50f936f75a0ee5fbecfc6e5794aa9d1a912baaaf400f169e46580dabe47fa
SHA512

8a83d5ee14842bc723ef73b616c2782e776d68827e23a1d56b6f3e395ad1b6a105e625c349bfb1df53a82b0034c4f2a27557b30237d985fddc37a6c40708b45f
SSDEEP

192:mBPYt5JQWRRsdP5VoAnG/W0E5nVP0R+l6CenX49+aRjn:mBoJQWRRs95VlYle0ITOXil

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2284	henis.exe

Loads dropped DLL 2 IoCs

pid	Process
2268	b6d50f936f75a0ee5fbecfc6e5794aa9d1a912baaaf400f169e46580dabe47fa.exe
2268	b6d50f936f75a0ee5fbecfc6e5794aa9d1a912baaaf400f169e46580dabe47fa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2284	2268	b6d50f936f75a0ee5fbecfc6e5794aa9d1a912baaaf400f169e46580dabe47fa.exe	28
PID 2268 wrote to memory of 2284	2268	b6d50f936f75a0ee5fbecfc6e5794aa9d1a912baaaf400f169e46580dabe47fa.exe	28
PID 2268 wrote to memory of 2284	2268	b6d50f936f75a0ee5fbecfc6e5794aa9d1a912baaaf400f169e46580dabe47fa.exe	28
PID 2268 wrote to memory of 2284	2268	b6d50f936f75a0ee5fbecfc6e5794aa9d1a912baaaf400f169e46580dabe47fa.exe	28

C:\Users\Admin\AppData\Local\Temp\b6d50f936f75a0ee5fbecfc6e5794aa9d1a912baaaf400f169e46580dabe47fa.exe
"C:\Users\Admin\AppData\Local\Temp\b6d50f936f75a0ee5fbecfc6e5794aa9d1a912baaaf400f169e46580dabe47fa.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\henis.exe
  "C:\Users\Admin\AppData\Local\Temp\henis.exe"
  2⤵
  - Executes dropped EXE
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\henis.exe

Filesize
14KB

MD5
0bec4ff8bd86dc426ed008ebaf98e744

SHA1
dc4487e95194b705b637c31fa5a442ae3bf83530

SHA256
c31e72e462ab9a142745083945959b87bb6e22e96c6f1781e021e8e2ff2b27d4

SHA512
a81cd1a139af8c8efb3a0ba5a0ac78a9804c1352696c5010dbd5e7429b2c72fee982343d9bf021e05a141669022e568c8e3db60a15de3486060d283d73aa8be5

Download Submit