635fdcbf5c3af871066c640ee1172b8847d4ab2f7fe081ae04012c27b24fb01b

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
02-05-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

635fdcbf5c3af871066c640ee1172b8847d4ab2f7fe081ae04012c27b24fb01b.exe
Size

98KB
MD5

bab87e3761d3cc3079799caa1a3639ef
SHA1

dcaf1cae0c2edd9754e7e5234a2b9947923628e5
SHA256

635fdcbf5c3af871066c640ee1172b8847d4ab2f7fe081ae04012c27b24fb01b
SHA512

0f7e2a6eb59587d0c456b20eec54ff8ae39329291f36383342db21584eead07ce28ce7b0c17422572d3ecc19c56815023395aa2aa1bad36daf71a1ed6f0bfd1e
SSDEEP

768:dxDDnyAiIbhn+oRTaFSxjORUh6EDFAnAL+7DUdjaYoCMHosadujaOnNP0mPefoCK:dxDDnd1RaqOrsdSCM+qvGDg1W+DQ6Ke

Score

9^/10

Malware Config

Signatures

Detects executables built or packed with MPress PE compressor 4 IoCs

resource	yara_rule
behavioral1/memory/952-0-0x0000000000400000-0x0000000000415000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000b0000000141a2-4.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/952-8-0x0000000000400000-0x0000000000415000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2984-11-0x0000000000400000-0x0000000000415000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
2984	hcbnaf.exe

Loads dropped DLL 1 IoCs

pid	Process
952	635fdcbf5c3af871066c640ee1172b8847d4ab2f7fe081ae04012c27b24fb01b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 2984	952	635fdcbf5c3af871066c640ee1172b8847d4ab2f7fe081ae04012c27b24fb01b.exe	28
PID 952 wrote to memory of 2984	952	635fdcbf5c3af871066c640ee1172b8847d4ab2f7fe081ae04012c27b24fb01b.exe	28
PID 952 wrote to memory of 2984	952	635fdcbf5c3af871066c640ee1172b8847d4ab2f7fe081ae04012c27b24fb01b.exe	28
PID 952 wrote to memory of 2984	952	635fdcbf5c3af871066c640ee1172b8847d4ab2f7fe081ae04012c27b24fb01b.exe	28

C:\Users\Admin\AppData\Local\Temp\635fdcbf5c3af871066c640ee1172b8847d4ab2f7fe081ae04012c27b24fb01b.exe
"C:\Users\Admin\AppData\Local\Temp\635fdcbf5c3af871066c640ee1172b8847d4ab2f7fe081ae04012c27b24fb01b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe
  "C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe"
  2⤵
  - Executes dropped EXE
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hcbnaf.exe

Filesize
98KB

MD5
e287ca03bf650427539eeb01a5868446

SHA1
f2775c0a3ffd7fc662c16a9014161920290d8861

SHA256
6f2f6c6bb1639c4773c1a9a3bb5b3960e68543106852fd85fec5b1a07d675037

SHA512
e7f9c4a07b326ee5817717eb68f95f6bd9d77cf8a1f28e9d69c9a72af7aff85f850e2d68e80ca0f7fe949aaac01d981cceab8c5db712d41c9b96ece5a06380d4

Download Submit
memory/952-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/952-2-0x0000000000460000-0x0000000000464000-memory.dmp

Filesize
16KB

Download
memory/952-8-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2984-10-0x0000000000270000-0x0000000000274000-memory.dmp

Filesize
16KB

Download
memory/2984-11-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download