716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8

Analysis

max time kernel
155s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe
Size

396KB
MD5

1c4ce184213ebdd5094ed966afc6fae0
SHA1

41c1c7d31dca1455232cf126c8c52894f0b7563f
SHA256

716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8
SHA512

bbe7b01c9b402d086ffa524b69404f7293d3f2a08f7d649d6bc9bab5556531da376778adb8fcbbea408703d31a6515f3100d13c924eba0113068bd1ee5fa89d2
SSDEEP

6144:4jlYKRF/LReWAsUyJq5r3PWSAR0DkNVn0bcmF:4jauDReWeFPa90b

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

hfbwae.exe

pid process

4984 hfbwae.exe

pid	process
4984	hfbwae.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hfbwae.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\hfbwae.exe"	hfbwae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe

description	pid	process	target process
PID 628 wrote to memory of 4984	628	716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe	hfbwae.exe
PID 628 wrote to memory of 4984	628	716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe	hfbwae.exe
PID 628 wrote to memory of 4984	628	716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe	hfbwae.exe

C:\Users\Admin\AppData\Local\Temp\716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe
"C:\Users\Admin\AppData\Local\Temp\716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\ProgramData\hfbwae.exe
"C:\ProgramData\hfbwae.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DumpStack.log.tmp .exe

Filesize
396KB

MD5
846b5f1db2f55719ef29f38b5af81222

SHA1
9d5d0e3ea093dc7d951e9131708375a29a85633c

SHA256
d3327d907f2366c58c1fb8eea751f2bc8086358e2579b056ca8ba68c092a4872

SHA512
49cb5d02623920310f1e3ffa25da1afa16768d5038c769fdbfc3a12ee35b6706e3feb301e9e2ab30a23424547f35efe6abf690281d3a464439e6d5a4bf13cced

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
C:\ProgramData\hfbwae.exe

Filesize
259KB

MD5
b9b1a11f4914e8787d811317997fa6bb

SHA1
435f76a02c445cba1975314b21fa5b4664b548c4

SHA256
d7ac8c1204527a1ec8df0bcf6b632189e8e79a9ccc54221c683dacece7ed4c53

SHA512
caf0efb9d2f7f301da5e47025b56b4e6b902c4b950db86253298a669bc1766806195d0c7aaa3b89f288fa0e42ac6242a8def101a7d77d0647f2c3e82810fc5dd

Download Submit
memory/628-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/628-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/628-9-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4984-103-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4984-1418-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download