716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8

Analysis

max time kernel
155s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe
Size

396KB
MD5

1c4ce184213ebdd5094ed966afc6fae0
SHA1

41c1c7d31dca1455232cf126c8c52894f0b7563f
SHA256

716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8
SHA512

bbe7b01c9b402d086ffa524b69404f7293d3f2a08f7d649d6bc9bab5556531da376778adb8fcbbea408703d31a6515f3100d13c924eba0113068bd1ee5fa89d2
SSDEEP

6144:4jlYKRF/LReWAsUyJq5r3PWSAR0DkNVn0bcmF:4jauDReWeFPa90b

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

hfbwae.exe

pid process

4984 hfbwae.exe

pid	process
4984	hfbwae.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hfbwae.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\hfbwae.exe"	hfbwae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe

description	pid	process	target process
PID 628 wrote to memory of 4984	628	716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe	hfbwae.exe
PID 628 wrote to memory of 4984	628	716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe	hfbwae.exe
PID 628 wrote to memory of 4984	628	716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe	hfbwae.exe

C:\Users\Admin\AppData\Local\Temp\716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe
"C:\Users\Admin\AppData\Local\Temp\716cac9e75b8dcf36afe59724420d81f52ccb363346769d93ec7eeeb14ddbba8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\ProgramData\hfbwae.exe
"C:\ProgramData\hfbwae.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DumpStack.log.tmp .exe
Filesize
396KB

MD5
846b5f1db2f55719ef29f38b5af81222

SHA1
9d5d0e3ea093dc7d951e9131708375a29a85633c

SHA256
d3327d907f2366c58c1fb8eea751f2bc8086358e2579b056ca8ba68c092a4872

SHA512
49cb5d02623920310f1e3ffa25da1afa16768d5038c769fdbfc3a12ee35b6706e3feb301e9e2ab30a23424547f35efe6abf690281d3a464439e6d5a4bf13cced

Download Submit
C:\ProgramData\Saaaalamm\Mira.h
Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
C:\ProgramData\hfbwae.exe
Filesize
259KB

MD5
b9b1a11f4914e8787d811317997fa6bb

SHA1
435f76a02c445cba1975314b21fa5b4664b548c4

SHA256
d7ac8c1204527a1ec8df0bcf6b632189e8e79a9ccc54221c683dacece7ed4c53

SHA512
caf0efb9d2f7f301da5e47025b56b4e6b902c4b950db86253298a669bc1766806195d0c7aaa3b89f288fa0e42ac6242a8def101a7d77d0647f2c3e82810fc5dd

Download Submit
memory/628-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/628-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/628-9-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4984-103-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4984-1418-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download