ef967e92be5148ec9628ae428460931f172665a85b6ed16a806b470be61f2775

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HostMonitor.exe
Size

15.8MB
MD5

e3e3d7e5feacf6cc05f272f924c945dd
SHA1

d549e1e7fb0f0d81eb2cc02661bb44f7ea7784d3
SHA256

ca9bc3585c5686b9a0dda703bb9c4072b7d2c86a00ac09efa35f8d634d608548
SHA512

0578c71e09601c70bfb4495fd81b23976352b56db0e170675bb3d32a340b8f08641431261635cad3e5ab2daad5d82d426a1b69d7541e4632f1b87dcc5fe1e5fd
SSDEEP

393216:U+Mdn+tCw00suCsfN+Mw0na/FHn1TqmlIdb7u7S4XkMkAH:U+m+tCPuBc0naNHnwm2Pu7zXH

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	HostMonitor.exe

Executes dropped EXE 1 IoCs

pid	Process
2220	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 2220	4512	HostMonitor.exe	89
PID 4512 wrote to memory of 2220	4512	HostMonitor.exe	89
PID 4512 wrote to memory of 2220	4512	HostMonitor.exe	89

C:\Users\Admin\AppData\Local\Temp\HostMonitor.exe
"C:\Users\Admin\AppData\Local\Temp\HostMonitor.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
959KB

MD5
01693f3abb53c4e5ca8f4b217e487fe6

SHA1
d183ba2b838e92cd7e11bbcea86333763644b1bd

SHA256
8d7016e02ebb27f1d19c47754dcd71ed6623650ad3b6a3eaf35b9cbcabf1e164

SHA512
3be2b34aa8cc0b2ed300509c4216775bbd7f475b3016341956992d490b403bf30c9d22802bab16bb04d6eab36a7aced1a60dd6c740f89ec36fb242bec91d87c8

Download Submit
memory/2220-311-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2220-314-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2220-317-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4512-312-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download