Malware Analysis Report

2024-09-11 10:28

Sample ID 240615-zemhvaxcpm
Target fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7
SHA256 fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7
Tags: amadey b2c2c1 trojan 94bf1c
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7

Threat Level: Known bad

The file fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7 was found to be: Known bad.

Malicious Activity Summary

amadey b2c2c1 trojan 94bf1c

Amadey family

Amadey

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 20:37

Signatures

Amadey family

amadey

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 20:37

Reported

2024-06-15 20:40

Platform

win10v2004-20240611-en

Max time kernel

140s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe"

Signatures

Amadey

trojan amadey

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000001001\b2c2c1.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\Hkbsse.job | C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe | N/A
File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\1000001001\b2c2c1.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000001001\b2c2c1.exe (10 identical rows)
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe (19 identical rows)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\b2c2c1.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2488 wrote to memory of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe | C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe (3 identical rows)
PID 1756 wrote to memory of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe | C:\Users\Admin\AppData\Local\Temp\1000001001\b2c2c1.exe (3 identical rows)
PID 1600 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\1000001001\b2c2c1.exe | C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe

"C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe"

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe"

C:\Users\Admin\AppData\Local\Temp\1000001001\b2c2c1.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\b2c2c1.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4052,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1600 -ip 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1600 -ip 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1600 -ip 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1600 -ip 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1600 -ip 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1600 -ip 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1600 -ip 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1600 -ip 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1600 -ip 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1176

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1600 -ip 1600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1356

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1560 -ip 1560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 440

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4600 -ip 4600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 920

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
BE | 88.221.83.217:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
DE | 185.172.128.116:80 | 185.172.128.116 | tcp
DE | 185.172.128.116:80 | 185.172.128.116 | tcp
US | 8.8.8.8:53 | 116.128.172.185.in-addr.arpa | udp
US | 8.8.8.8:53 | jkshb.su | udp
US | 8.8.8.8:53 | osdhs.in.ne | udp
US | 8.8.8.8:53 | greendag.ru | udp
CO | 201.184.36.53:80 | jkshb.su | tcp
CO | 201.184.36.53:80 | jkshb.su | tcp
CO | 201.184.36.53:80 | jkshb.su | tcp
US | 8.8.8.8:53 | 53.36.184.201.in-addr.arpa | udp
US | 8.8.8.8:53 | osdhs.in.ne | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe

MD5 993609639c915d36f2821bad869a17d4
SHA1 899988523cc0bde90c28889a5e32b273757915ac
SHA256 fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7
SHA512 147b9272265b9a5edea8b1f54b37dd95e8380ba461233bb476612ff48016ae752b2cbfa31d3bf87a6f404469eae6c90392c652f19720b4531b78e648b7b58f32

C:\Users\Admin\AppData\Local\Temp\665033694144

MD5 691318855dff11dde98cf8254fbbbd6c
SHA1 cad7875170b29992449444e839f2c14188714662
SHA256 df47d029fa8eac177f8a36e5cf15a7027edcd27719ca871717de38275844c624
SHA512 aad366f8e94d2ea2789ea9cea1e4b4b5636b8829b4f765bbac4e476fcefc8a5b5bc69025b8ba74f93691312149c80bfebd4d58a01639ed05304d97a4eb009d8a

C:\Users\Admin\AppData\Local\Temp\1000001001\b2c2c1.exe

MD5 f8ec725e4b969f157fd70166e73a56a3
SHA1 8bc092817245f2727154454e0011a8d6704e2eb7
SHA256 eb74efaf4832a80809815051fc97704819fbc4b1d57f07faf39746a02ed1dd10
SHA512 7dc3acb485263fd616ea84999a897f0e298f21485a34457697c523a095083d7de599b3cfc4bc3d45a5d36bc374a3a5e8778646dfa97c447d4be710021678e040

memory/1600-39-0x0000000000670000-0x0000000000770000-memory.dmp

memory/1600-41-0x0000000000400000-0x0000000000470000-memory.dmp

memory/1600-40-0x0000000002110000-0x000000000217B000-memory.dmp

memory/1600-57-0x0000000000400000-0x0000000000470000-memory.dmp

memory/1600-56-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4456-74-0x0000000000400000-0x0000000000481000-memory.dmp

memory/1560-81-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4600-91-0x0000000000400000-0x0000000000481000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 20:37

Reported

2024-06-15 20:40

Platform

win11-20240419-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe

"C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe"

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe

"C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe"

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe

Network

Country | Destination | Domain | Proto
DE | 185.172.128.116:80 | | tcp
DE | 185.172.128.116:80 | | tcp
DE | 185.172.128.116:80 | | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe

MD5 993609639c915d36f2821bad869a17d4
SHA1 899988523cc0bde90c28889a5e32b273757915ac
SHA256 fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7
SHA512 147b9272265b9a5edea8b1f54b37dd95e8380ba461233bb476612ff48016ae752b2cbfa31d3bf87a6f404469eae6c90392c652f19720b4531b78e648b7b58f32

C:\Users\Admin\AppData\Local\Temp\474490143322

MD5 acce2430c1d878f30d3a1cfdb3131055
SHA1 0e3d8650332569d77c678f5a2ba7ca06abd7c16a
SHA256 cee14ea03b6c9aba8364097dc20a265695490273845ba12c37bcda258a4fefdf
SHA512 82c92b409b62ae0fb33fb94d5ba155c96d8d66e6b07ff723510ff420df214770503aa27e4caa8830a912bad1a6c2a3c952122e4861d1f927b38ea5cc39a0b01f