Analysis
max time kernel: 113s
max time network: 53s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-06-2024 12:11
Behavioral task: behavioral1
Sample: 13e5872e9b7c47090e035dc228c5589f.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: 13e5872e9b7c47090e035dc228c5589f.exe
Resource: win10v2004-20240508-en
General
Target: 13e5872e9b7c47090e035dc228c5589f.exe
Size: 424KB
MD5: 13e5872e9b7c47090e035dc228c5589f
SHA1: c55a9708091f19b5fc5baf7c37beb99d8d3bf760
SHA256: d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc
SHA512: 260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e
SSDEEP: 6144:9O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHP:3xBuBTExX+AoLzTUKdvST/BoKupOjUz
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
    process: 13e5872e9b7c47090e035dc228c5589f.exe
- Executes dropped EXE (3 IoCs)
  Processes:
    pid 4200: Hkbsse.exe
    pid 936: Hkbsse.exe
    pid 3436: Hkbsse.exe
- Drops file in Windows directory (1 IoC)
  Processes:
    description: File created
    ioc: C:\Windows\Tasks\Hkbsse.job
    process: 13e5872e9b7c47090e035dc228c5589f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 1976 wrote to memory of 4200
    pid / process: 1976 13e5872e9b7c47090e035dc228c5589f.exe
    target process: Hkbsse.exe
    description: PID 1976 wrote to memory of 4200
    pid / process: 1976 13e5872e9b7c47090e035dc228c5589f.exe
    target process: Hkbsse.exe
    description: PID 1976 wrote to memory of 4200
    pid / process: 1976 13e5872e9b7c47090e035dc228c5589f.exe
    target process: Hkbsse.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\13e5872e9b7c47090e035dc228c5589f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13e5872e9b7c47090e035dc228c5589f.exe"
  Depth: 1
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 1976
  - C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe"
    Depth: 2
    - Executes dropped EXE
    PID: 4200
- C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
  Depth: 1
  - Executes dropped EXE
  PID: 936
- C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
  Depth: 1
  - Executes dropped EXE
  PID: 3436
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 74KB
  MD5: f3bc35eaaa043b5f0001cf94e7c03381
  SHA1: ffcea59daaf2df8cddb3e32d15dc0eee0cf66e13
  SHA256: 7c4650e899a24b149bc06be2b1345fdf46e425472c3d60971e2b4d268f97a9e2
  SHA512: 3345316da22a24a8268a11a7b23319b3717194fe08943f4dcfccfa1630bd676532b1d1663d582491d04aaee1c2547292d15a9f8d37aa8619a5c08f2872b957b1
- Filesize: 424KB
  MD5: 13e5872e9b7c47090e035dc228c5589f
  SHA1: c55a9708091f19b5fc5baf7c37beb99d8d3bf760
  SHA256: d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc
  SHA512: 260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e