Analysis
- max time kernel: 98s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-06-2024 02:56
Behavioral task: behavioral1
Sample: fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe
Resource: win7-20240419-en

Behavioral task: behavioral2
Sample: fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe
Resource: win10v2004-20240508-en
General
- Target: fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe
- Size: 424KB
- MD5: 993609639c915d36f2821bad869a17d4
- SHA1: 899988523cc0bde90c28889a5e32b273757915ac
- SHA256: fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7
- SHA512: 147b9272265b9a5edea8b1f54b37dd95e8380ba461233bb476612ff48016ae752b2cbfa31d3bf87a6f404469eae6c90392c652f19720b4531b78e648b7b58f32
- SSDEEP: 6144:6O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHU:axBuBTExX+AoLzTUKdvST/BoKupOjHz
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
  process: fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe

- Executes dropped EXE (3 IoCs)
Processes:
  pid 212   Hkbsse.exe
  pid 2228  Hkbsse.exe
  pid 4396  Hkbsse.exe

- Drops file in Windows directory (1 IoC)
Processes:
  description: File created
  ioc: C:\Windows\Tasks\Hkbsse.job
  process: fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe

- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

- Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       process                                                                   target process
  PID 1876 wrote to memory of 212   fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe   Hkbsse.exe
  PID 1876 wrote to memory of 212   fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe   Hkbsse.exe
  PID 1876 wrote to memory of 212   fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe   Hkbsse.exe
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe"
  Depth: 1
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - Path: C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe"
    Depth: 2
    - Executes dropped EXE
- Path: C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
  Depth: 1
  - Executes dropped EXE
- Path: C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
  Depth: 1
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\124900551406
  Filesize: 83KB
  MD5: 863679fea89fe5064148bc7dd113de93
  SHA1: ceeecd921bce62446b0cf85cb2b3390a22258bc1
  SHA256: abbf97e114403d3f7c6182974083d2b8a2cc1ae53d1054de722ad2266ea3cab1
  SHA512: eba984bb7034cf39b8fbdaa55aa22e1a4c8f1b2b84fc8b91895ed551f2bbb497637b7af06564992ce450885302e00f7a9b23cb9f33ec53ac500c660c400e70f7
- C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
  Filesize: 424KB
  MD5: 993609639c915d36f2821bad869a17d4
  SHA1: 899988523cc0bde90c28889a5e32b273757915ac
  SHA256: fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7
  SHA512: 147b9272265b9a5edea8b1f54b37dd95e8380ba461233bb476612ff48016ae752b2cbfa31d3bf87a6f404469eae6c90392c652f19720b4531b78e648b7b58f32