58d87b46368bb7bf0181784e1c3adf3e39cf33f563b8ab0d3b44254ed3586f2a

Analysis

max time kernel
98s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe
Size

424KB
MD5

993609639c915d36f2821bad869a17d4
SHA1

899988523cc0bde90c28889a5e32b273757915ac
SHA256

fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7
SHA512

147b9272265b9a5edea8b1f54b37dd95e8380ba461233bb476612ff48016ae752b2cbfa31d3bf87a6f404469eae6c90392c652f19720b4531b78e648b7b58f32
SSDEEP

6144:6O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHU:axBuBTExX+AoLzTUKdvST/BoKupOjHz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe

Executes dropped EXE 3 IoCs

Processes:

Hkbsse.exeHkbsse.exeHkbsse.exe

pid process

212 Hkbsse.exe
2228 Hkbsse.exe
4396 Hkbsse.exe
Drops file in Windows directory 1 IoCs

Processes:

fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe

description ioc process

File created C:\Windows\Tasks\Hkbsse.job fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
212	Hkbsse.exe
2228	Hkbsse.exe
4396	Hkbsse.exe

description	ioc	process
File created	C:\Windows\Tasks\Hkbsse.job	fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe

description	pid	process	target process
PID 1876 wrote to memory of 212	1876	fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe	Hkbsse.exe
PID 1876 wrote to memory of 212	1876	fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe	Hkbsse.exe
PID 1876 wrote to memory of 212	1876	fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe	Hkbsse.exe

C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe
"C:\Users\Admin\AppData\Local\Temp\fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe"
2⤵
- Executes dropped EXE
PID:212

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:2228

C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\124900551406
Filesize
83KB

MD5
863679fea89fe5064148bc7dd113de93

SHA1
ceeecd921bce62446b0cf85cb2b3390a22258bc1

SHA256
abbf97e114403d3f7c6182974083d2b8a2cc1ae53d1054de722ad2266ea3cab1

SHA512
eba984bb7034cf39b8fbdaa55aa22e1a4c8f1b2b84fc8b91895ed551f2bbb497637b7af06564992ce450885302e00f7a9b23cb9f33ec53ac500c660c400e70f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\263c5c4d73\Hkbsse.exe
Filesize
424KB

MD5
993609639c915d36f2821bad869a17d4

SHA1
899988523cc0bde90c28889a5e32b273757915ac

SHA256
fa6aa0dd992228ace8364ddfe1df64c539ee82217fe36710e5882f62dc9868d7

SHA512
147b9272265b9a5edea8b1f54b37dd95e8380ba461233bb476612ff48016ae752b2cbfa31d3bf87a6f404469eae6c90392c652f19720b4531b78e648b7b58f32

Download Submit