c8c9aca6b4b12ce0df5b2c43171828b354a20310973f0112dc19567fb787c6d4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8c9aca6b4b12ce0df5b2c43171828b354a20310973f0112dc19567fb787c6d4.exe
Size

56KB
MD5

066b327b839fff241826b3b66248ca99
SHA1

ba8e94cda3226a12a1213ce049c28bf320933c24
SHA256

c8c9aca6b4b12ce0df5b2c43171828b354a20310973f0112dc19567fb787c6d4
SHA512

9c04422872588426d2619b22692d89bb3ba2d44fe8725e817c92e89992ef85ae80dd7a615700cdc21fbec757e1bfad1471c2139cfeb5d808b805f4f059c4a27c
SSDEEP

768:jxDDnyAiIbhn+oRTaFSxjquEDFAnA1tLRNk2djaYoCMHosOxECOsPNu:jxDDnd1Raqq2uBNdSCMxCV1u

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	c8c9aca6b4b12ce0df5b2c43171828b354a20310973f0112dc19567fb787c6d4.exe

Executes dropped EXE 1 IoCs

pid	Process
4428	hcbnaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4428	4384	c8c9aca6b4b12ce0df5b2c43171828b354a20310973f0112dc19567fb787c6d4.exe	80
PID 4384 wrote to memory of 4428	4384	c8c9aca6b4b12ce0df5b2c43171828b354a20310973f0112dc19567fb787c6d4.exe	80
PID 4384 wrote to memory of 4428	4384	c8c9aca6b4b12ce0df5b2c43171828b354a20310973f0112dc19567fb787c6d4.exe	80

C:\Users\Admin\AppData\Local\Temp\c8c9aca6b4b12ce0df5b2c43171828b354a20310973f0112dc19567fb787c6d4.exe
"C:\Users\Admin\AppData\Local\Temp\c8c9aca6b4b12ce0df5b2c43171828b354a20310973f0112dc19567fb787c6d4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe
  "C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe"
  2⤵
  - Executes dropped EXE
  PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe

Filesize
56KB

MD5
03ddd2453f95345ad73a36bb7b232e00

SHA1
6a54b8f7de07f8bb072ceee621e7259096295de7

SHA256
746a2766ba24c8f6e451cc88721c1741cc7fb7cdb5a912ed9610da03e7bb2986

SHA512
3acda57350f292394c0883061aff7d8c960cf54620bd78f359d30a96555895651b027882b12692e45939f0aa0215e70e20a89f749f7aebb510ecd163046fe15c

Download Submit
memory/4384-1-0x0000000001640000-0x0000000001644000-memory.dmp

Filesize
16KB

Download
memory/4428-9-0x0000000001050000-0x0000000001054000-memory.dmp

Filesize
16KB

Download