cace62e27e7d885f99451634a29f085c5e77c20c820fdfd4cb60ae5b33379be0

Analysis

max time kernel
134s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hbdzt.exe
Size

1.6MB
MD5

44100d32830cca151fc30283260b8b67
SHA1

f6ee54eb547ea0e0a3f944e2f0691ba7e8ccbd1c
SHA256

24e2d7c6fe132f666c950b6192b342322a25188201253ebca3706681fb7b7392
SHA512

17f9bc344d3a2246bd53b3a2e2774594f6302b3bc7964d2b10d5fd8985dc3b9db750b39bf0c065289a5a15b20f16e196480fb03450173a1c823ba57d4dfc26f9
SSDEEP

24576:PJb5ta7ShseSshw9C0nsFpiu/vvWNKJ0Wkah5UZEGTDo9sLkDo6M2HsWJuhcJFHJ:xbTaSh0nEpWNJW/MZJ56McY8hwew

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3320	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hbdzt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3320	irsetup.exe
3320	irsetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 3320	1688	hbdzt.exe	85
PID 1688 wrote to memory of 3320	1688	hbdzt.exe	85
PID 1688 wrote to memory of 3320	1688	hbdzt.exe	85

C:\Users\Admin\AppData\Local\Temp\hbdzt.exe
"C:\Users\Admin\AppData\Local\Temp\hbdzt.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\irsetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IRIMG1.BMP

Filesize
51KB

MD5
ff439d8a48231281a5b95d703c168fe7

SHA1
76094b5540f187bc730fb9ce8265c5d5fd74d4e9

SHA256
403b2c886bf9895534a5ebe14894d64f80ec1f10d01c04480ba68a4b10870067

SHA512
ea3c9ff9f2fb64e271b6b0dcd13db4e70d3e5b71b7d6302692bc46586edb33cb6aacb9c9548f00c17d1b063c430c4fd2807afcf39fbe50d358c89e19c6955d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG2.BMP

Filesize
7KB

MD5
95145f4cead2c4bd2ec219bc87d83f1d

SHA1
5eec034dfc7d9a6d93c21f38dfe2405c8968f6ed

SHA256
0542cb1d3e6b50f78dc63ea1abec6c518cfd4ea203649df3ef3834309ea66cad

SHA512
081d9cfa0bc46a54fcf03a62e5663282d27f56e20fbeafba2833d6267de285a354915c661dd67a3217f4dc2330c7f49babf8b24a5a68ba5a014f5e1e297cc5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IRIMG3.BMP

Filesize
7KB

MD5
e29a24e189e95681bb41f73c16747fd8

SHA1
e9269bb9cb6f2b700fc78f92066f31b15a9c5c2a

SHA256
3973d354045be781eabf9114772fe2e5e96d1e557793de10c914d901b16e8c09

SHA512
4c6db25e04acb8349da29249f712b20c217d792e6d5fd40af9b398e2617d5168ef0afc2505a05b0833b90165d5e5eaf2e98d1821e855a99fc7833de52154ad94

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.dat

Filesize
7KB

MD5
25074f89f8ef5dc3465a25590b6f03b1

SHA1
6b5e7ee29eb5c3e6b7b2af4ce0c2b27e81b171f6

SHA256
d0c91ce7d8acbc213f54cebfe87d24e146c00e9b3540fb0f9f115c5bf5c2d500

SHA512
4f80bbbeaece13cd4ed78097a36c3ebd598c0350dd5e69d9bca8f83b76542d9a38bd58c951d1c62ffacda41be86fa2b423f6e3b1f9a20dad779322eb5ec44169

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.exe

Filesize
704KB

MD5
6f20d65c5af232700ddf7b3206d9c870

SHA1
527a7e3525dd9b0f3f6e0d508702e6816311b255

SHA256
593ad36de23204385eeadfe318972c2e9f01275e59fd00342ad5892be0b2c6b0

SHA512
3f038a87dc644994c68b1c2596aa499fc128a18bcab74766c81ea2bc6d5a86511a810af2700e87bfe85b28fe792a51795b4014a2145c01b122ca869a577538e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\irsetup.ini

Filesize
78B

MD5
3ecc1d743049135eeaff41cbd9895867

SHA1
833d6226e88bd7a4190a1563afd913bee8c69b7a

SHA256
c3c9d98a92a3ae3ade084e7c8a0f065830cd69de7594ddc573894419d7af1dba

SHA512
fba1fc5a3948c615eaaa12497277aeefd1270b2969f28c705d64d647f7afa94aed07fc3156d931e9279b45798ce1828c825b1bbeae4b00245a0a23372d3fdfb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\suf6lng.4

Filesize
12KB

MD5
5930543afe37917c8e447635310009d5

SHA1
b012ad5d21489c97e2fdb27728e808200fceef07

SHA256
a084e98c6807381e118d47c1c65c591361f4159d87b3b4386ed347ca60c890a5

SHA512
073080d3233d21936fc8ddafd06bcde8eb15913577b1a7015cbdb3a8af13c7678e65f1afa2036e2fb59eebec55f8fbf025958d8490d13dea05a093534a4aff9b

Download Submit