ab83ca600e38a8481fa0c4a9bd9d0c228840d3b6110b73b5591a58a9a538ec46

Analysis

max time kernel
103s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 15:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

26c2e1ba96da0c2750e8e7123eb524b0N.exe
Size

52KB
MD5

26c2e1ba96da0c2750e8e7123eb524b0
SHA1

6905332cc1d39b61e0543b881d2b2c9d6e9eda3c
SHA256

ab83ca600e38a8481fa0c4a9bd9d0c228840d3b6110b73b5591a58a9a538ec46
SHA512

32fe0ff6fb74594610dc814db045a6cfa8823b104969c5077bd69dd822f7722d9e7d61f6a856fd9463fd2a0a9e9206823c4e5eb32df345c6681aa623db062ac5
SSDEEP

768:2PitRNEGtXXnZ/JudBDtcUtdVCxVOS3fNGq5xgBti:RF3wDtkx3P5xsi

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	26c2e1ba96da0c2750e8e7123eb524b0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	hcbnaf.exe

Executes dropped EXE 1 IoCs

pid	Process
4220	hcbnaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26c2e1ba96da0c2750e8e7123eb524b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hcbnaf.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 4220	3048	26c2e1ba96da0c2750e8e7123eb524b0N.exe	85
PID 3048 wrote to memory of 4220	3048	26c2e1ba96da0c2750e8e7123eb524b0N.exe	85
PID 3048 wrote to memory of 4220	3048	26c2e1ba96da0c2750e8e7123eb524b0N.exe	85

C:\Users\Admin\AppData\Local\Temp\26c2e1ba96da0c2750e8e7123eb524b0N.exe
"C:\Users\Admin\AppData\Local\Temp\26c2e1ba96da0c2750e8e7123eb524b0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe
  "C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe

Filesize
52KB

MD5
159449e8915fa8bff689d39e1d0390a8

SHA1
e8cbd0959e9954caacb938bec9b0694442a266f7

SHA256
d9e2a568343ab0aeb6d03a5e57387379263934288a0b986846f7fe86824c1937

SHA512
81fa43ca1c3f58815f6d53216770e6e0d74b7051d9b3184a6fd2ac852e1f9b537e2e0c572380ccd1d8155a5ff18c4643358bd64d343a155580fcb48f54bb7c16

Download Submit
memory/3048-1-0x0000000000FD0000-0x0000000000FD5000-memory.dmp

Filesize
20KB

Download
memory/4220-9-0x0000000000F70000-0x0000000000F75000-memory.dmp

Filesize
20KB

Download