Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 27-07-2024 04:28
Behavioral task: behavioral1
Sample: 90a1852906977504a45e4a90f7c0c990N.exe
Resource: win7-20240704-en
General
- Target: 90a1852906977504a45e4a90f7c0c990N.exe
- Size: 32KB
- MD5: 90a1852906977504a45e4a90f7c0c990
- SHA1: 6a932e6cae279e5b09b82b0603cb3ad5253f4c3c
- SHA256: b4dd067baab3c4883813ea196c7064120a8660172c9f585ac1c1b46cbe46397b
- SHA512: 6844f89ffbe8c60e9af60424da7a4eebc462f3f9acd71d22980e8e2375d6dd4fa3c6c125cbff60ff0ad9c4059165cc38cc1fa6a5376912562470a50f3d390060
- SSDEEP: 384:3p7WmcCWRLzENdloN1T8F0pEEuukSX3uo9vKZR38aLGZL+iELavQ2J+l4/1S:35oz2srIFLu3VvKP3K/5QO+uc
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid: 2092  process: hhcbrnaff.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid: 2716  process: 90a1852906977504a45e4a90f7c0c990N.exe
- YARA rule matches (upx)
  Processes:
  resource: behavioral1/memory/2716-0-0x0000000000400000-0x000000000040C000-memory.dmp  yara_rule: upx
  resource: C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe  yara_rule: upx
  resource: behavioral1/memory/2716-10-0x0000000000400000-0x000000000040C000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/2092-12-0x0000000000400000-0x000000000040C000-memory.dmp  yara_rule: upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: 90a1852906977504a45e4a90f7c0c990N.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: hhcbrnaff.exe
- Modifies system certificate store
  Processes:
  description: Key created  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  process: hhcbrnaff.exe
  description: Set value (data)  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (value elided)  process: hhcbrnaff.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description: PID 2716 wrote to memory of 2092  pid: 2716  process: 90a1852906977504a45e4a90f7c0c990N.exe  target process: hhcbrnaff.exe  (the same entry is reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\90a1852906977504a45e4a90f7c0c990N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\90a1852906977504a45e4a90f7c0c990N.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe (child process)
    command line: "C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
  Filesize: 32KB
  MD5: 0f04e31f1f3fe0b58543d6bada8019e4
  SHA1: d53e50828ab84ea9cfdd717c1be8584cb34ef120
  SHA256: 7b697493973d2a69f3f983e9be65976d5cbc3701c85b2c9e4c7c3cf4a52f86bf
  SHA512: 11a74c0ef495d8eaa233947408e4330069dfbf545a148a3b6d849d9043cb504a62af2bd83c7cbbbafbe0de4640d351667ae11454b0109df1703cb2e98d27204a
- memory/2092-12-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/2092-14-0x0000000002B60000-0x0000000002B61000-memory.dmp
  Filesize: 4KB
- memory/2716-0-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/2716-2-0x0000000002B60000-0x0000000002B61000-memory.dmp
  Filesize: 4KB
- memory/2716-3-0x0000000002B70000-0x0000000002F70000-memory.dmp
  Filesize: 4.0MB
- memory/2716-10-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/2716-8-0x0000000002B50000-0x0000000002B5C000-memory.dmp
  Filesize: 48KB