b4dd067baab3c4883813ea196c7064120a8660172c9f585ac1c1b46cbe46397b

General

Target

90a1852906977504a45e4a90f7c0c990N.exe
Size

32KB
MD5

90a1852906977504a45e4a90f7c0c990
SHA1

6a932e6cae279e5b09b82b0603cb3ad5253f4c3c
SHA256

b4dd067baab3c4883813ea196c7064120a8660172c9f585ac1c1b46cbe46397b
SHA512

6844f89ffbe8c60e9af60424da7a4eebc462f3f9acd71d22980e8e2375d6dd4fa3c6c125cbff60ff0ad9c4059165cc38cc1fa6a5376912562470a50f3d390060
SSDEEP

384:3p7WmcCWRLzENdloN1T8F0pEEuukSX3uo9vKZR38aLGZL+iELavQ2J+l4/1S:35oz2srIFLu3VvKP3K/5QO+uc

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

hhcbrnaff.exe

pid process

2092 hhcbrnaff.exe
Loads dropped DLL 1 IoCs

Processes:

90a1852906977504a45e4a90f7c0c990N.exe

pid process

2716 90a1852906977504a45e4a90f7c0c990N.exe

pid	process
2092	hhcbrnaff.exe

pid	process
2716	90a1852906977504a45e4a90f7c0c990N.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2716-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe	upx
behavioral1/memory/2716-10-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2092-12-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

90a1852906977504a45e4a90f7c0c990N.exehhcbrnaff.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90a1852906977504a45e4a90f7c0c990N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hhcbrnaff.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

hhcbrnaff.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	hhcbrnaff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	hhcbrnaff.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

90a1852906977504a45e4a90f7c0c990N.exe

description	pid	process	target process
PID 2716 wrote to memory of 2092	2716	90a1852906977504a45e4a90f7c0c990N.exe	hhcbrnaff.exe
PID 2716 wrote to memory of 2092	2716	90a1852906977504a45e4a90f7c0c990N.exe	hhcbrnaff.exe
PID 2716 wrote to memory of 2092	2716	90a1852906977504a45e4a90f7c0c990N.exe	hhcbrnaff.exe
PID 2716 wrote to memory of 2092	2716	90a1852906977504a45e4a90f7c0c990N.exe	hhcbrnaff.exe

C:\Users\Admin\AppData\Local\Temp\90a1852906977504a45e4a90f7c0c990N.exe
"C:\Users\Admin\AppData\Local\Temp\90a1852906977504a45e4a90f7c0c990N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
"C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID:2092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
Filesize
32KB

MD5
0f04e31f1f3fe0b58543d6bada8019e4

SHA1
d53e50828ab84ea9cfdd717c1be8584cb34ef120

SHA256
7b697493973d2a69f3f983e9be65976d5cbc3701c85b2c9e4c7c3cf4a52f86bf

SHA512
11a74c0ef495d8eaa233947408e4330069dfbf545a148a3b6d849d9043cb504a62af2bd83c7cbbbafbe0de4640d351667ae11454b0109df1703cb2e98d27204a

Download Submit
memory/2092-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2092-14-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2716-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2716-2-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2716-3-0x0000000002B70000-0x0000000002F70000-memory.dmp

Filesize
4.0MB

Download
memory/2716-10-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2716-8-0x0000000002B50000-0x0000000002B5C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads