b4dd067baab3c4883813ea196c7064120a8660172c9f585ac1c1b46cbe46397b

Analysis

max time kernel
109s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90a1852906977504a45e4a90f7c0c990N.exe
Size

32KB
MD5

90a1852906977504a45e4a90f7c0c990
SHA1

6a932e6cae279e5b09b82b0603cb3ad5253f4c3c
SHA256

b4dd067baab3c4883813ea196c7064120a8660172c9f585ac1c1b46cbe46397b
SHA512

6844f89ffbe8c60e9af60424da7a4eebc462f3f9acd71d22980e8e2375d6dd4fa3c6c125cbff60ff0ad9c4059165cc38cc1fa6a5376912562470a50f3d390060
SSDEEP

384:3p7WmcCWRLzENdloN1T8F0pEEuukSX3uo9vKZR38aLGZL+iELavQ2J+l4/1S:35oz2srIFLu3VvKP3K/5QO+uc

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

hhcbrnaff.exe90a1852906977504a45e4a90f7c0c990N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	hhcbrnaff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	90a1852906977504a45e4a90f7c0c990N.exe

Executes dropped EXE 1 IoCs

Processes:

hhcbrnaff.exe

pid process

4304 hhcbrnaff.exe

pid	process
4304	hhcbrnaff.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4940-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe	upx
behavioral2/memory/4304-11-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/4940-13-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral2/memory/4304-28-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

90a1852906977504a45e4a90f7c0c990N.exehhcbrnaff.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90a1852906977504a45e4a90f7c0c990N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hhcbrnaff.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

90a1852906977504a45e4a90f7c0c990N.exe

description	pid	process	target process
PID 4940 wrote to memory of 4304	4940	90a1852906977504a45e4a90f7c0c990N.exe	hhcbrnaff.exe
PID 4940 wrote to memory of 4304	4940	90a1852906977504a45e4a90f7c0c990N.exe	hhcbrnaff.exe
PID 4940 wrote to memory of 4304	4940	90a1852906977504a45e4a90f7c0c990N.exe	hhcbrnaff.exe

C:\Users\Admin\AppData\Local\Temp\90a1852906977504a45e4a90f7c0c990N.exe
"C:\Users\Admin\AppData\Local\Temp\90a1852906977504a45e4a90f7c0c990N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4940

C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
"C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe

Filesize
32KB

MD5
0f04e31f1f3fe0b58543d6bada8019e4

SHA1
d53e50828ab84ea9cfdd717c1be8584cb34ef120

SHA256
7b697493973d2a69f3f983e9be65976d5cbc3701c85b2c9e4c7c3cf4a52f86bf

SHA512
11a74c0ef495d8eaa233947408e4330069dfbf545a148a3b6d849d9043cb504a62af2bd83c7cbbbafbe0de4640d351667ae11454b0109df1703cb2e98d27204a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhgnrddkjee.exe

Filesize
140B

MD5
ea8eef7d26ecc45b6a56c5ecdb494d42

SHA1
fd621efeb3a6649e0a7ed0a178fa51be3d5d7e1e

SHA256
1af29706d2a6b604a0e552114f17bb1789014da70e98d6cf05af542bafaca04f

SHA512
12aea78e33d411033ab3fb235f17013161d32c52c3a9b29e76c03dfe1c7ff97b39daadb9a02904923fb1fac0000a910dca2c692d949a8fa83620d09c0df62252

Download Submit
memory/4304-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4304-14-0x0000000002690000-0x0000000002A90000-memory.dmp

Filesize
4.0MB

Download
memory/4304-15-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/4304-28-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4940-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4940-1-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/4940-3-0x0000000002780000-0x0000000002B80000-memory.dmp

Filesize
4.0MB

Download
memory/4940-13-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download