a6f07a85295ee5e1c6ec2cd9e304c783353c308083b19baa86f36d08de31b815

Analysis

max time kernel
110s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-08-2024 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ef87f70a4874bf1c93c1b6ed54f9760N.exe
Size

31KB
MD5

3ef87f70a4874bf1c93c1b6ed54f9760
SHA1

fd0b82926bd618ca16f6aef685239fb6805be8dd
SHA256

a6f07a85295ee5e1c6ec2cd9e304c783353c308083b19baa86f36d08de31b815
SHA512

22f6e10e08fc4b6fa4728ee9e4a39281f0e224ec4425171fe6f05e451b9b40f56a8837726337953f585e78abbad3c16db84832d7f10c7f4e84c3dd64056cec45
SSDEEP

768:ZFnGJaxmc2+UuKVlgUoLbr7gtdgI2MyzNtRQtONlIwoHNV2XBFV72B4lA7PsEZ+b:3ytdgI2MyzNtRQtONlIwoHNV2XBFV72M

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2804	hhcbrnaff.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	3ef87f70a4874bf1c93c1b6ed54f9760N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ef87f70a4874bf1c93c1b6ed54f9760N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hhcbrnaff.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2804	1712	3ef87f70a4874bf1c93c1b6ed54f9760N.exe	29
PID 1712 wrote to memory of 2804	1712	3ef87f70a4874bf1c93c1b6ed54f9760N.exe	29
PID 1712 wrote to memory of 2804	1712	3ef87f70a4874bf1c93c1b6ed54f9760N.exe	29
PID 1712 wrote to memory of 2804	1712	3ef87f70a4874bf1c93c1b6ed54f9760N.exe	29

C:\Users\Admin\AppData\Local\Temp\3ef87f70a4874bf1c93c1b6ed54f9760N.exe
"C:\Users\Admin\AppData\Local\Temp\3ef87f70a4874bf1c93c1b6ed54f9760N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
  "C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe

Filesize
31KB

MD5
a92986c49a51ad93a7b8f45827a6116c

SHA1
05a17e18198b91c253bf298aec1bd3c56b08647e

SHA256
30b92b44129f542ac67159faf6fade1b71bc207786f175e2ddcc9a2e6c2d6c2f

SHA512
1698aa9de0d405d2942d59074ba8e41656d14d71ebf619285167dedabb396c7829b32095acc878590dc90d63d690af65bfe35ccbe3ca9448dac357703a043a64

Download Submit
memory/1712-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1712-1-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1712-2-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1712-4-0x0000000003330000-0x0000000003730000-memory.dmp

Filesize
4.0MB

Download
memory/1712-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1712-9-0x0000000003B80000-0x0000000003B8A000-memory.dmp

Filesize
40KB

Download
memory/2804-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2804-16-0x0000000003350000-0x0000000003750000-memory.dmp

Filesize
4.0MB

Download