8415240f6011036fa923c46865da807643b74e16cb15f9c6f48f69bd25d3fe2a

General

Target

Build.exe
Size

30.0MB
MD5

690e59f01fc278dbdd46a6bd2afe39ec
SHA1

b1b0efd3d42283c09b2b0f42b67e43e07c7b93b4
SHA256

8415240f6011036fa923c46865da807643b74e16cb15f9c6f48f69bd25d3fe2a
SHA512

fd7a8f63299a24ff0fa493f6053f7dd9a2beae3b04779f876d884e2f882faddf27e529580c38cb439573c9eee376fc20ad7fb8fa2b8c498dbb4500c0e91683ec
SSDEEP

786432:YvIFT5OUiF6YF2EiWeIGSg6A3kaa768gMSKr9dzPkw:YvET5ViF642LWeIGDMS8Tz7

Score

7^/10

discovery pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

hacn.exebased.exebased.exehacn.exe

pid process

1896 hacn.exe
1304 based.exe
3012 based.exe
1944 hacn.exe
1228
Loads dropped DLL 9 IoCs

Processes:

Build.exebased.exebased.exehacn.exehacn.exe

pid process

2084 Build.exe
2084 Build.exe
1304 based.exe
3012 based.exe
1896 hacn.exe
1944 hacn.exe
1228
1228
1228

pid	process
1896	hacn.exe
1304	based.exe
3012	based.exe
1944	hacn.exe
1228

pid	process
2084	Build.exe
2084	Build.exe
1304	based.exe
3012	based.exe
1896	hacn.exe
1944	hacn.exe
1228
1228
1228

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI13042\python310.dll	upx
behavioral1/memory/3012-48-0x000007FEF5ED0000-0x000007FEF6336000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
\ProgramData\Microsoft\hacn.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

Build.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Build.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Build.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Build.exebased.exehacn.exe

description	pid	process	target process
PID 2084 wrote to memory of 1896	2084	Build.exe	hacn.exe
PID 2084 wrote to memory of 1896	2084	Build.exe	hacn.exe
PID 2084 wrote to memory of 1896	2084	Build.exe	hacn.exe
PID 2084 wrote to memory of 1896	2084	Build.exe	hacn.exe
PID 2084 wrote to memory of 1304	2084	Build.exe	based.exe
PID 2084 wrote to memory of 1304	2084	Build.exe	based.exe
PID 2084 wrote to memory of 1304	2084	Build.exe	based.exe
PID 2084 wrote to memory of 1304	2084	Build.exe	based.exe
PID 1304 wrote to memory of 3012	1304	based.exe	based.exe
PID 1304 wrote to memory of 3012	1304	based.exe	based.exe
PID 1304 wrote to memory of 3012	1304	based.exe	based.exe
PID 1896 wrote to memory of 1944	1896	hacn.exe	hacn.exe
PID 1896 wrote to memory of 1944	1896	hacn.exe	hacn.exe
PID 1896 wrote to memory of 1944	1896	hacn.exe	hacn.exe

C:\Users\Admin\AppData\Local\Temp\Build.exe
"C:\Users\Admin\AppData\Local\Temp\Build.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\ProgramData\Microsoft\hacn.exe
  "C:\ProgramData\Microsoft\hacn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\ProgramData\Microsoft\hacn.exe
    "C:\ProgramData\Microsoft\hacn.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1944
- C:\ProgramData\Microsoft\based.exe
  "C:\ProgramData\Microsoft\based.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\ProgramData\Microsoft\based.exe
    "C:\ProgramData\Microsoft\based.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI13042\python310.dll

Filesize
1.4MB

MD5
4a6afa2200b1918c413d511c5a3c041c

SHA1
39ca3c2b669adac07d4a5eb1b3b79256cfe0c3b3

SHA256
bec187f608507b57cf0475971ba646b8ab42288af8fdcf78bce25f1d8c84b1da

SHA512
dbffb06ffff0542200344ea9863a44a6f1e1b783379e53df18580e697e8204d3911e091deb32a9c94b5599cdd54301b705b74e1f51104151cf13b89d57280a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18962\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
\ProgramData\Microsoft\based.exe

Filesize
5.9MB

MD5
e7f130139266f2e5afd5be83a92054aa

SHA1
52b70040c325cd634eb591a26bd98333f288d767

SHA256
44a28763def8da44d730eabceed547bc07ab6cb72b40990366f71dcb5c4ee6cc

SHA512
3cc648d69bb40c75c13cd244b8e258505787edcd65b046580fcefffb1715959f6c4956ed390eccd87a6ad3e8602d79a381099d167547b0f353c97d04e98c0d15

Download Submit
\ProgramData\Microsoft\hacn.exe

Filesize
24.0MB

MD5
70d8f32540470db5df9d39deed7bd6cb

SHA1
a14147440736d4f1427193cd206f519890b9f2f2

SHA256
858bdc7b94a957a182492a2d21e096b2fb2ab5317ae9e3e882243ad80953227e

SHA512
522fc6bc180c5e9e7bc60ece7404162692f0a7902923465082cf5449bc9d2f247b8e7d60f7f0bf5a24bf98fc07826b743a49b71eba406f6073990c3355944870

Download Submit
memory/3012-48-0x000007FEF5ED0000-0x000007FEF6336000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads