Analysis
-
max time kernel
96s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05-08-2024 15:02
Static task
static1
Behavioral task
behavioral1
Sample
a389f5ee8285c796777a25099d3cc3a0N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
a389f5ee8285c796777a25099d3cc3a0N.exe
Resource
win10v2004-20240802-en
General
-
Target
a389f5ee8285c796777a25099d3cc3a0N.exe
-
Size
47KB
-
MD5
a389f5ee8285c796777a25099d3cc3a0
-
SHA1
c6ce52bc53753a8bfab6fee9fee724d05f8d5ff6
-
SHA256
47a1e2086a632d071fcf2fa109fbc228747c21dd99097413a2ba42d02e5c20c6
-
SHA512
15bbeba0e1dbdcdee66ed5cd3c75ac6438f6c2d05a6512f510f389ba551a5b70850e3be2fc8815c22b85e694be101960b6479b37a84d86f8ea62f7965e610a79
-
SSDEEP
192:GrITdb2X2VFmfjNIGmMTPUEN7jIZSnDJLVwqnkqU/CDola0e9JzDaU0FiBs:yIT4BjKGmMztNvIZSD/wHqUWolEDCUKt
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation a389f5ee8285c796777a25099d3cc3a0N.exe -
Executes dropped EXE 1 IoCs
pid Process 3968 hcbnaf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a389f5ee8285c796777a25099d3cc3a0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hcbnaf.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4316 wrote to memory of 3968 4316 a389f5ee8285c796777a25099d3cc3a0N.exe 85 PID 4316 wrote to memory of 3968 4316 a389f5ee8285c796777a25099d3cc3a0N.exe 85 PID 4316 wrote to memory of 3968 4316 a389f5ee8285c796777a25099d3cc3a0N.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\a389f5ee8285c796777a25099d3cc3a0N.exe"C:\Users\Admin\AppData\Local\Temp\a389f5ee8285c796777a25099d3cc3a0N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe"C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3968
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
47KB
MD579d24deeacc4d8f65d1e66a650e9c399
SHA11d57427643958329ad28f65de6dda7657a425de1
SHA256ab6f1e46ab1673f9264da3a65f3a8854c4cc82fba89e36bb561715afeed9a8c9
SHA512685cf1f578e0db30c645b201ad8438da0a4c5abf4b6d51236f4d809a3c7eaa1eeec315163b3019d89abb3874c4acc1994df752e15ca805b15e287fa038d35227