8cda95856c68df768091b94d2920d2ab291b24faa423636f4b9de254e720c851

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HRSword_5.0.68.0.exe
Size

3.6MB
MD5

f81117bc68b76625e5b3dd96be34266c
SHA1

464ccae51a4462c1fd6a8dd16dd2a3755f22d868
SHA256

a70048647315e86bdb9de0d88f10b35c21ab2b5e0be033f35811f8002b9d4440
SHA512

560b1b6face735f4c640b8f3c18e8b9d90b719fdad8e552c1681fdb3d7084b28f4fe065974c6cd72771a2db0d1bf10b95781cb81997b96013b90ff704c5e726a
SSDEEP

98304:/5BF8W5BybQAoxFJKiQOeAeeU2RUXqC7w7sFca0rHXJjZ:/NFnA6QldMWqX7kYjZ

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HRSword_5.0.68.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2680	3032	HRSword_5.0.68.0.exe	30
PID 3032 wrote to memory of 2680	3032	HRSword_5.0.68.0.exe	30
PID 3032 wrote to memory of 2680	3032	HRSword_5.0.68.0.exe	30
PID 3032 wrote to memory of 2680	3032	HRSword_5.0.68.0.exe	30

C:\Users\Admin\AppData\Local\Temp\HRSword_5.0.68.0.exe
"C:\Users\Admin\AppData\Local\Temp\HRSword_5.0.68.0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HRSword_kafan\run.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HRSword_kafan\run.vbs

Filesize
65B

MD5
99f77b14ae3f508f04d2bdb6ebf5c5d2

SHA1
dd5c9d5c40f86da246e3328052295a32bdd191b0

SHA256
ccab788b0cdb3c2364286f345c9e91190b746554cbabe0b393d2ea345d727ecf

SHA512
532a89ab0bec5b3489057ea5822c2527122b7474e0fd84e0e0b199b1b6e027e7ac2bbe45a7f7f18742f6ebcbc11c2d76a364831c68c8a3a2f6982f8c0c0f5839

Download Submit