5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 21:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Size

482KB
MD5

1221f62256f5e34326a38b4c626dcf84
SHA1

74099e6f8ee16bbe00d36844862eb2adaa35849b
SHA256

5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410
SHA512

999c452beae910511e4fb74ca386629714ac5853cc8304ca7441b427dd485fb6102019e2bfb839e57b156bfa600f48b79998251217c5299df01d0b0fe3e0e1f9
SSDEEP

12288:xSbftHxkXbCNDZJsb1+Eu02FWBjB3LjyySgfEa85zcEdPhUTzyid5hpgbfMT:xSLtH2XbCNDZJsbJaWtNjiO

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\Verb\0\ = "&Edit,0,2"	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\Insertable	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\AuxUserType\2\ = "Shank Document"	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Shank.Document\CLSID\ = "{0DDA7B80-A080-101E-AC9F-B60A0C08752A}"	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5891F8~1.EXE,1"	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\DefaultIcon	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\MiscStatus\ = "32"	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Shank.Document\ = "TororoKonbu sHanko"	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Shank.Document\Insertable	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\Verb\0	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\Verb	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\Verb\1	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\Insertable\	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5891F8~1.EXE"	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Shank.Document\protocol\StdFileEditing\verb\0	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Shank.Document\CLSID	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\ProgID\ = "Shank.Document"	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\LocalServer32	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Shank.Document\protocol	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\AuxUserType\2	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\AuxUserType\3	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\ProgID	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\InprocHandler32\ = "ole32.dll"	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Shank.Document\Insertable\	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Shank.Document\protocol\StdFileEditing\verb	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Shank.Document\protocol\StdFileEditing\verb\0\ = "&Edit"	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\ = "TororoKonbu sHanko"	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Shank.Document\protocol\StdFileEditing\server\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5891F8~1.EXE"	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\InprocHandler32	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Shank.Document	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\AuxUserType\3\ = "e-Seal sHanko"	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\MiscStatus	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Shank.Document\protocol\StdFileEditing	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\Verb\1\ = "&Open,0,2"	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0DDA7B80-A080-101E-AC9F-B60A0C08752A}\AuxUserType	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Shank.Document\protocol\StdFileEditing\server	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2848	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
2848	5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe

C:\Users\Admin\AppData\Local\Temp\5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe
"C:\Users\Admin\AppData\Local\Temp\5891f867f0514cc64647c655c0cb257f93d67de53fc93b1bd80222a88526c410.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\hanko.ini

Filesize
22B

MD5
31e8d64c73afa8beb176cc72b53598b4

SHA1
913159eadf835dfe6a8596eee321069b7535b313

SHA256
8f66c4614edbab68f0edcc95f39bc7027f1f57c6bb215e29b4fe37b3eb81e31d

SHA512
a852adc0d2dc05e571fe870a2ae9cf515b0c431c3c142f88a2ee74edc0f56da31ef9178baee6f5e72c7b69e48cd3927463ba2058b1daafc76d7351665b888c91

Download Submit