26c5013c45b75f401bdf8c8389bb66b9f17bdc1cd0851a8b1803ec7a85dbd96a

Analysis

max time kernel
2s
max time network
6s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 22:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

hacn.exe
Size

14.9MB
MD5

2f20a53d05d89d72a94192a6b8098b77
SHA1

5558fea4d61191ae61f1996a2800b7a17a3f34e0
SHA256

26c5013c45b75f401bdf8c8389bb66b9f17bdc1cd0851a8b1803ec7a85dbd96a
SHA512

147e0243ff304aa5316a0e1389f55c969193bf8513e893bf8fe7c1f3d9ff37afbb0cbbeeb966a98fc728e6b81b14bf4e440e5989e485fe461bb8bf7dc93b814e
SSDEEP

393216:HDfDoc6vWh2uCaoj0wAyvBF21TI6nx0I:Hb7uWhni0wx36

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
232	s.exe

Loads dropped DLL 2 IoCs

pid	Process
1388	hacn.exe
1388	hacn.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 1388	636	hacn.exe	85
PID 636 wrote to memory of 1388	636	hacn.exe	85
PID 1388 wrote to memory of 3184	1388	hacn.exe	86
PID 1388 wrote to memory of 3184	1388	hacn.exe	86
PID 3184 wrote to memory of 232	3184	cmd.exe	90
PID 3184 wrote to memory of 232	3184	cmd.exe	90
PID 3184 wrote to memory of 232	3184	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\hacn.exe
"C:\Users\Admin\AppData\Local\Temp\hacn.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:636
- C:\Users\Admin\AppData\Local\Temp\hacn.exe
  "C:\Users\Admin\AppData\Local\Temp\hacn.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI6362\s.exe -pbeznogym
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Users\Admin\AppData\Local\Temp\_MEI6362\s.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI6362\s.exe -pbeznogym
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:232
    - - C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        5⤵
        
        PID:4484
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe"
        6⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat" "
        7⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor/ChainComServermonitor.exe"
        8⤵
        
        PID:2376
    - - C:\ProgramData\main.exe
        
        "C:\ProgramData\main.exe"
        5⤵
        
        PID:2892
    - - C:\ProgramData\setup.exe
        
        "C:\ProgramData\setup.exe"
        5⤵
        
        PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\main.exe

Filesize
3.8MB

MD5
b19494bbacd440c14aa305712b9e2f02

SHA1
8943fa7af98c30b18c08ad455a90e897c7251674

SHA256
b4168be39fe6e89451a7d85caa5b03fc494ad320f2f250f7187c125eba2954fa

SHA512
5aea256645f76b0abbe5230e85588b89b1608b671837abe2fb8cc57d5eefc50e2f42291b763a698fab924bf3bc7f3cc4d8c43d1b1507097a8d27a658251c875f

Download Submit
C:\ProgramData\main.exe

Filesize
3.0MB

MD5
36d58381fe1d88a10a5408fbfa2c64c8

SHA1
08d4c9d2dff148dba499d3dd4bf9a2d1eaaa9d47

SHA256
b9ef5694e29ce2f23a86b8c68b7cde34ef54b0db22ed5f214f0763a8a9801082

SHA512
05c9dac480da31cad9868b54308834338147c086d2111968594f24396527563a7defabf26228679498de50c423850743eb9979dc5237e9fdc8ff72e716bb0ebb

Download Submit
C:\ProgramData\main.exe

Filesize
3.1MB

MD5
14160027bf28c43c154e316b5935ca80

SHA1
6db15975945ea9063c4498a3d958aec34b8a12b3

SHA256
a88ff4cf18ee34767c359a7d7b53b5f6e19c83a3ab235f36c54a860dc872cd47

SHA512
b74f559e230046a5028319d544c6ecad97ef7e071966e8e62d98a6e7274606e3166c724a15ca3c46d78f89d222e0b0f9bb84ef04a5ec7be524f37df67a1cf9e1

Download Submit
C:\ProgramData\setup.exe

Filesize
3.1MB

MD5
cec70c52366d004602db29019e7d0db7

SHA1
2f7445cd60b20c744faa35cdc526f563962c1a70

SHA256
219b12f495b94cd0f0bf5873b3c7f007191b590a6568bb5e845392e195ffa6da

SHA512
7f6fea62d4c1df0e38736edf94615ef17ee4e896c50cbb002128b13cf7d02a5bbc1d87f9b82f1c21ec27ed03d68a0bafc972b933d3161d1568383d03f7f386b6

Download Submit
C:\ProgramData\setup.exe

Filesize
3.1MB

MD5
3b21159ce2238d32654517275b9f3f35

SHA1
bdfa50e1ea7ddd7891604344fbbb5a8b8b877577

SHA256
13f095e0fddfd320dc43e3dfe1ac31a58a54722d8e229abae4f021695e070507

SHA512
209f6ab3c1e771c2020a9558776a7341b3cb5c8cf6e00c0fd02238df5d3f0aee10568c156f1d0cbf6db2cc081d3fb0d5f2c252b907e1eced7b65ffb6e9b8328f

Download Submit
C:\ProgramData\setup.exe

Filesize
2.4MB

MD5
7ae0e085b7d190e6a813eddf40cc52f5

SHA1
7fba329012904f81c3f0bba19b49d3075349846b

SHA256
8ee058a51f7da7d67b12c35788c078f8d1f0142e44de01b09473f04e88d49df4

SHA512
68b77bca6b290b6e4a34b965c16da20982542d0865bd6050a9027bfc3e5eaf11529158f6f26975ce07c222e55902d76b5603ef412c73ac8821208041d7c570a7

Download Submit
C:\ProgramData\svchost.exe

Filesize
3.9MB

MD5
45c59202dce8ed255b4dbd8ba74c630f

SHA1
60872781ed51d9bc22a36943da5f7be42c304130

SHA256
d07c47f759245d34a5b94786637c3d2424c7e3f3dea3d738d95bf4721dbf3b16

SHA512
fff5b16ae38681ed56782c0f0423560dab45065685d7272424206f43c80486318180aa22d66bd197c8c530e4c24dbaaaa020beb76b619dc767ee59faa27e23ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\_bz2.pyd

Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\_decimal.pyd

Filesize
248KB

MD5
20c77203ddf9ff2ff96d6d11dea2edcf

SHA1
0d660b8d1161e72c993c6e2ab0292a409f6379a5

SHA256
9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

SHA512
2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\_lzma.pyd

Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\base_library.zip

Filesize
859KB

MD5
c4989bceb9e7e83078812c9532baeea7

SHA1
aafb66ebdb5edc327d7cb6632eb80742be1ad2eb

SHA256
a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd

SHA512
fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\s.exe

Filesize
9.8MB

MD5
f651062559f616ac562c15b565cbc13f

SHA1
c68023a67c88c0a1cdd7c2244a39c4b6928ca338

SHA256
9fcfbae706772f70be1daf4ae23ab366d9a479b8bacaa9ac1339d95a203119f2

SHA512
a73e37a3bac664c1f957921e6a3c5323b018950f7d45add5591c221db131ee79541cab2aa80e03b2202bcaf9fddd9f85c5a2eff172ecc64f78f665f59a3aafc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6362\unicodedata.pyd

Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

Filesize
2.6MB

MD5
ad69b5e6af3b440e0561708b11a90a73

SHA1
cf90e24dae01f2525e672a606f8634968411696b

SHA256
23888c6c9ea6c18eab1c330cb0424687a1bf7445f7408000416a3b5f4e8b8fa9

SHA512
db84e41d4b262097debd2eab3b093ea6845d4d5fd5e1174312467ed08df8605998627494174d9b9d3ba3ea1f1707776951ed7fe1d091f31915456b355308613d

Download Submit
C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\ChainComServermonitor.exe

Filesize
1.9MB

MD5
b7cba044464b12cbbad595c9f27efe55

SHA1
4fb2c72bce0b63373215d36451099e2ddc701955

SHA256
db0abfec3326a33622bf125163574e48bf0dee9915b7e187d614e7153e5abb65

SHA512
fce41a9da36c672fda5393f4318753d730a145ea24aa9435d89be77e21a8b3042d53e7181ebd5d5f106986f1c0a23838fc27532e3c73f31a94eb1b282c022696

Download Submit
C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\oGgyulsi03j6EO3sjCC.bat

Filesize
103B

MD5
77218ae27e9ad896918d9a081c61b1be

SHA1
3c8ebaa8fa858b82e513ccf482e11172b0f52ce0

SHA256
e09540a47f3647a9fdf9673281e2664441bbaee8d3236d22b1875b9d23abacab

SHA512
6a16b367a762132172830fd81c41c58ac49de788eed93d4c5526f8f0e6859703b336a137fd8d4fe7088b4110d72e5f4767b6462bc4651769924b67305719f30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msAgentSavesmonitor\pFG3Duil1NAbFHoInFFIi7JfPHXMZXRvb98S0ewJA0VkW.vbe

Filesize
217B

MD5
d6da6166258e23c9170ee2a4ff73c725

SHA1
c3c9d6925553e266fe6f20387feee665ce3e4ba9

SHA256
78ee67a8ae359f697979f4cd3c7228d3235c32d3b611303e070b71414591ba1e

SHA512
37a5a18acbb56e5458baebb12a4d3b3229b218eb606be3535d1c30e8e0d4fa969543889c587078456321209fe4503688432f45ff35a7af598b770393e7ae3b05

Download Submit
memory/2376-90-0x0000000001610000-0x0000000001620000-memory.dmp

Filesize
64KB

Download
memory/2376-92-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/2376-76-0x00000000008F0000-0x0000000000C82000-memory.dmp

Filesize
3.6MB

Download
memory/2376-111-0x000000001BC00000-0x000000001BC10000-memory.dmp

Filesize
64KB

Download
memory/2376-79-0x0000000002EF0000-0x0000000002F16000-memory.dmp

Filesize
152KB

Download
memory/2376-83-0x0000000001620000-0x000000000163C000-memory.dmp

Filesize
112KB

Download
memory/2376-84-0x0000000002F70000-0x0000000002FC0000-memory.dmp

Filesize
320KB

Download
memory/2376-86-0x0000000001600000-0x0000000001610000-memory.dmp

Filesize
64KB

Download
memory/2376-81-0x00000000015B0000-0x00000000015BE000-memory.dmp

Filesize
56KB

Download
memory/2376-94-0x0000000002F30000-0x0000000002F3E000-memory.dmp

Filesize
56KB

Download
memory/2376-105-0x000000001C180000-0x000000001C6A8000-memory.dmp

Filesize
5.2MB

Download
memory/2376-109-0x000000001BBF0000-0x000000001BC00000-memory.dmp

Filesize
64KB

Download
memory/2376-88-0x0000000002F40000-0x0000000002F58000-memory.dmp

Filesize
96KB

Download
memory/2376-96-0x0000000002F60000-0x0000000002F6E000-memory.dmp

Filesize
56KB

Download
memory/2376-98-0x000000001B9C0000-0x000000001B9D2000-memory.dmp

Filesize
72KB

Download
memory/2376-100-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/2376-102-0x000000001BC10000-0x000000001BC26000-memory.dmp

Filesize
88KB

Download
memory/2376-104-0x000000001BC30000-0x000000001BC42000-memory.dmp

Filesize
72KB

Download
memory/2376-107-0x0000000002FD0000-0x0000000002FDE000-memory.dmp

Filesize
56KB

Download
memory/2892-70-0x000001323EA40000-0x000001323EAB6000-memory.dmp

Filesize
472KB

Download
memory/2892-61-0x0000013224030000-0x00000132245D0000-memory.dmp

Filesize
5.6MB

Download
memory/2892-77-0x00000132261A0000-0x00000132261BE000-memory.dmp

Filesize
120KB

Download