Analysis
- max time kernel: 15s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 13-09-2024 19:37
Static task: static1
Behavioral task: behavioral1
- Sample: 4918da40aac339a410da76ebabb87cc0N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 4918da40aac339a410da76ebabb87cc0N.exe
- Resource: win10v2004-20240802-en
General
- Target: 4918da40aac339a410da76ebabb87cc0N.exe
- Size: 44KB
- MD5: 4918da40aac339a410da76ebabb87cc0
- SHA1: d11a2897d7db9304ffbcfafe7ad8da0bbd9293a1
- SHA256: a05e5f27c77a04b66b6bd8a6e8028c4972ddac94eb4e954228c0b0e7fb5f0cbf
- SHA512: 427de382c45654a25e545ef5ea7c5f6e98bc2b1ab474968e7b3554644248146c52830396d2a4d2cfe810797abad6597c2ee7434dac58d70723883c3e25dde6c9
- SSDEEP: 384:IL1d8xSrN1g7xKudNdtADaM4E7FBoU+BH9eW:Igx+WxKuMDaMpZiU6eW
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2684, Process hcbnaf.exe
- Loads dropped DLL (1 IoC)
  pid 320, Process 4918da40aac339a410da76ebabb87cc0N.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4918da40aac339a410da76ebabb87cc0N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hcbnaf.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 320 wrote to memory of 2684 | 320 | 4918da40aac339a410da76ebabb87cc0N.exe | 31
  PID 320 wrote to memory of 2684 | 320 | 4918da40aac339a410da76ebabb87cc0N.exe | 31
  PID 320 wrote to memory of 2684 | 320 | 4918da40aac339a410da76ebabb87cc0N.exe | 31
  PID 320 wrote to memory of 2684 | 320 | 4918da40aac339a410da76ebabb87cc0N.exe | 31
Processes
1. C:\Users\Admin\AppData\Local\Temp\4918da40aac339a410da76ebabb87cc0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4918da40aac339a410da76ebabb87cc0N.exe"
   PID: 320
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe (child of PID 320)
      Command line: "C:\Users\Admin\AppData\Local\Temp\hcbnaf.exe"
      PID: 2684
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 44KB
- MD5: d1e44dd5bf10a86d3c084c40b7f61055
- SHA1: 0c6c5af3a0d65a47d7f3eb8669667382a2f9a337
- SHA256: 1b9368889f328f26a042e8418676a94879a6549b4d951a916397e32c110e4156
- SHA512: 6798e302026a9bcc39006436244d157a26eaaec2f52ee2befe94083aa19888d2a11dfe3b07f410c854d8a26fb846c8628d0b8d7776af6d37fe8daf37ff2d70ee