b82c3648e6de6c97e6f2c6414a6522a37de772d235a556ab1397ae85533512ba

Analysis

max time kernel
134s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-09-2024 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hime_1.07.exe
Size

10.3MB
MD5

e83f0d86d333a71ca13acf8691eeba69
SHA1

9240a914e8871f8c91705605fe4f68799f393f09
SHA256

b82c3648e6de6c97e6f2c6414a6522a37de772d235a556ab1397ae85533512ba
SHA512

bac8daea2d998ac71e2f6a4ea77f78267b90bd6fdcacf843559996898082d9c327fdce8224a9e61996cb2477a28a8e9a12d9ef1464628a1d5d83b72af8135cf8
SSDEEP

196608:qMO3UEy7hmFkSMYMv2/gkBX143lIUlOLuQMPGnuzSDB4jD4:qt3UEy7wFY2/gkB8gBMP1zSSX4

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hime_1.07.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Hime_1.07.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Hime_1.07.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3112	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3112	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2840	Hime_1.07.exe
2840	Hime_1.07.exe

C:\Users\Admin\AppData\Local\Temp\Hime_1.07.exe
"C:\Users\Admin\AppData\Local\Temp\Hime_1.07.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2840

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx

Filesize
420B

MD5
71638ffe66a0ac02476e354ec5cdd94f

SHA1
d0c607e7806ed9968191b5cb32796e4f643a42cb

SHA256
976fe2a66dac73a986e42e87a67d9d26cb0057dd3e81f4eea4db44e691a4cf2c

SHA512
da47cfecfe8b4142321986e1ca28a2183656b0dd21bea6b9d2ddf7dda853698c04b0d43d061e7a12a3002bc087777c131026a574ebd5a394a3fa8e196143c43f

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\openssl\cache\RevocationCacheFile.dat

Filesize
1024B

MD5
0f343b0931126a20f133d67c2b018a3b

SHA1
60cacbf3d72e1e7834203da608037b1bf83b40e8

SHA256
5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef

SHA512
8efb4f73c5655351c444eb109230c556d39e2c7624e9c11abc9e3fb4b9b9254218cc5085b454a9698d085cfa92198491f07a723be4574adc70617b73eb0b6461

Download Submit