e7fb2b7e714f4bc6245ae6ded64c74294e819a3569247a2e361d07ed310a578b

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7fb2b7e714f4bc6245ae6ded64c74294e819a3569247a2e361d07ed310a578bN.exe
Size

43KB
MD5

3326a87faeb8c2087f4988d390e5b230
SHA1

878a77cc2b96627ac2a4b4a31d6a80b35ba4454c
SHA256

e7fb2b7e714f4bc6245ae6ded64c74294e819a3569247a2e361d07ed310a578b
SHA512

28c353e6fd1b7656d7ea5c0b0a42bcf14952b390403884539b126d96d65b85c560b5e38bdf0b3365c1c3983d36123a782744d0b6fc61995070f634f6d2102583
SSDEEP

768:swg9aYfQkXdmCdMimsENm4QctL4yM2F4hUmQe:sR0QQwndcsE0vSMXzQe

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2796	hhcbrnaff.exe

Loads dropped DLL 1 IoCs

pid	Process
2192	e7fb2b7e714f4bc6245ae6ded64c74294e819a3569247a2e361d07ed310a578bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7fb2b7e714f4bc6245ae6ded64c74294e819a3569247a2e361d07ed310a578bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hhcbrnaff.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2796	2192	e7fb2b7e714f4bc6245ae6ded64c74294e819a3569247a2e361d07ed310a578bN.exe	30
PID 2192 wrote to memory of 2796	2192	e7fb2b7e714f4bc6245ae6ded64c74294e819a3569247a2e361d07ed310a578bN.exe	30
PID 2192 wrote to memory of 2796	2192	e7fb2b7e714f4bc6245ae6ded64c74294e819a3569247a2e361d07ed310a578bN.exe	30
PID 2192 wrote to memory of 2796	2192	e7fb2b7e714f4bc6245ae6ded64c74294e819a3569247a2e361d07ed310a578bN.exe	30

C:\Users\Admin\AppData\Local\Temp\e7fb2b7e714f4bc6245ae6ded64c74294e819a3569247a2e361d07ed310a578bN.exe
"C:\Users\Admin\AppData\Local\Temp\e7fb2b7e714f4bc6245ae6ded64c74294e819a3569247a2e361d07ed310a578bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe
  "C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hhcbrnaff.exe

Filesize
43KB

MD5
0f43adaeafcca931791cb9ad5601d8fe

SHA1
0dfd74ad160bf7c60e186db6d7aa6eaeaa156c8c

SHA256
02aa6bf664df4d1d36d3e5a57fb76832e09fc21194154c31e8b5bd8794e2d6f6

SHA512
db879f5379c12b8e30b6f64f2da1ad3879df1a2db5d5ccc1b5ab29015cc24bddb70c4185848d057e49aa049378d1908ae54f38d6962183c1055f1d8e01d81a3f

Download Submit
memory/2192-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2192-1-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2192-4-0x0000000002C20000-0x0000000003020000-memory.dmp

Filesize
4.0MB

Download
memory/2192-9-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2796-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2796-12-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/2796-14-0x0000000002BE0000-0x0000000002FE0000-memory.dmp

Filesize
4.0MB

Download
memory/2796-15-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download