Analysis
  max time kernel:   63s
  max time network:  34s
  platform:          windows11-21h2_x64
  resource:          win11-20241007-en
  resource tags:     arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:         07-10-2024 14:21
General
  Target:  hppb_installer.exe
  Size:    12.0MB
  MD5:     bfcfbcb223ca8d1ffbfd2f9c2bbe4ae4
  SHA1:    e374edabe7c052d4041418687c8f94d777ede11d
  SHA256:  4a77e7f6f432308d7480b7b08c059525d9127061917f095fe1d6d4d637d9835f
  SHA512:  a74393120db156843718c2c3c9b85d61b32c5903786b3f108508930066f68a4e0a60eecc66f3f0be9687dbab31fddf3dab136170c38f6a9e03ab2e34976bcd13
  SSDEEP:  196608:BfXH8ZbMHqhgzI620vY6s0JVxGpG5DUVhTRsof/N6v/WYRULQoAaudIkr2N6jssS:BfXURhGy0Q9GypGJUrFsonGRUL9ZudIx
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
  pid   Process
  4652  Product Bulletin.exe

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

  resource                                                                    yara_rule
  behavioral1/memory/3476-0-0x0000000000400000-0x0000000001566000-memory.dmp   upx
  behavioral1/memory/3476-8-0x0000000000400000-0x0000000001566000-memory.dmp   upx
  behavioral1/memory/3476-9-0x0000000000400000-0x0000000001566000-memory.dmp   upx
  behavioral1/memory/3476-28-0x0000000000400000-0x0000000001566000-memory.dmp  upx
  behavioral1/files/0x001900000002ab0b-40.dat                                 upx
  behavioral1/memory/3476-58-0x0000000000400000-0x0000000001566000-memory.dmp  upx
  behavioral1/memory/4652-69-0x0000000000400000-0x0000000000FAF000-memory.dmp  upx
  behavioral1/memory/3476-84-0x0000000000400000-0x0000000001566000-memory.dmp  upx
  behavioral1/memory/4652-83-0x0000000000400000-0x0000000000FAF000-memory.dmp  upx
  behavioral1/memory/4652-87-0x0000000000400000-0x0000000000FAF000-memory.dmp  upx
  behavioral1/memory/4652-97-0x0000000000400000-0x0000000000FAF000-memory.dmp  upx
  behavioral1/memory/4652-98-0x0000000000400000-0x0000000000FAF000-memory.dmp  upx
  behavioral1/memory/4652-99-0x0000000000400000-0x0000000000FAF000-memory.dmp  upx
  behavioral1/memory/4652-100-0x0000000000400000-0x0000000000FAF000-memory.dmp upx
  behavioral1/memory/4652-101-0x0000000000400000-0x0000000000FAF000-memory.dmp upx
  behavioral1/memory/4652-102-0x0000000000400000-0x0000000000FAF000-memory.dmp upx
  behavioral1/memory/4652-103-0x0000000000400000-0x0000000000FAF000-memory.dmp upx

Drops file in Program Files directory (1 IoCs)
  description   ioc                                                              Process
  File created  C:\Program Files (x86)\HPE Product Bulletin\Product Bulletin.exe  hppb_installer.exe

Drops file in Windows directory (5 IoCs)
  description   ioc                                              Process
  File created  C:\Windows\Fonts\MetricHPE-Desktop-Light.oft     hppb_installer.exe
  File created  C:\Windows\Fonts\MetricHPE-Desktop-Regular.oft   hppb_installer.exe
  File created  C:\Windows\Fonts\MetricHPE-Desktop-Semibold.oft  hppb_installer.exe
  File created  C:\Windows\Fonts\HPSimplified-Regular.ttf        hppb_installer.exe
  File created  C:\Windows\Fonts\HPSimplified-Bold.ttf           hppb_installer.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  hppb_installer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Product Bulletin.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid   Process
  3476  hppb_installer.exe
  3476  hppb_installer.exe
  4652  Product Bulletin.exe
  4652  Product Bulletin.exe
  4652  Product Bulletin.exe
  4652  Product Bulletin.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process             procid_target
  PID 3476 wrote to memory of 4652   3476  hppb_installer.exe  80
  PID 3476 wrote to memory of 4652   3476  hppb_installer.exe  80
  PID 3476 wrote to memory of 4652   3476  hppb_installer.exe  80
Processes

1. C:\Users\Admin\AppData\Local\Temp\hppb_installer.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\hppb_installer.exe"
   PID: 3476
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\HPE Product Bulletin\Product Bulletin.exe (child of 1)
      Command line: "C:\Program Files (x86)\HPE Product Bulletin\Product Bulletin.exe"
      PID: 4652
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads