981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67d

General

Target

981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe
Size

208KB
MD5

6f4712ccbc6884c4b0de02329adcdb40
SHA1

71249c7b6e95b9efac00baa31370e61af96de438
SHA256

981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67d
SHA512

8b0742457ebc8b93a6b97cc3021decd225bcac886a2c3fd8ebcc80e225ae84a27f8ff70b92629b53db8177bd4e24fa4677373ddfef49ebd054c88e1a5bb8fd14
SSDEEP

6144:PwYPIuButXpthx5IDD12piyZFFepqyZlPQEj+:tPIuB8tL5I/1ciyZFFUqyZlPQB

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2736	HMENRBF.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\HMENRBF.exe	981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe
File opened for modification	C:\windows\HMENRBF.exe	981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe
File created	C:\windows\HMENRBF.exe.bat	981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HMENRBF.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2680	981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe
2680	981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe
2736	HMENRBF.exe
2736	HMENRBF.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2680	981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe
2680	981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe
2736	HMENRBF.exe
2736	HMENRBF.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2400	2680	981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe	30
PID 2680 wrote to memory of 2400	2680	981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe	30
PID 2680 wrote to memory of 2400	2680	981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe	30
PID 2680 wrote to memory of 2400	2680	981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe	30
PID 2400 wrote to memory of 2736	2400	cmd.exe	32
PID 2400 wrote to memory of 2736	2400	cmd.exe	32
PID 2400 wrote to memory of 2736	2400	cmd.exe	32
PID 2400 wrote to memory of 2736	2400	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe
"C:\Users\Admin\AppData\Local\Temp\981a1fa42273bc4448bcc255dda58c694457b497f7ecb8d40a38ca6302bfc67dN.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\HMENRBF.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\windows\HMENRBF.exe
    C:\windows\HMENRBF.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\HMENRBF.exe.bat

Filesize
60B

MD5
c4b09ff4ffa3c697f558bb6614e00f88

SHA1
f99c68e3e78c2a27654f8fe9b581012aff79027e

SHA256
25a694527c3971be56b97bbccab90dcc8bdb4ff29247c08647ff145f1d958769

SHA512
84e7038f9a70f97837568a85b31c1689de842d1a3e2bb6891e9af51a87754e0f9e4cdead28929a012ccb0ae6bb01bf525626d6f06fef99ad6a078dbfa2935462

Download Submit
C:\windows\HMENRBF.exe

Filesize
208KB

MD5
9ff0a1a10afc9cfde15b0efc01c4edbe

SHA1
67e248615f96e8cde0aa711a2c929b6e2cf6dbd4

SHA256
9c79224b6c7c8cdd06dbc643f9cea13bd716883ee7b5ad5ee3a11998ae5f1d8d

SHA512
2b37f3fff8155df9ce07228b9f1d6286be8e4ec9d6b69bb1dae81c0268509d4beecf9082ad30f5b43e61bb7b60ed4a536ec175654cf11e833bba4043e5f740e1

Download Submit
memory/2400-15-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2400-16-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2680-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2680-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2736-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2736-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing