Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/11/2024, 12:42

General

  • Target

    f72833deb487adb65ad79f0c4d2df51ea753f0206af18e8c72fa1916a066ffc9N.exe

  • Size

    84KB

  • MD5

    dc7b3c0f11fe1f5738b649f9d36782c6

  • SHA1

    e2eee284f4e3ac477eadde6b53ccc725b7aacaaa

  • SHA256

    8a77240a1437b5c433fd3e79358be8411ffb5422b297641f0a52c0feeb19ef40

  • SHA512

    baff6e6adba0e591c91d0bfee1abf78fe69985cd8fa68d9ebff7f8d5a1b1b92f1b32aa6f6677488fd5254137dab89c21ecb67c584fdf3a9f8b67c6358459eb3b

  • SSDEEP

    768:sv6nMfqPS4BMSrc8ebdtF5EmpW/p/hxRSH9NxIkL9v/Q6sWTMR2iRw:svgBoZKmpSFhxRSHdL9bsi42iRw

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f72833deb487adb65ad79f0c4d2df51ea753f0206af18e8c72fa1916a066ffc9N.exe
    "C:\Users\Admin\AppData\Local\Temp\f72833deb487adb65ad79f0c4d2df51ea753f0206af18e8c72fa1916a066ffc9N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Users\Admin\huepee.exe
      "C:\Users\Admin\huepee.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2488
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 1472
      2⤵
      • Program crash
      PID:244
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2684 -ip 2684
    1⤵
      PID:3408

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\huepee.exe

    Filesize
    84KB

    MD5
    87e5e67c44a6853a3efeec8371c46b12

    SHA1
    8b322150827da6c00cc2688c283f0eb66ae7a2e6

    SHA256
    80f4b0b924d8cd3e9966fafb331893a69caf747eadf1c482edea1446c2632fe2

    SHA512
    76bbab3f00ddb9f9ffab8980bc77f98338de6703ea9afbee352f6023ca3ba3cd52c39ef119119353b7e30c8b7ff6edebfe04cb42d83565eee090c4ee644c2c04

  • memory/2488-33-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize
    112KB

  • memory/2488-38-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize
    112KB

  • memory/2684-0-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize
    112KB

  • memory/2684-37-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize
    112KB