6b9b0c2be545dc060c19760fb7437a2661c50797797faa167a4b00a9236d4f29

Analysis

max time kernel
119s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HBCD/WinTools/DialAFix.bat
Size

95B
MD5

a9c98bbda5bbd20f48fc57795784caeb
SHA1

8b27ccb07a220c9703775c3bbe31ff56fdb7d4e8
SHA256

86b2ead4191abaabdc5543de1fc355677caa0e0605b4f98ab87554ac046cf555
SHA512

3cb0b17f87e1c486c6dad121b78a316e3a70570fb365cb4d28d89f1419043353d2620e1ef2d8dea650eebb94969ca7cd98850a1263143ab6783d90e9a4c3b8cd

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Dialafix.exe

pid process

4608 Dialafix.exe
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral26/memory/4948-0-0x0000000000400000-0x000000000047D000-memory.dmp upx
behavioral26/memory/4948-7-0x0000000000400000-0x000000000047D000-memory.dmp upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Dialafix.exe

pid process

4608 Dialafix.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
4608	Dialafix.exe

resource	yara_rule
behavioral26/memory/4948-0-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral26/memory/4948-7-0x0000000000400000-0x000000000047D000-memory.dmp	upx

pid	process
4608	Dialafix.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1912 wrote to memory of 4948	1912	cmd.exe	uharc.exe
PID 1912 wrote to memory of 4948	1912	cmd.exe	uharc.exe
PID 1912 wrote to memory of 4948	1912	cmd.exe	uharc.exe
PID 1912 wrote to memory of 4608	1912	cmd.exe	Dialafix.exe
PID 1912 wrote to memory of 4608	1912	cmd.exe	Dialafix.exe
PID 1912 wrote to memory of 4608	1912	cmd.exe	Dialafix.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\HBCD\WinTools\DialAFix.bat"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\HBCD\uharc.exe
..\uharc.exe x -t"C:\Users\Admin\AppData\Local\Temp" -y+ files\dialafix.uha
2⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\Dialafix.exe
"C:\Users\Admin\AppData\Local\Temp\Dialafix.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dialafix.exe
Filesize
939KB

MD5
95929060bfc3464a3c9b9cd609bed14c

SHA1
025e89fb2c2425b8be0792668b76f978a56ac9ee

SHA256
889f374f42f531140f5a3f7b48a268c77d5cc84bb9565bfb759bd27cb14d5881

SHA512
77361d5bcc3e51a91fcb11e8be2252e56a752d4384e2dd3bbe56e5cf1eff2c554e2225d37cb957d51802daeefa749c98c636f2b6b706f6cf0b1a643becd01d49

Download Submit
memory/4608-10-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/4608-11-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4948-0-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4948-7-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download