hiddentear | fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd

Analysis

Target

software-launcher.exe
Size

207KB
MD5

900c456cbcd61ed2bf91378112e93eb0
SHA1

c227ca088a4f80729b83396cafa0152d9778254e
SHA256

fd945e2cc6d1b3a453135d5df04eeccbfd16f76e0744dd27b99e0eccaa9053bd
SHA512

e9e71efbe7e70ece0d5022c401d6cb8c808237946b6a30fcfe18d8d43ea93460c04977015daf05a7baa5a9f1467c5ffdcf499a52706c27a0055529a3f38f0ba7

Score

10^/10

HiddenTear Ransomware
Open-Source ransomware available on Github since 2015, with many versions in the wild.
ransomware hiddentear
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

software-launcher.exe

description ioc process

File renamed C:\Users\Admin\Pictures\SwitchReset.png => C:\Users\Admin\Pictures\SwitchReset.png.klavins software-launcher.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SwitchReset.png => C:\Users\Admin\Pictures\SwitchReset.png.klavins	software-launcher.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = bdfd26760182d601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

svchost.exesoftware-launcher.exe

description	pid	process
Token: SeShutdownPrivilege	744	svchost.exe
Token: SeCreatePagefilePrivilege	744	svchost.exe
Token: SeDebugPrivilege	3104	software-launcher.exe

memory/3104-0-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/3104-1-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/3104-3-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/3104-4-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/3104-5-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download