2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46

General

Target

2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
Size

576KB
MD5

4fbf3ef1ae2a1e7a4ac62217833fd135
SHA1

b1e95acd1d6c5ece5009aad16e200391f04e371b
SHA256

2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46
SHA512

becba007222b52fdb566697ad1ed39ba7bd0f1c6e755dada5a9b2acbe1dd87ef604d43cf07e5d5d1ffa223924a41c87f4c69eb56ed5bfa1e5c993bdd52a361a1
SSDEEP

12288:ekNCadTPVIIZKT4sqqdwGePz+4gXG5Y9Jb/tBLMNn/9IUTUwSBDuC:DpF2hT4jz+4oUY9JRBLCVfIHBy

Score

9^/10

persistence

Malware Config

Signatures

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4256-141-0x0000000000000000-mapping.dmp	MailPassView
behavioral2/memory/4256-142-0x0000000000400000-0x0000000000484000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4256-141-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/4256-142-0x0000000000400000-0x0000000000484000-memory.dmp	WebBrowserPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4256-141-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4256-142-0x0000000000400000-0x0000000000484000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

hgcgc.exesvchost.exesvchost.exe

pid process

3452 hgcgc.exe
1928 svchost.exe
4256 svchost.exe

pid	process
3452	hgcgc.exe
1928	svchost.exe
4256	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chcgcx = "C:\\Users\\Admin\\AppData\\Roaming\\downloads\\hgcgc.exe"	2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

hgcgc.exe

description pid process target process

PID 3452 set thread context of 4256 3452 hgcgc.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exehgcgc.exe

pid process

1524 2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
3452 hgcgc.exe

description	pid	process	target process
PID 3452 set thread context of 4256	3452	hgcgc.exe	svchost.exe

pid	process
1524	2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
3452	hgcgc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exehgcgc.exe

description	pid	process	target process
PID 1524 wrote to memory of 3452	1524	2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe	hgcgc.exe
PID 1524 wrote to memory of 3452	1524	2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe	hgcgc.exe
PID 1524 wrote to memory of 3452	1524	2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe	hgcgc.exe
PID 3452 wrote to memory of 1928	3452	hgcgc.exe	svchost.exe
PID 3452 wrote to memory of 1928	3452	hgcgc.exe	svchost.exe
PID 3452 wrote to memory of 1928	3452	hgcgc.exe	svchost.exe
PID 3452 wrote to memory of 4256	3452	hgcgc.exe	svchost.exe
PID 3452 wrote to memory of 4256	3452	hgcgc.exe	svchost.exe
PID 3452 wrote to memory of 4256	3452	hgcgc.exe	svchost.exe
PID 3452 wrote to memory of 4256	3452	hgcgc.exe	svchost.exe
PID 3452 wrote to memory of 4256	3452	hgcgc.exe	svchost.exe
PID 3452 wrote to memory of 4256	3452	hgcgc.exe	svchost.exe
PID 3452 wrote to memory of 4256	3452	hgcgc.exe	svchost.exe
PID 3452 wrote to memory of 4256	3452	hgcgc.exe	svchost.exe
PID 3452 wrote to memory of 4256	3452	hgcgc.exe	svchost.exe
PID 3452 wrote to memory of 4256	3452	hgcgc.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
"C:\Users\Admin\AppData\Local\Temp\2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe
"C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3452

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe"
3⤵
- Executes dropped EXE
PID:1928

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe"
3⤵
- Executes dropped EXE
PID:4256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
32KB

MD5
3a77a4f220612fa55118fb8d7ddae83c

SHA1
b96fa726fc84fd46d03dd3c32689f645e0422278

SHA256
2cd6aacd0ed0f477f62833b13b97c26135f436dc59b0b09d4515a6c13cfe6e1f

SHA512
33a9cfc23d49505d7f2e1af4299ea2e6ccbe36daccc81c3dafc9652b8259083da88ee67312035e88dcbc1a6d76ce2c13b6067b6dbcc2afd310b91d4ee737c94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
32KB

MD5
3a77a4f220612fa55118fb8d7ddae83c

SHA1
b96fa726fc84fd46d03dd3c32689f645e0422278

SHA256
2cd6aacd0ed0f477f62833b13b97c26135f436dc59b0b09d4515a6c13cfe6e1f

SHA512
33a9cfc23d49505d7f2e1af4299ea2e6ccbe36daccc81c3dafc9652b8259083da88ee67312035e88dcbc1a6d76ce2c13b6067b6dbcc2afd310b91d4ee737c94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
32KB

MD5
3a77a4f220612fa55118fb8d7ddae83c

SHA1
b96fa726fc84fd46d03dd3c32689f645e0422278

SHA256
2cd6aacd0ed0f477f62833b13b97c26135f436dc59b0b09d4515a6c13cfe6e1f

SHA512
33a9cfc23d49505d7f2e1af4299ea2e6ccbe36daccc81c3dafc9652b8259083da88ee67312035e88dcbc1a6d76ce2c13b6067b6dbcc2afd310b91d4ee737c94d

Download Submit
C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe
Filesize
576KB

MD5
bd69f5cbb1c7b9e0b9af4cd6f5c0b518

SHA1
25b677796521fbe484cb6b6a1c863033b1fae404

SHA256
71ee42d16270dc1c30348cdad7bc557f0831bd84aaa6d4f3cc28df065e6b79dc

SHA512
53cdc6e748b5b1cc7d84678f46808837794d166e818bf5906e1ab2788b9cba3d6ea31879d5e4c34482368b1bef3c02132ba278a55c60bc7585cd7d5ec759fffd

Download Submit
C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe
Filesize
576KB

MD5
bd69f5cbb1c7b9e0b9af4cd6f5c0b518

SHA1
25b677796521fbe484cb6b6a1c863033b1fae404

SHA256
71ee42d16270dc1c30348cdad7bc557f0831bd84aaa6d4f3cc28df065e6b79dc

SHA512
53cdc6e748b5b1cc7d84678f46808837794d166e818bf5906e1ab2788b9cba3d6ea31879d5e4c34482368b1bef3c02132ba278a55c60bc7585cd7d5ec759fffd

Download Submit
memory/1524-134-0x0000000002290000-0x0000000002296000-memory.dmp

Filesize
24KB

Download
memory/3452-135-0x0000000000000000-mapping.dmp

Download
memory/4256-141-0x0000000000000000-mapping.dmp

Download
memory/4256-142-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4256-145-0x0000000074300000-0x00000000748B1000-memory.dmp

Filesize
5.7MB

Download
memory/4256-146-0x0000000074300000-0x00000000748B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads