Analysis
max time kernel: 192s
max time network: 215s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 22:17
Static task
static1
Behavioral task
behavioral1
Sample
2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
Resource
win10v2004-20221111-en
General
Target: 2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
Size: 576KB
MD5: 4fbf3ef1ae2a1e7a4ac62217833fd135
SHA1: b1e95acd1d6c5ece5009aad16e200391f04e371b
SHA256: 2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46
SHA512: becba007222b52fdb566697ad1ed39ba7bd0f1c6e755dada5a9b2acbe1dd87ef604d43cf07e5d5d1ffa223924a41c87f4c69eb56ed5bfa1e5c993bdd52a361a1
SSDEEP: 12288:ekNCadTPVIIZKT4sqqdwGePz+4gXG5Y9Jb/tBLMNn/9IUTUwSBDuC:DpF2hT4jz+4oUY9JRBLCVfIHBy
Malware Config
Signatures
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
Processes:
resource                                                                      yara_rule
behavioral2/memory/4256-141-0x0000000000000000-mapping.dmp                    MailPassView
behavioral2/memory/4256-142-0x0000000000400000-0x0000000000484000-memory.dmp  MailPassView
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource                                                                      yara_rule
behavioral2/memory/4256-141-0x0000000000000000-mapping.dmp                    WebBrowserPassView
behavioral2/memory/4256-142-0x0000000000400000-0x0000000000484000-memory.dmp  WebBrowserPassView
Nirsoft 2 IoCs
Processes:
resource                                                                      yara_rule
behavioral2/memory/4256-141-0x0000000000000000-mapping.dmp                    Nirsoft
behavioral2/memory/4256-142-0x0000000000400000-0x0000000000484000-memory.dmp  Nirsoft
Executes dropped EXE 3 IoCs
Processes:
pid   process
3452  hgcgc.exe
1928  svchost.exe
4256  svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                  process
Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                                                  process
Set value (str)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chcgcx = "C:\\Users\\Admin\\AppData\\Roaming\\downloads\\hgcgc.exe"  2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process    target process
PID 3452 set thread context of 4256  3452  hgcgc.exe  svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
1524  2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
3452  hgcgc.exe
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
description                       pid   process                                                                pid  target process
PID 1524 wrote to memory of 3452  1524  2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe  hgcgc.exe
PID 1524 wrote to memory of 3452  1524  2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe  hgcgc.exe
PID 1524 wrote to memory of 3452  1524  2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe  hgcgc.exe
PID 3452 wrote to memory of 1928  3452  hgcgc.exe                                                              svchost.exe
PID 3452 wrote to memory of 1928  3452  hgcgc.exe                                                              svchost.exe
PID 3452 wrote to memory of 1928  3452  hgcgc.exe                                                              svchost.exe
PID 3452 wrote to memory of 4256  3452  hgcgc.exe                                                              svchost.exe
PID 3452 wrote to memory of 4256  3452  hgcgc.exe                                                              svchost.exe
PID 3452 wrote to memory of 4256  3452  hgcgc.exe                                                              svchost.exe
PID 3452 wrote to memory of 4256  3452  hgcgc.exe                                                              svchost.exe
PID 3452 wrote to memory of 4256  3452  hgcgc.exe                                                              svchost.exe
PID 3452 wrote to memory of 4256  3452  hgcgc.exe                                                              svchost.exe
PID 3452 wrote to memory of 4256  3452  hgcgc.exe                                                              svchost.exe
PID 3452 wrote to memory of 4256  3452  hgcgc.exe                                                              svchost.exe
PID 3452 wrote to memory of 4256  3452  hgcgc.exe                                                              svchost.exe
PID 3452 wrote to memory of 4256  3452  hgcgc.exe                                                              svchost.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2daabbbfe95fdbffeac7755ef312bdb8b7c168860e347f6684c9080c691b9d46.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID:1524
   2. C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe
      Command line: "C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:3452
      3. C:\Users\Admin\AppData\Local\Temp\svchost.exe
         Command line: "C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe"
         - Executes dropped EXE
         PID:1928
      3. C:\Users\Admin\AppData\Local\Temp\svchost.exe
         Command line: "C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe"
         - Executes dropped EXE
         PID:4256
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize: 32KB
MD5: 3a77a4f220612fa55118fb8d7ddae83c
SHA1: b96fa726fc84fd46d03dd3c32689f645e0422278
SHA256: 2cd6aacd0ed0f477f62833b13b97c26135f436dc59b0b09d4515a6c13cfe6e1f
SHA512: 33a9cfc23d49505d7f2e1af4299ea2e6ccbe36daccc81c3dafc9652b8259083da88ee67312035e88dcbc1a6d76ce2c13b6067b6dbcc2afd310b91d4ee737c94d
C:\Users\Admin\AppData\Roaming\downloads\hgcgc.exe
Filesize: 576KB
MD5: bd69f5cbb1c7b9e0b9af4cd6f5c0b518
SHA1: 25b677796521fbe484cb6b6a1c863033b1fae404
SHA256: 71ee42d16270dc1c30348cdad7bc557f0831bd84aaa6d4f3cc28df065e6b79dc
SHA512: 53cdc6e748b5b1cc7d84678f46808837794d166e818bf5906e1ab2788b9cba3d6ea31879d5e4c34482368b1bef3c02132ba278a55c60bc7585cd7d5ec759fffd
memory/1524-134-0x0000000002290000-0x0000000002296000-memory.dmp
Filesize: 24KB
memory/3452-135-0x0000000000000000-mapping.dmp
memory/4256-141-0x0000000000000000-mapping.dmp
memory/4256-142-0x0000000000400000-0x0000000000484000-memory.dmp
Filesize: 528KB
memory/4256-145-0x0000000074300000-0x00000000748B1000-memory.dmp
Filesize: 5.7MB
memory/4256-146-0x0000000074300000-0x00000000748B1000-memory.dmp
Filesize: 5.7MB