Overview
overview
8Static
static
HearthBudd...xe.xml
windows7-x64
1HearthBudd...xe.xml
windows10-2004-x64
1HearthBudd...34.dll
windows7-x64
1HearthBudd...34.dll
windows10-2004-x64
1HearthBudd..._HB.js
windows7-x64
1HearthBudd..._HB.js
windows10-2004-x64
1HearthBudd...ic.dll
windows7-x64
1HearthBudd...ic.dll
windows10-2004-x64
1HearthBudd...dy.exe
windows7-x64
8HearthBudd...dy.exe
windows10-2004-x64
8HearthBudd...SM.dll
windows7-x64
1HearthBudd...SM.dll
windows10-2004-x64
1HearthBudd...ve.dll
windows7-x64
1HearthBudd...ve.dll
windows10-2004-x64
1HearthBudd...er.exe
windows7-x64
8HearthBudd...er.exe
windows10-2004-x64
8HearthBudd...er.exe
windows7-x64
1HearthBudd...er.exe
windows10-2004-x64
8Analysis
-
max time kernel
112s -
max time network
169s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
26/11/2022, 01:57
Static task
static1
Behavioral task
behavioral1
Sample
HearthBuddy/CDPatcher.exe.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
HearthBuddy/CDPatcher.exe.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
HearthBuddy/CompiledAssemblies/Silverfish_635523813765361934.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
HearthBuddy/CompiledAssemblies/Silverfish_635523813765361934.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
HearthBuddy/CustomDecks/Silverfish/silverfish_HB.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
HearthBuddy/CustomDecks/Silverfish/silverfish_HB.js
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
HearthBuddy/GreyMagic.dll
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral8
Sample
HearthBuddy/GreyMagic.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
HearthBuddy/Hearthbuddy.exe
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral10
Sample
HearthBuddy/Hearthbuddy.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
HearthBuddy/RemoteASM.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral12
Sample
HearthBuddy/RemoteASM.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
HearthBuddy/RemoteASMNative.dll
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral14
Sample
HearthBuddy/RemoteASMNative.dll
Resource
win10v2004-20221111-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
HearthBuddy/СDРаtcher.exe
Resource
win7-20221111-en
windows7-x64
Behavioral task
behavioral16
Sample
HearthBuddy/СDРаtcher.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
HearthBuddy/СDРаtcher.exe
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral18
Sample
HearthBuddy/СDРаtcher.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
HearthBuddy/CDPatcher.exe.xml
-
Size
1KB
-
MD5
05134a536c63991181b23e79fa8a9d60
-
SHA1
054778c1e662761fe7c1b1753e465680d34a54a7
-
SHA256
a34985fb2acb4f3cc0d2b6394109015f94e9e1f53cc2a13ad9c5ab81c78b6665
-
SHA512
04b3f88a09627c441b26da5c5b76e35a4f2fd865add8d6a6bc2321fb88c324d198377f8ca1f8840a27e7f52e9cab9ee59686045f561a8513ebdf1c55984fa7eb
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e2d9d6b8a2cc408df4fbbaa0eafa3b00000000020000000000106600000001000020000000a56118cd27cdbad28666c91a755d5a19653e706e1bf683a496acb788ae7da6a3000000000e8000000002000020000000c35e3ad526438b590f74da10255149bd6c348d290db452c6a714a82c7b56a43820000000520144c29e21bc6db67837eedda9559a6f0da8362df370e1528a68a90733939e400000006e66fe201859b9ec6573273f9d57e83e58eec6f23be49b6b16b4f75a41ac1d94fdd7e4c941b4fe21b280ce3eadf482b90a8d4f9888402d2009c9746be5d78fab IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0662575a401d901 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9E902EE1-6D97-11ED-A34F-EA25B6F29539} = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e2d9d6b8a2cc408df4fbbaa0eafa3b00000000020000000000106600000001000020000000a0994bd01ef8b2804f125248d2f0d632f6a0032f8bc1f5eab442b70c9b1dce8d000000000e8000000002000020000000713d152fa30b0edca73d8f580acb39b9a1982d72303cedd9fe204b5e6014768390000000f11f16dbb8f7e768489541a634f16375d2a35795f4be2876b2f16780e698dadd862d91422d268f78a4428054e6b1f19d5f5e9c3ecf7bd6a6715a3754dc1e01507763c298ad289d3cf98d5def2a087492adeb96bd214d249476e090310166b460395754c5af6c76e03151f57019a7b3b6720c91109dba1aaa03a3e3d782457b9292fa3b9cdc87c22e0f41eecb569911a3400000004cf2c650e15e513efa5e5e0ea80810a4fff1826b334c2e2765f66206f0ef805794f42a46dac5498c528d78dbd9fa6221a8848ca5d604201d561fa02002aafaab IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376238338" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 604 IEXPLORE.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 604 IEXPLORE.EXE 604 IEXPLORE.EXE 1632 IEXPLORE.EXE 1632 IEXPLORE.EXE 1632 IEXPLORE.EXE 1632 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1980 wrote to memory of 1492 1980 MSOXMLED.EXE 29 PID 1980 wrote to memory of 1492 1980 MSOXMLED.EXE 29 PID 1980 wrote to memory of 1492 1980 MSOXMLED.EXE 29 PID 1980 wrote to memory of 1492 1980 MSOXMLED.EXE 29 PID 1492 wrote to memory of 604 1492 iexplore.exe 30 PID 1492 wrote to memory of 604 1492 iexplore.exe 30 PID 1492 wrote to memory of 604 1492 iexplore.exe 30 PID 1492 wrote to memory of 604 1492 iexplore.exe 30 PID 604 wrote to memory of 1632 604 IEXPLORE.EXE 31 PID 604 wrote to memory of 1632 604 IEXPLORE.EXE 31 PID 604 wrote to memory of 1632 604 IEXPLORE.EXE 31 PID 604 wrote to memory of 1632 604 IEXPLORE.EXE 31
Processes
-
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\HearthBuddy\CDPatcher.exe.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome2⤵
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:604 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1632
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
608B
MD540846ace78e9e71e3789c0ce0479e829
SHA1e73c62c10208e39d94f4ccf6f2badb9a93490ffd
SHA2560d1805748499af65052ce301924f53e8484c1bd3fdf5f7ab0d746d8c13c86f44
SHA512077a9788a14c17c50dea75216fcb65065b21131cb94263572bd01fc0326e44102f712090edd91138803ee760366a74c292a0390b7a2e8e38dfd3be2a7abf8014