8e52ba7440f011237baf21e72d9f1959745191ebbf0cd71a4f0132ab8348a7ed

Analysis

max time kernel
153s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26/11/2022, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HearthBuddy/СDРаtcher.exe
Size

248KB
MD5

9fc784dc68fdba14bb4a3d0119a570c2
SHA1

e7af27020339711043b3d2eed9b1cfd9a4071e30
SHA256

0b56d9cc1fc6cac40c16471797015d6f338371e90e86056b7e5eaad801409daf
SHA512

469c0261f0c8d9e3cd2ec7cc9b2685d7ef91dcd8af182da9a3de408d4d8879617473bcc7a1b73767e5caa94419c4f62419685892d41fa0bb8e59d196eb0eaf5a
SSDEEP

6144:orS+Eo+YBOU0zoJ836T9sJ8BaF9m+9tK74HkldENff4uL4ELR9xk90:z+D+8OUwj3qsjbm+9t24HkldENff4uLf

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
556	tmp4BA1.tmp

Loads dropped DLL 1 IoCs

pid	Process
1244	СDРаtcher.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1244	СDРаtcher.exe
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp
556	tmp4BA1.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1244	СDРаtcher.exe
Token: SeDebugPrivilege	556	tmp4BA1.tmp

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 556	1244	СDРаtcher.exe	28
PID 1244 wrote to memory of 556	1244	СDРаtcher.exe	28
PID 1244 wrote to memory of 556	1244	СDРаtcher.exe	28
PID 1244 wrote to memory of 556	1244	СDРаtcher.exe	28

C:\Users\Admin\AppData\Local\Temp\HearthBuddy\СDРаtcher.exe
"C:\Users\Admin\AppData\Local\Temp\HearthBuddy\СDРаtcher.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\tmp4BA1.tmp
  "C:\Users\Admin\AppData\Local\Temp\tmp4BA1.tmp" "C:\Users\Admin\AppData\Local\Temp\HearthBuddy\Settings.xml"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4BA1.tmp

Filesize
248KB

MD5
9fc784dc68fdba14bb4a3d0119a570c2

SHA1
e7af27020339711043b3d2eed9b1cfd9a4071e30

SHA256
0b56d9cc1fc6cac40c16471797015d6f338371e90e86056b7e5eaad801409daf

SHA512
469c0261f0c8d9e3cd2ec7cc9b2685d7ef91dcd8af182da9a3de408d4d8879617473bcc7a1b73767e5caa94419c4f62419685892d41fa0bb8e59d196eb0eaf5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4BA1.tmp

Filesize
248KB

MD5
9fc784dc68fdba14bb4a3d0119a570c2

SHA1
e7af27020339711043b3d2eed9b1cfd9a4071e30

SHA256
0b56d9cc1fc6cac40c16471797015d6f338371e90e86056b7e5eaad801409daf

SHA512
469c0261f0c8d9e3cd2ec7cc9b2685d7ef91dcd8af182da9a3de408d4d8879617473bcc7a1b73767e5caa94419c4f62419685892d41fa0bb8e59d196eb0eaf5a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp4BA1.tmp

Filesize
248KB

MD5
9fc784dc68fdba14bb4a3d0119a570c2

SHA1
e7af27020339711043b3d2eed9b1cfd9a4071e30

SHA256
0b56d9cc1fc6cac40c16471797015d6f338371e90e86056b7e5eaad801409daf

SHA512
469c0261f0c8d9e3cd2ec7cc9b2685d7ef91dcd8af182da9a3de408d4d8879617473bcc7a1b73767e5caa94419c4f62419685892d41fa0bb8e59d196eb0eaf5a

Download Submit
memory/556-61-0x0000000000FF0000-0x0000000001034000-memory.dmp

Filesize
272KB

Download
memory/556-63-0x0000000000FB5000-0x0000000000FC6000-memory.dmp

Filesize
68KB

Download
memory/556-64-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download
memory/556-65-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download
memory/556-66-0x0000000000FB5000-0x0000000000FC6000-memory.dmp

Filesize
68KB

Download
memory/556-67-0x0000000000290000-0x000000000029A000-memory.dmp

Filesize
40KB

Download
memory/1244-54-0x0000000001350000-0x0000000001394000-memory.dmp

Filesize
272KB

Download
memory/1244-56-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1244-55-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download