Overview

overview

8

Static

static

HearthBudd...xe.xml

windows7-x64

1

HearthBudd...xe.xml

windows10-2004-x64

1

HearthBudd...34.dll

windows7-x64

1

HearthBudd...34.dll

windows10-2004-x64

1

HearthBudd..._HB.js

windows7-x64

1

HearthBudd..._HB.js

windows10-2004-x64

1

HearthBudd...ic.dll

windows7-x64

1

HearthBudd...ic.dll

windows10-2004-x64

1

HearthBudd...dy.exe

windows7-x64

8

HearthBudd...dy.exe

windows10-2004-x64

8

HearthBudd...SM.dll

windows7-x64

1

HearthBudd...SM.dll

windows10-2004-x64

1

HearthBudd...ve.dll

windows7-x64

1

HearthBudd...ve.dll

windows10-2004-x64

1

HearthBudd...er.exe

windows7-x64

8

HearthBudd...er.exe

windows10-2004-x64

8

HearthBudd...er.exe

windows7-x64

1

HearthBudd...er.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    90s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/11/2022, 01:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    HearthBuddy/СDРаtcher.exe

  • Size

    248KB

  • MD5

    9fc784dc68fdba14bb4a3d0119a570c2

  • SHA1

    e7af27020339711043b3d2eed9b1cfd9a4071e30

  • SHA256

    0b56d9cc1fc6cac40c16471797015d6f338371e90e86056b7e5eaad801409daf

  • SHA512

    469c0261f0c8d9e3cd2ec7cc9b2685d7ef91dcd8af182da9a3de408d4d8879617473bcc7a1b73767e5caa94419c4f62419685892d41fa0bb8e59d196eb0eaf5a

  • SSDEEP

    6144:orS+Eo+YBOU0zoJ836T9sJ8BaF9m+9tK74HkldENff4uL4ELR9xk90:z+D+8OUwj3qsjbm+9t24HkldENff4uLf

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HearthBuddy\СDРаtcher.exe
    "C:\Users\Admin\AppData\Local\Temp\HearthBuddy\СDРаtcher.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4960
    • C:\Users\Admin\AppData\Local\Temp\tmpE95B.tmp
      "C:\Users\Admin\AppData\Local\Temp\tmpE95B.tmp" "C:\Users\Admin\AppData\Local\Temp\HearthBuddy\Settings.xml"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4572

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpE95B.tmp
          Filesize

          248KB

          MD5

          9fc784dc68fdba14bb4a3d0119a570c2

          SHA1

          e7af27020339711043b3d2eed9b1cfd9a4071e30

          SHA256

          0b56d9cc1fc6cac40c16471797015d6f338371e90e86056b7e5eaad801409daf

          SHA512

          469c0261f0c8d9e3cd2ec7cc9b2685d7ef91dcd8af182da9a3de408d4d8879617473bcc7a1b73767e5caa94419c4f62419685892d41fa0bb8e59d196eb0eaf5a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpE95B.tmp
          Filesize

          248KB

          MD5

          9fc784dc68fdba14bb4a3d0119a570c2

          SHA1

          e7af27020339711043b3d2eed9b1cfd9a4071e30

          SHA256

          0b56d9cc1fc6cac40c16471797015d6f338371e90e86056b7e5eaad801409daf

          SHA512

          469c0261f0c8d9e3cd2ec7cc9b2685d7ef91dcd8af182da9a3de408d4d8879617473bcc7a1b73767e5caa94419c4f62419685892d41fa0bb8e59d196eb0eaf5a

          Download Submit

        • memory/4572-136-0x0000000006740000-0x0000000006CE4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4572-137-0x0000000005BC0000-0x0000000005C52000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4572-138-0x00000000055C0000-0x00000000055C8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4572-139-0x0000000006520000-0x0000000006528000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4572-140-0x00000000070B0000-0x00000000070E8000-memory.dmp

          Filesize

          224KB

          Download

        • memory/4572-141-0x0000000007090000-0x000000000709E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4960-132-0x0000000000F80000-0x0000000000FC4000-memory.dmp

          Filesize

          272KB

          Download