144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c

General

Target

144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c.exe
Size

1.2MB
MD5

5fcab883f8312424523dc63fb0e3154c
SHA1

bfbed5a8b496b44eae2045234fa39c2b21458618
SHA256

144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c
SHA512

0c5764a4b9841bdca6d9c85706612bc9cf0c935de7499c33b570f4613d53ea09d0d2dbe19cf17f1828b6602b130985265658c9a32d3054e89d4a4bb0778816cc
SSDEEP

24576:g/jTZeL2E6S4mWMvW7d1385F0+nHG1gw3:UgL16hnyrHw

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

hdhdgdg.exehdhdgdg.exe

pid process

624 hdhdgdg.exe
1792 hdhdgdg.exe

pid	process
624	hdhdgdg.exe
1792	hdhdgdg.exe

Loads dropped DLL 2 IoCs

Processes:

144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c.exe

pid	process
1516	144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c.exe
1516	144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hsgsgsg = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder\\hdhdgdg.exe"	144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

hdhdgdg.exe

description pid process target process

PID 624 set thread context of 1792 624 hdhdgdg.exe hdhdgdg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 624 set thread context of 1792	624	hdhdgdg.exe	hdhdgdg.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0e565965204d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000589183dd6e21354199df05f8e38d744b000000000200000000001066000000010000200000006add0e808771be096c94d17b86c4a7cc34350589813e0d93c931b8808bf7cf66000000000e8000000002000020000000e74cde52ab3dff888adb48872c6611874968e0ae6c6490f3bb4220acc362a322900000000f9964a8b015b6e3fec04bd150ffe624ee320a287767996bb938fbd7a7cb12747248f3686ae67c58e6aec2135b7beeb21067f659e0078d9ac92973672c9a11e5c29b9b2b570ebee6681ce8e8bbec865ff0162a5c19589d6ca4a27e838c078d85c8975039fb8393d94d58a68170819b39d2f6a23112f692e0a05a41cc4f0f9adec85326d70687cfa3614376352522af0640000000a5f04e4cec58aff3d3a49585f9dec87cce50bf774c33a68061fb292512211950eb827c7fdd2ab4ab2a4b58ccf833496a9e1d35b49cc89842f034316d9dbbe1f6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000589183dd6e21354199df05f8e38d744b000000000200000000001066000000010000200000002382cefa67a1c2df1d0955d048493fa04a29b5a5de207b53b9ab2d802ddfbfb9000000000e80000000020000200000003056a01aeb37df022bd455e25ed501fe3a8d98a53ce55abd11cc19fb662971c320000000fe1d78034e6214b2c565c3e3016d8bf59b72381f86c27555a522323d2ba5bc1e40000000b17bb5c4cbe741bbf68c18b8136b204c4477fbed895e9c458ea6051837fcff9fc0b773695ce0e73fa12286a0e70dea77c3f278712b3b496d77b8f29cb3f61d7c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376533006"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BA17B6A1-7045-11ED-A503-626C2AE6DC56} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1336 iexplore.exe

pid	process
1336	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c.exehdhdgdg.exeiexplore.exeIEXPLORE.EXE

pid	process
1516	144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c.exe
624	hdhdgdg.exe
1336	iexplore.exe
1336	iexplore.exe
668	IEXPLORE.EXE
668	IEXPLORE.EXE
668	IEXPLORE.EXE
668	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c.exehdhdgdg.exehdhdgdg.exeiexplore.exe

description	pid	process	target process
PID 1516 wrote to memory of 624	1516	144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c.exe	hdhdgdg.exe
PID 1516 wrote to memory of 624	1516	144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c.exe	hdhdgdg.exe
PID 1516 wrote to memory of 624	1516	144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c.exe	hdhdgdg.exe
PID 1516 wrote to memory of 624	1516	144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c.exe	hdhdgdg.exe
PID 624 wrote to memory of 1792	624	hdhdgdg.exe	hdhdgdg.exe
PID 624 wrote to memory of 1792	624	hdhdgdg.exe	hdhdgdg.exe
PID 624 wrote to memory of 1792	624	hdhdgdg.exe	hdhdgdg.exe
PID 624 wrote to memory of 1792	624	hdhdgdg.exe	hdhdgdg.exe
PID 624 wrote to memory of 1792	624	hdhdgdg.exe	hdhdgdg.exe
PID 624 wrote to memory of 1792	624	hdhdgdg.exe	hdhdgdg.exe
PID 624 wrote to memory of 1792	624	hdhdgdg.exe	hdhdgdg.exe
PID 624 wrote to memory of 1792	624	hdhdgdg.exe	hdhdgdg.exe
PID 624 wrote to memory of 1792	624	hdhdgdg.exe	hdhdgdg.exe
PID 624 wrote to memory of 1792	624	hdhdgdg.exe	hdhdgdg.exe
PID 1792 wrote to memory of 1336	1792	hdhdgdg.exe	iexplore.exe
PID 1792 wrote to memory of 1336	1792	hdhdgdg.exe	iexplore.exe
PID 1792 wrote to memory of 1336	1792	hdhdgdg.exe	iexplore.exe
PID 1792 wrote to memory of 1336	1792	hdhdgdg.exe	iexplore.exe
PID 1336 wrote to memory of 668	1336	iexplore.exe	IEXPLORE.EXE
PID 1336 wrote to memory of 668	1336	iexplore.exe	IEXPLORE.EXE
PID 1336 wrote to memory of 668	1336	iexplore.exe	IEXPLORE.EXE
PID 1336 wrote to memory of 668	1336	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c.exe
"C:\Users\Admin\AppData\Local\Temp\144fed083fecd1a36b5892ac3ccae575f4895a886b12cfa4395600e71149247c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Roaming\subfolder\hdhdgdg.exe
"C:\Users\Admin\AppData\Roaming\subfolder\hdhdgdg.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Roaming\subfolder\hdhdgdg.exe
"C:\Users\Admin\AppData\Roaming\subfolder\hdhdgdg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=hdhdgdg.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1336 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MS9YQZ09.txt
Filesize
606B

MD5
971e47df5e7842831cd326bbffa21a77

SHA1
6d4037d3ee43ba801fb87245d1ded2f2f4eb1135

SHA256
48ad333efd7c0dd11fa44090874e4ed9df1edb3b66e6c346ffa91085eb4690f3

SHA512
29b746eeaca4e5a8d5822a3c55bc1fb7a2c12d9d2416700860f18dd2a98c89421c8b0128a41b1bc975292d2b0bb74a98503bd88f1deeedaa307850324dc27f24

Download Submit
C:\Users\Admin\AppData\Roaming\subfolder\hdhdgdg.exe
Filesize
1.2MB

MD5
c9bf0a21961571ce3d96a0b83b64d45b

SHA1
230aaeaa722e8a01bf2eea065ac8db1f12de1438

SHA256
97dc9a3780891c0a32f867b494bb93d6a35314608d4e87335e0faa4049497525

SHA512
69f0979e32ea16881a4ead22724b9d7bf8ed84a1b565149ad46acbcbaa8f96945f95715443efa8585ce11eb2bf02aad98719e04690cda825b59b06becdd5b531

Download Submit
C:\Users\Admin\AppData\Roaming\subfolder\hdhdgdg.exe
Filesize
1.2MB

MD5
c9bf0a21961571ce3d96a0b83b64d45b

SHA1
230aaeaa722e8a01bf2eea065ac8db1f12de1438

SHA256
97dc9a3780891c0a32f867b494bb93d6a35314608d4e87335e0faa4049497525

SHA512
69f0979e32ea16881a4ead22724b9d7bf8ed84a1b565149ad46acbcbaa8f96945f95715443efa8585ce11eb2bf02aad98719e04690cda825b59b06becdd5b531

Download Submit
C:\Users\Admin\AppData\Roaming\subfolder\hdhdgdg.exe
Filesize
1.2MB

MD5
c9bf0a21961571ce3d96a0b83b64d45b

SHA1
230aaeaa722e8a01bf2eea065ac8db1f12de1438

SHA256
97dc9a3780891c0a32f867b494bb93d6a35314608d4e87335e0faa4049497525

SHA512
69f0979e32ea16881a4ead22724b9d7bf8ed84a1b565149ad46acbcbaa8f96945f95715443efa8585ce11eb2bf02aad98719e04690cda825b59b06becdd5b531

Download Submit
\Users\Admin\AppData\Roaming\subfolder\hdhdgdg.exe
Filesize
1.2MB

MD5
c9bf0a21961571ce3d96a0b83b64d45b

SHA1
230aaeaa722e8a01bf2eea065ac8db1f12de1438

SHA256
97dc9a3780891c0a32f867b494bb93d6a35314608d4e87335e0faa4049497525

SHA512
69f0979e32ea16881a4ead22724b9d7bf8ed84a1b565149ad46acbcbaa8f96945f95715443efa8585ce11eb2bf02aad98719e04690cda825b59b06becdd5b531

Download Submit
\Users\Admin\AppData\Roaming\subfolder\hdhdgdg.exe
Filesize
1.2MB

MD5
c9bf0a21961571ce3d96a0b83b64d45b

SHA1
230aaeaa722e8a01bf2eea065ac8db1f12de1438

SHA256
97dc9a3780891c0a32f867b494bb93d6a35314608d4e87335e0faa4049497525

SHA512
69f0979e32ea16881a4ead22724b9d7bf8ed84a1b565149ad46acbcbaa8f96945f95715443efa8585ce11eb2bf02aad98719e04690cda825b59b06becdd5b531

Download Submit
memory/624-60-0x0000000000000000-mapping.dmp

Download
memory/1516-56-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/1516-57-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download
memory/1792-67-0x000000000051BB1E-mapping.dmp

Download
memory/1792-66-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1792-70-0x0000000000402000-0x000000000051BC00-memory.dmp

Filesize
1.1MB

Download
memory/1792-71-0x0000000000402000-0x000000000051BC00-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads