Analysis
- max time kernel: 28s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 02-03-2023 23:01
Behavioral tasks
- behavioral1: Sample HFlashPlayer.exe, Resource win7-20230220-en
- behavioral2: Sample HFlashPlayer.exe, Resource win10v2004-20230220-en
- behavioral3: Sample flashplayer.exe, Resource win7-20230220-en
- behavioral4: Sample flashplayer.exe, Resource win10v2004-20230221-en
General
- Target: HFlashPlayer.exe
- Size: 33KB
- MD5: 6c52eb6343505125e91b788d603c7a39
- SHA1: 7112987259eb367d016e911a2d0afc94c31a0fcf
- SHA256: 05d59d0257868942f418f826695cfb3907ea0bc27df9885657526c376b8ec03f
- SHA512: 227b1ace54100864cb0bdcf58fe7e9edcf45c1d45048729383ec3e887f729c80422da289ea05a8eaaa048e2c542088012609aaed53dd5d345a4f11432a5e0cb8
- SSDEEP: 768:TPprSjI6nXqIpQ9ka3JK6nXqIpQ9kalJy:TxX0XqIi3E0XqIilM
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (9 IoCs)
  Process: HFlashPlayer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hflash\shell\open | HFlashPlayer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hflash\shell\open\command | HFlashPlayer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hflash | HFlashPlayer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hflash\URL Protocol | HFlashPlayer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hflash\ = "URL:hflash Protocol" | HFlashPlayer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hflash\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HFlashPlayer.exe,1" | HFlashPlayer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hflash\shell | HFlashPlayer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hflash\DefaultIcon | HFlashPlayer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hflash\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HFlashPlayer.exe %1" | HFlashPlayer.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: HFlashPlayer.exe
  description | pid | process | target process
  PID 1992 wrote to memory of 572 | 1992 | HFlashPlayer.exe | HFlashPlayer.exe
  PID 1992 wrote to memory of 572 | 1992 | HFlashPlayer.exe | HFlashPlayer.exe
  PID 1992 wrote to memory of 572 | 1992 | HFlashPlayer.exe | HFlashPlayer.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\HFlashPlayer.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\HFlashPlayer.exe"
   - Suspicious use of WriteProcessMemory
   2. (child) C:\Users\Admin\AppData\Local\Temp\HFlashPlayer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\HFlashPlayer.exe" --register
      - Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/572-56-0x000000001AD90000-0x000000001AE10000-memory.dmp (Filesize 512KB)
- memory/572-57-0x000000001AD96000-0x000000001ADCD000-memory.dmp (Filesize 220KB)
- memory/1992-54-0x0000000000EA0000-0x0000000000EAE000-memory.dmp (Filesize 56KB)
- memory/1992-55-0x000000001B200000-0x000000001B280000-memory.dmp (Filesize 512KB)