863556ff60232cc0ba03d64e840b802ea35bd8afd0031fce289965445e072917

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 12:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ddfbe52e121a54390cd2a4966b3c991b.exe
Size

454KB
MD5

ddfbe52e121a54390cd2a4966b3c991b
SHA1

e89bb7fdb552627ee6b2cd570351a05e90233f08
SHA256

863556ff60232cc0ba03d64e840b802ea35bd8afd0031fce289965445e072917
SHA512

c24548ef34d1dc27d3115220fb63640e44d17fb982f2c0f324e98f76fef0a878d9cd653f935e9f8cdf080f399bfddd431a92da1110126a9a506b3d062fd73478
SSDEEP

12288:Rp//VS1fyNomS6olwkJeBMMMnMMMMM/HwE6C7rRWkiUk:7/McNvh+MMnMMMMM/HL6C

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	ddfbe52e121a54390cd2a4966b3c991b.exe

Executes dropped EXE 1 IoCs

pid	Process
1996	HhFEKGHKxwvKC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HhFEKGHKxwvKC = "C:\\ProgramData\\HhFEKGHKxwvKC.exe"	ddfbe52e121a54390cd2a4966b3c991b.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ddfbe52e121a54390cd2a4966b3c991b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	ddfbe52e121a54390cd2a4966b3c991b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	HhFEKGHKxwvKC.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	HhFEKGHKxwvKC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\Download	ddfbe52e121a54390cd2a4966b3c991b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	ddfbe52e121a54390cd2a4966b3c991b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1796	ddfbe52e121a54390cd2a4966b3c991b.exe
1796	ddfbe52e121a54390cd2a4966b3c991b.exe
1796	ddfbe52e121a54390cd2a4966b3c991b.exe
1796	ddfbe52e121a54390cd2a4966b3c991b.exe
1796	ddfbe52e121a54390cd2a4966b3c991b.exe
1796	ddfbe52e121a54390cd2a4966b3c991b.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1796	ddfbe52e121a54390cd2a4966b3c991b.exe
1796	ddfbe52e121a54390cd2a4966b3c991b.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1796	ddfbe52e121a54390cd2a4966b3c991b.exe
1796	ddfbe52e121a54390cd2a4966b3c991b.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe
1996	HhFEKGHKxwvKC.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1796	ddfbe52e121a54390cd2a4966b3c991b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 1996	1796	ddfbe52e121a54390cd2a4966b3c991b.exe	88
PID 1796 wrote to memory of 1996	1796	ddfbe52e121a54390cd2a4966b3c991b.exe	88
PID 1796 wrote to memory of 1996	1796	ddfbe52e121a54390cd2a4966b3c991b.exe	88

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ddfbe52e121a54390cd2a4966b3c991b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	ddfbe52e121a54390cd2a4966b3c991b.exe

C:\Users\Admin\AppData\Local\Temp\ddfbe52e121a54390cd2a4966b3c991b.exe
"C:\Users\Admin\AppData\Local\Temp\ddfbe52e121a54390cd2a4966b3c991b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1796
- C:\ProgramData\HhFEKGHKxwvKC.exe
  "C:\ProgramData\HhFEKGHKxwvKC.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HhFEKGHKxwvKC.exe

Filesize
264KB

MD5
0ac84f782a5ebd194663f2a49523c074

SHA1
d0385f6637631709571fca22c1e18e17929048da

SHA256
6bbcf312dc5ed80261937b8ce3147a108088af13cbb671de09c483a34a6d3b59

SHA512
a8ee8628e3cb0778e7b0787a232e36839f63604163ae79c17c45f7121811c644751bd75e2f829a54c598ace829852b5a3e5d02cab61c39334b595a5d82282d3e

Download Submit
C:\ProgramData\HhFEKGHKxwvKC.exe

Filesize
270KB

MD5
733fb94f91b9da25e0e97decd794dd01

SHA1
2c883fa5284f292f71f158a2fed20824a0e2860e

SHA256
390fe36f1a6b919e2e01e585390789bc6151578d3d438c098c6deae2af15ec50

SHA512
a0865c521b56124922ef55f94ec4ad963e8a9826c3ea0f4c2b852f5419057268d927c10ad352e8b3603e788e8d5ccacee244edc556af5c0745fc9a8637bb92a2

Download Submit
C:\ProgramData\HhFEKGHKxwvKC.exe

Filesize
454KB

MD5
ddfbe52e121a54390cd2a4966b3c991b

SHA1
e89bb7fdb552627ee6b2cd570351a05e90233f08

SHA256
863556ff60232cc0ba03d64e840b802ea35bd8afd0031fce289965445e072917

SHA512
c24548ef34d1dc27d3115220fb63640e44d17fb982f2c0f324e98f76fef0a878d9cd653f935e9f8cdf080f399bfddd431a92da1110126a9a506b3d062fd73478

Download Submit
memory/1796-1-0x0000000003010000-0x0000000004110000-memory.dmp

Filesize
17.0MB

Download
memory/1796-9-0x0000000000740000-0x0000000000976000-memory.dmp

Filesize
2.2MB

Download
memory/1996-13-0x0000000003280000-0x0000000004780000-memory.dmp

Filesize
21.0MB

Download
memory/1996-14-0x0000000000F00000-0x0000000001136000-memory.dmp

Filesize
2.2MB

Download