f2b8af0563461f373ad5ed075b26791b775c442ed8dd9e39b6a006473554a928

General

Target

2024-04-27_9e3dd480c9105c1ebda18e651e9b7764_hiddentear.exe
Size

207KB
MD5

9e3dd480c9105c1ebda18e651e9b7764
SHA1

fb6a429849b0e38a9e9bebed0c8356e02501be2b
SHA256

f2b8af0563461f373ad5ed075b26791b775c442ed8dd9e39b6a006473554a928
SHA512

7419b8f54f60d3000cea81204de7899b5468d77c5d38bf2d593c8f08eff514509aed27c65f4c9c55452469e287475a880de51aefa23daaac120ed36c0397a504
SSDEEP

3072:HUpM+lmsolAIrRuw+mqv9j1MWLQvMTmmsolNIrRuw+mqv9j1MWLQA:HV+lDAAJTmDAN

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (216) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	2024-04-27_9e3dd480c9105c1ebda18e651e9b7764_hiddentear.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings	2024-04-27_9e3dd480c9105c1ebda18e651e9b7764_hiddentear.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2524	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2524	2036	2024-04-27_9e3dd480c9105c1ebda18e651e9b7764_hiddentear.exe	86
PID 2036 wrote to memory of 2524	2036	2024-04-27_9e3dd480c9105c1ebda18e651e9b7764_hiddentear.exe	86
PID 2036 wrote to memory of 2524	2036	2024-04-27_9e3dd480c9105c1ebda18e651e9b7764_hiddentear.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-04-27_9e3dd480c9105c1ebda18e651e9b7764_hiddentear.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-27_9e3dd480c9105c1ebda18e651e9b7764_hiddentear.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\key.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

Filesize
332KB

MD5
85b782dfa14a32b6c324610e1734da4d

SHA1
df5943932cf49192c6f14cfb54c9f7c2fff16bfb

SHA256
9a204c7679b9655ff14288a0766e26119dc87dff955f9a4766995977771d0125

SHA512
7daabe78aba07792cfab219a4e17ffb5f6d667751caee8cdfc8b15ded9394d9ba2f0d2c828b63fcc258997fabc19385827a68d387825be2d1a45bbe27ef47b86

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c260930d-5654-4a01-a146-931128d29e97}\0.1.filtertrie.intermediate.txt

Filesize
16B

MD5
5f2f6cd85d4dce993e680391113e00e4

SHA1
7658db6e5d991346f4e0b45155e02334de0429f4

SHA256
947137989b7caf892840883ff104e295339d5183e78eacad6b5755a852014025

SHA512
bd382b07595aa1e18aedd845024f0c6e99de6a64763848d1a75c6b98434097c902ea70a52b2665d355776d75d534d0e789a8cda9ec64c4eb57aa88b0c7cd9d6c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c260930d-5654-4a01-a146-931128d29e97}\0.2.filtertrie.intermediate.txt

Filesize
16B

MD5
b35718a150445e73b2d94fec8e604027

SHA1
95cc0a7beac251cce77557a1725eeb785911424d

SHA256
3d476ee5109ee9c6641128ee96d16679c11824f4dc54ca2b194260a6cf809a9c

SHA512
13cbd4ccc6b66c0676c1fd63f486a74451452faf31b6e9f9d9bab4f9cecfc14a4662d97decfc1acee94e7af9f645d4039c026e76e5b7c140101f3afaa5002140

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579836700564513.txt

Filesize
77KB

MD5
c49c3292d7250088ecb86c7b4dbc6b29

SHA1
c5d503de58fb6a6891f1f89e7d2bfcfcf91101a5

SHA256
5069df4a42f05979985e0aec564859647e4284b38e179f041d60612af449cd1f

SHA512
462310fc2ea8f4c4b9c55a9767024511b5eb90b4fd43d627c6dc624596148b8d4931ef70d91ef155fa8b8f09f91f17f5ca1087748b32aaf3042d46964656d6db

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837309464105.txt

Filesize
47KB

MD5
9be87d1c61d026b12d36ecd2fed4101a

SHA1
4f8af4039d5572872d363c63ad41c90bf1b29e35

SHA256
2b638b4b80a22c7ac4c0eb9dfdb72aadadc92f369484df6b2d68f965a31aa832

SHA512
be3d1cb63f2ff4fb449caf38ef9353fb506fe3b7e7c8d9975bf663f881e1a89c835d32eb49d9b6f4985e7b1020e93e4beb82ecfb859174f462db9659df728b72

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579843745669167.txt

Filesize
63KB

MD5
517650a23b35b78664e19aec06b98f7b

SHA1
0c752a0a07081d6b0009d467ad6cb640d3ce92f0

SHA256
5dcb24b3aa78f4dd34735c660f7d832a8c90b60b8af809c866d550d1ae0783fa

SHA512
51dac832362bb1f87ecdb2fa79367239de495ecafe4c617018dfd38c557a944fd10d882eed1c065f3b557ba73380290b71e79953cf85d895f5bb3d1e9ebb7890

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579846913689448.txt

Filesize
75KB

MD5
33edec7a990f6365f49556241cae6680

SHA1
6f0207644eb03fbdf789f0afa66ca77e92e23add

SHA256
b74c11f3c5c9ff475d218f2cab7a7508470893a96e4648f0562c493f5a845e0a

SHA512
cf512b941fc2b514de253107c256fee3e389661222006ba367ece9aca160737001e8187b7d3728bdd4a57fb866a3e10f4d62424aeb9c3530fbeb10b594c639ba

Download Submit
C:\Users\Admin\Desktop\key.txt

Filesize
48B

MD5
216e6850e68bc3325de1b6d3c3b16aa9

SHA1
414fa6bbafd3a7dae15e5f1de2501799c03f01b0

SHA256
5043ff20f5a74f5d7aa3be697ec3e6d36422f41c88ec3325e9e1b6300376695d

SHA512
7015f22595e03a492a60fe6bf61277f5cebb2bf4fb78052eba6f0dea3e166ef92a0de9db4988a7e38cc4541eccf38eca7562c4b212f833dca452ba41933277d0

Download Submit
memory/2036-0-0x0000000000DB0000-0x0000000000DEA000-memory.dmp

Filesize
232KB

Download
memory/2036-5-0x0000000005890000-0x000000000589A000-memory.dmp

Filesize
40KB

Download
memory/2036-4-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/2036-3-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/2036-2-0x0000000005E40000-0x00000000063E4000-memory.dmp

Filesize
5.6MB

Download
memory/2036-1-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/2036-443-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing