55bd984f097c4c1f6091ce30625b89970f74827ea9275ac9ba5d9dd42c0c38f2

Analysis

max time kernel
34s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HxDPortableSetup.exe
Size

3.3MB
MD5

565554ea03b1ef7812e66f13262de601
SHA1

77558ff5d65d181b9de3ba353538283f51de396c
SHA256

7eed3fbb271a7db6d061106a0e20a5a193388f800812266cdbb7526e469820a8
SHA512

b2b052102b1f712bbf7959cba7268c4f033492a6027779d7c6711f024a2c9bbe3d573a3695e92da407b12072e79ea6750d78695bb29bf632ea7cd87e9a9bf2f8
SSDEEP

98304:SYgmygQ4mUSSlmD5u6hY1T/zgzdpV9u1O:fgmw4iS+r205pVMo

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2728	HxDPortableSetup.tmp
3676	HxD64.exe
4024	HxD64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings	HxDPortableSetup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2728	HxDPortableSetup.tmp
2728	HxDPortableSetup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2728	HxDPortableSetup.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3676	HxD64.exe
3676	HxD64.exe
3676	HxD64.exe
3676	HxD64.exe
3676	HxD64.exe
3676	HxD64.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2728	1656	HxDPortableSetup.exe	85
PID 1656 wrote to memory of 2728	1656	HxDPortableSetup.exe	85
PID 1656 wrote to memory of 2728	1656	HxDPortableSetup.exe	85
PID 2728 wrote to memory of 3676	2728	HxDPortableSetup.tmp	99
PID 2728 wrote to memory of 3676	2728	HxDPortableSetup.tmp	99
PID 3676 wrote to memory of 4024	3676	HxD64.exe	100
PID 3676 wrote to memory of 4024	3676	HxD64.exe	100

C:\Users\Admin\AppData\Local\Temp\HxDPortableSetup.exe
"C:\Users\Admin\AppData\Local\Temp\HxDPortableSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\is-F62ER.tmp\HxDPortableSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-F62ER.tmp\HxDPortableSetup.tmp" /SL5="$401CA,2973524,121344,C:\Users\Admin\AppData\Local\Temp\HxDPortableSetup.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\Desktop\HxD\HxD64.exe
    "C:\Users\Admin\Desktop\HxD\HxD64.exe" /chooselang:enu /createdefaultconfig:normal
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3676
  - - C:\Users\Admin\Desktop\HxD\HxD64.exe
      C:\Users\Admin\Desktop\HxD\HxD64.exe /chooselang
      4⤵
      Executes dropped EXE
      PID:4024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-F62ER.tmp\HxDPortableSetup.tmp

Filesize
1.1MB

MD5
34acc2bdb45a9c436181426828c4cb49

SHA1
5adaa1ac822e6128b8d4b59a54d19901880452ae

SHA256
9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07

SHA512
134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

Download Submit
C:\Users\Admin\Desktop\HxD\HxD64.exe

Filesize
6.6MB

MD5
14fca45f383b3de689d38f45c283f71f

SHA1
5cb16e51c3bb3c63613ffd6d77505db7c5aa4ed6

SHA256
9d460040a454deeb3fe69300fe6b9017350e1efcb1f52f7f14a4702d96cb45ca

SHA512
0014192bd5f0eb8b2cd80042937ccc0228ff19123b10ee938e3b72a080e3f8d3d215f62b68810d4e06b5fad8322d0327dcd17d0a29fd0db570c0cd7da825634c

Download Submit
C:\Users\Admin\Desktop\HxD\Settings\HxD Hex Editor.lang

Filesize
3B

MD5
392b810f865591aa5ec210e849ae769f

SHA1
f3fd0c8f2a347e168ef392e38c52f4134987a3a6

SHA256
78b33626b46709ebe04edd99ea813ed291183bebb025ea5e4783ca2260811943

SHA512
5d650d9045243ce2495a845683b3252419bc283fe9ecec85b56de0a179a5df77d8ddf8ccb41ff555043bf1e9a3c9a0a3e1efec17cc2d291b5236589a80df0f04

Download Submit
memory/1656-2-0x00007FF8421D0000-0x00007FF8423C5000-memory.dmp

Filesize
2.0MB

Download
memory/1656-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1656-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1656-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2728-6-0x00007FF8421D0000-0x00007FF8423C5000-memory.dmp

Filesize
2.0MB

Download
memory/2728-30-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2728-32-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2728-33-0x00007FF8421D0000-0x00007FF8423C5000-memory.dmp

Filesize
2.0MB

Download
memory/2728-9-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3676-28-0x0000000000400000-0x0000000000AA8000-memory.dmp

Filesize
6.7MB

Download
memory/4024-25-0x0000000000400000-0x0000000000AA8000-memory.dmp

Filesize
6.7MB

Download