dccfa4b16aa79e273cc7ffc35493c495a7fd09f92a4b790f2dc41c65f64d5378

General

Target

HxDSetup.exe
Size

3.3MB
MD5

4f9e75a41d02666cd5cc86bd33a578fe
SHA1

ac08b28e953d7d200bbb3c2e644890a689d0d8b1
SHA256

dccfa4b16aa79e273cc7ffc35493c495a7fd09f92a4b790f2dc41c65f64d5378
SHA512

0848bfd0494604e4b9173211cfdd27234e15d3728377a237472f404bced36535d486f824428f19c8a8fa35becadff604e5291352b80c9e06d357667b473381ca
SSDEEP

98304:oYgmygQ4mUSSlmD5u6hY1T/zgzeJ0pV9u1O:Bgmw4iS+r20u0pVMo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3376	HxDSetup.tmp
2156	HxD.exe
3028	HxD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\HxD\is-GP6PH.tmp	HxDSetup.tmp
File created	C:\Program Files\HxD\is-TE2JQ.tmp	HxDSetup.tmp
File created	C:\Program Files\HxD\is-SISGI.tmp	HxDSetup.tmp
File opened for modification	C:\Program Files\HxD\unins000.dat	HxDSetup.tmp
File opened for modification	C:\Program Files\HxD\HxD.exe	HxDSetup.tmp
File created	C:\Program Files\HxD\unins000.dat	HxDSetup.tmp
File created	C:\Program Files\HxD\is-UUNNE.tmp	HxDSetup.tmp
File created	C:\Program Files\HxD\is-3R95T.tmp	HxDSetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings	HxDSetup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3376	HxDSetup.tmp
3376	HxDSetup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3376	HxDSetup.tmp

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2156	HxD.exe
2156	HxD.exe
2156	HxD.exe
2156	HxD.exe
2156	HxD.exe
2156	HxD.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 3376	456	HxDSetup.exe	77
PID 456 wrote to memory of 3376	456	HxDSetup.exe	77
PID 456 wrote to memory of 3376	456	HxDSetup.exe	77
PID 3376 wrote to memory of 3676	3376	HxDSetup.tmp	79
PID 3376 wrote to memory of 3676	3376	HxDSetup.tmp	79
PID 3376 wrote to memory of 3676	3376	HxDSetup.tmp	79
PID 3376 wrote to memory of 2156	3376	HxDSetup.tmp	80
PID 3376 wrote to memory of 2156	3376	HxDSetup.tmp	80
PID 2156 wrote to memory of 3028	2156	HxD.exe	81
PID 2156 wrote to memory of 3028	2156	HxD.exe	81

C:\Users\Admin\AppData\Local\Temp\HxDSetup.exe
"C:\Users\Admin\AppData\Local\Temp\HxDSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:456
- C:\Users\Admin\AppData\Local\Temp\is-B1HBA.tmp\HxDSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-B1HBA.tmp\HxDSetup.tmp" /SL5="$60216,2973524,121344,C:\Users\Admin\AppData\Local\Temp\HxDSetup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\HxD\readme.txt
    3⤵
    PID:3676
- - C:\Program Files\HxD\HxD.exe
    "C:\Program Files\HxD\HxD.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Program Files\HxD\HxD.exe
      "C:\Program Files\HxD\HxD.exe" /chooselang
      4⤵
      Executes dropped EXE
      PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\HxD\HxD.exe

Filesize
6.6MB

MD5
14fca45f383b3de689d38f45c283f71f

SHA1
5cb16e51c3bb3c63613ffd6d77505db7c5aa4ed6

SHA256
9d460040a454deeb3fe69300fe6b9017350e1efcb1f52f7f14a4702d96cb45ca

SHA512
0014192bd5f0eb8b2cd80042937ccc0228ff19123b10ee938e3b72a080e3f8d3d215f62b68810d4e06b5fad8322d0327dcd17d0a29fd0db570c0cd7da825634c

Download Submit
C:\Program Files\HxD\readme.txt

Filesize
4KB

MD5
0755d4e1fdf379c36369e96f6f6d8fa8

SHA1
f0d81e81e06fb10d2844acdad3a89e32ac624ec2

SHA256
ca4f74de91db68db75a685640957140c42d8d01659c20cf72eb771a0f7bcba2d

SHA512
56982440f67d2a04418e885cccdb9c1916a69ca58564d660fef8a8d88ed74c949b99ddff4da1bf6f654e6f3003488a5e2d3426cf64b055bdd51a423648334e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B1HBA.tmp\HxDSetup.tmp

Filesize
1.1MB

MD5
34acc2bdb45a9c436181426828c4cb49

SHA1
5adaa1ac822e6128b8d4b59a54d19901880452ae

SHA256
9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07

SHA512
134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

Download Submit
C:\Users\Admin\AppData\Roaming\Mael Horz\HxD Hex Editor\HxD Hex Editor.lang

Filesize
3B

MD5
392b810f865591aa5ec210e849ae769f

SHA1
f3fd0c8f2a347e168ef392e38c52f4134987a3a6

SHA256
78b33626b46709ebe04edd99ea813ed291183bebb025ea5e4783ca2260811943

SHA512
5d650d9045243ce2495a845683b3252419bc283fe9ecec85b56de0a179a5df77d8ddf8ccb41ff555043bf1e9a3c9a0a3e1efec17cc2d291b5236589a80df0f04

Download Submit
memory/456-48-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/456-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/456-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/456-3-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2156-52-0x0000000000400000-0x0000000000AA8000-memory.dmp

Filesize
6.7MB

Download
memory/3028-50-0x0000000000400000-0x0000000000AA8000-memory.dmp

Filesize
6.7MB

Download
memory/3376-9-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3376-46-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3376-6-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing