479e5c004a68f65da08a6ff8dd8760292f78e9e297c9b1b7d9e5e2246908e91c

Analysis

max time kernel
16s
max time network
17s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03-07-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hngh.exe
Size

25KB
MD5

bc00ab0adc95b522e4b7133938cf81d0
SHA1

c4e2c024ab9b23c514120622a902440c4dbaf0ca
SHA256

479e5c004a68f65da08a6ff8dd8760292f78e9e297c9b1b7d9e5e2246908e91c
SHA512

179719ef290fba2c3d3b0acf78c073df12519481c1935a0e208aaf8ddd99b3ad65692767c7cf950286547b6fbb8f038e69d01c071b225da0453472af21900350
SSDEEP

768:FEHP8lBn3HQVOaGM41v1rbV9/gm3Hrdq:FEHP8lyIr/z/X3g

Score

5^/10

ransomware

Malware Config

Signatures

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.jpg"	hngh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
712	hngh.exe
712	hngh.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	712	hngh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 648	712	hngh.exe	73
PID 712 wrote to memory of 648	712	hngh.exe	73
PID 648 wrote to memory of 224	648	csc.exe	74
PID 648 wrote to memory of 224	648	csc.exe	74

C:\Users\Admin\AppData\Local\Temp\hngh.exe
"C:\Users\Admin\AppData\Local\Temp\hngh.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ajhi5mle\ajhi5mle.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES691A.tmp" "c:\Users\Admin\AppData\Local\Temp\ajhi5mle\CSC3FEE95706CCA4882825D2CEAE01C73C1.TMP"
    3⤵
    PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES691A.tmp

Filesize
1KB

MD5
39162ba3b1a85912380dcc61887b6875

SHA1
bc085dd92e742ebe7ee0a5e1c5af80e637d123d0

SHA256
f314fbb6e04a73e2e2526d0060d883fa4cc598ff116492ed8dd04c881c461da5

SHA512
7a24ee28998d4d77e41c337f629d3c4656f249c8ad10fa43e30cddee40bc83f8445d20eb14d46772c7ede895ec04f1cbb386d357360159b4562a15696272f1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajhi5mle\ajhi5mle.dll

Filesize
3KB

MD5
122b0cc9a478d783076fb6488872a063

SHA1
a1a4e8fc8280e97c0249a4c0ec6612788691e02f

SHA256
59d41acac4ad200552a5e4069a7a63867cc4b064a8388cc3c9e8fef2d8777279

SHA512
c377af2ff68b3d147eb9466aa6cc78c1c9fa975fbd82988a09f931aba26333b66d8be21fcbb236a9b7b5b0fc13767227f1b39ae4673468027b128abfcd71e8d5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ajhi5mle\CSC3FEE95706CCA4882825D2CEAE01C73C1.TMP

Filesize
652B

MD5
d04ddc6152785f8fc4d3c69343e5537f

SHA1
b9e5aea75da9e1f4c0aef47c8d77021c53cb8704

SHA256
58bfdcc6171720d1ee940a49760e7bf45bba3a1481aada5b188b7619af00ee03

SHA512
604f2a0d5c23de1755201d9771a3e7d166abc1c9ba8a57978450f8c33a20456512a79834f2b3e59b22ccd246e2894dfe412b193bd85867eb370677eb4031a553

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ajhi5mle\ajhi5mle.0.cs

Filesize
353B

MD5
7e111546c75b3f55a98d97f855753ef6

SHA1
41141d93476ff27e415167f59552b1737fd22b45

SHA256
33e8eb96c710ead9bfe94827efd1e86845e8c1cbb4033ff8e78f860a23e0256b

SHA512
490414e34ba77a976488dcdcb1a2bba3c6c50f38fa91e4a7e189f3ef82e6adf636f10f31084d9d826d013ecc596623c29f639c7bf79cc561ebd9aad9d8189990

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ajhi5mle\ajhi5mle.cmdline

Filesize
369B

MD5
3a1eb0269abf3b258bcef1986d13b6bd

SHA1
bb143b3b4c8d9dc50feb86e856f500b20811aa1e

SHA256
b6e4ada716e0aea1c78a7c371dc87779cf6f9aca7a73dc0406341ad4fb9499b0

SHA512
7e02e42c38faaefb3f1cdd72bbe32a10ae82a736b4076eac63f9676433bbf0348493bc07eba8ed8ab475ea82069acec6ac94391c4725c0ae7a945c352f0c1d54

Download Submit
memory/712-5-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

Filesize
9.9MB

Download
memory/712-0-0x00007FFB3FAC3000-0x00007FFB3FAC4000-memory.dmp

Filesize
4KB

Download
memory/712-4-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

Filesize
9.9MB

Download
memory/712-3-0x000000001C800000-0x000000001C876000-memory.dmp

Filesize
472KB

Download
memory/712-2-0x0000000003140000-0x0000000003162000-memory.dmp

Filesize
136KB

Download
memory/712-1-0x0000000000EF0000-0x0000000000EFC000-memory.dmp

Filesize
48KB

Download
memory/712-19-0x0000000003180000-0x0000000003188000-memory.dmp

Filesize
32KB

Download
memory/712-23-0x00007FFB3FAC0000-0x00007FFB404AC000-memory.dmp

Filesize
9.9MB

Download