5dd94b23ed3c33ea35ec0c0e217a5218eeafd8d7b7e666633e67fe4d664d8e21

Analysis

max time kernel
22s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hoodology.exe
Size

12KB
MD5

d79ff0ce2970694e3a6a652c57ec2ffa
SHA1

a1f77f9bf44dda9a0f56921d4c96dd7d113c7809
SHA256

5dd94b23ed3c33ea35ec0c0e217a5218eeafd8d7b7e666633e67fe4d664d8e21
SHA512

40f6d028859ae42d31644bb70b73465eeb83d855e237684e2ff8ba8efe94ce829b647240573b8fa39516219e8dc330a2e2a4eb2c22b29fe6df32ab83ea0893f2
SSDEEP

192:8+PrZsQgLVWnlCcDZUu7X5mkMeBi1eJVBVYopP:8GZsQgLslNZUuVmiE1edVTp

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Hoodology.exe

Executes dropped EXE 1 IoCs

pid	Process
2960	Exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hoodology.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Exe.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Exe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	Hoodology.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 2960	1588	Hoodology.exe	91
PID 1588 wrote to memory of 2960	1588	Hoodology.exe	91

C:\Users\Admin\AppData\Local\Temp\Hoodology.exe
"C:\Users\Admin\AppData\Local\Temp\Hoodology.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Users\Admin\AppData\Local\Temp\Hoodology\Exe.exe
  "C:\Users\Admin\AppData\Local\Temp\Hoodology\Exe.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hoodology\Exe.exe

Filesize
630KB

MD5
299f3ad87d7735f5de894404f3e196d2

SHA1
bda74d718fe4f33109c4e8728b6af9d6f158ded1

SHA256
d287ed72f296e8efa3d5be19843735129e62c8529b5e418c7cf5742d8acfddb4

SHA512
18e566696632fa027379d5e4e432ec0f00f83f184068de66429697f624ee21ac7182d9716f06028519d03509acc59ab1fb56cdb5c8d15cc63c2d9cc20b5f3fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hoodology\Exe.exe.WebView2\EBWebView\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hoodology\Exe.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hoodology\Exe.exe.WebView2\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hoodology\Exe.exe.WebView2\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
054d008bf3380ca847220cce8928f813

SHA1
9d9cc56ab9421c82138df66187cf46f38cbc3a80

SHA256
9d9c9aadc795cccad4807f9a7bb4afa1dbc4b0352fc87024b02c5697de05c2fd

SHA512
ec244d3efc715801b10d7ef37d0c0c5cab7bd664bc8758bcf2db5f3a92c0161a174cb942c49b37b875a05fdb41a3c6050c588aa1181b38a64cc2596c9772cd6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hoodology\Exe.exe.WebView2\EBWebView\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hoodology\Exe.exe.WebView2\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hoodology\Exe.exe.config

Filesize
189B

MD5
9dbad5517b46f41dbb0d8780b20ab87e

SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hoodology\Guna.UI2.dll

Filesize
2.1MB

MD5
c19e9e6a4bc1b668d19505a0437e7f7e

SHA1
73be712aef4baa6e9dabfc237b5c039f62a847fa

SHA256
9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

SHA512
b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

Download Submit
memory/1588-3-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/1588-2-0x0000000002960000-0x000000000296A000-memory.dmp

Filesize
40KB

Download
memory/1588-0-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

Filesize
4KB

Download
memory/1588-1-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/1588-5-0x0000000006410000-0x0000000006422000-memory.dmp

Filesize
72KB

Download
memory/1588-478-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/2960-471-0x00007FFCEB4D3000-0x00007FFCEB4D5000-memory.dmp

Filesize
8KB

Download
memory/2960-474-0x000001AA1DDA0000-0x000001AA1DFB4000-memory.dmp

Filesize
2.1MB

Download
memory/2960-475-0x00007FFCEB4D0000-0x00007FFCEBF91000-memory.dmp

Filesize
10.8MB

Download
memory/2960-476-0x00007FFCEB4D0000-0x00007FFCEBF91000-memory.dmp

Filesize
10.8MB

Download
memory/2960-472-0x000001AA03480000-0x000001AA03522000-memory.dmp

Filesize
648KB

Download
memory/2960-479-0x00007FFCEB4D0000-0x00007FFCEBF91000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads