d33c941606d3e131ad124a0050d42e8ce74e10b4c3422ae1941c00759740f4cc

Analysis

max time kernel
190s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 22:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d33c941606d3e131ad124a0050d42e8ce74e10b4c3422ae1941c00759740f4cc.exe
Size

88KB
MD5

5c628a984fa7f8d55e59db17bf7c56e0
SHA1

0a7f15f7b4e3d88c8a2fac1407ed60557d5a66c7
SHA256

d33c941606d3e131ad124a0050d42e8ce74e10b4c3422ae1941c00759740f4cc
SHA512

70f42e17875b8c39de9096641f351c332eb5e25e763c323505b03a9f2f544bda4237e62b72144f2855ec3669616a8e3c628ee68585a683d8dab12f044f9ac9b0
SSDEEP

768:HH6jxOJETcWGIHpFeh6RM1rA8dOsk7jbqqRkA5okK1DfsvtDzsXjLft+9o1Jz:HHcx/AQLFUnzJA5o9BfItDoXjLl0+z

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d33c941606d3e131ad124a0050d42e8ce74e10b4c3422ae1941c00759740f4cc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	haari.exe

Executes dropped EXE 1 IoCs

pid	Process
4300	haari.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	d33c941606d3e131ad124a0050d42e8ce74e10b4c3422ae1941c00759740f4cc.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /u"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /d"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /y"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /r"	d33c941606d3e131ad124a0050d42e8ce74e10b4c3422ae1941c00759740f4cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /c"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /m"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /n"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /e"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /k"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /j"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /z"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /b"	haari.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /w"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /g"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /r"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /a"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /p"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /l"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /o"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /t"	haari.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	d33c941606d3e131ad124a0050d42e8ce74e10b4c3422ae1941c00759740f4cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /i"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /q"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /f"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /x"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /v"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /s"	haari.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haari = "C:\\Users\\Admin\\haari.exe /h"	haari.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4676	d33c941606d3e131ad124a0050d42e8ce74e10b4c3422ae1941c00759740f4cc.exe
4676	d33c941606d3e131ad124a0050d42e8ce74e10b4c3422ae1941c00759740f4cc.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe
4300	haari.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4676	d33c941606d3e131ad124a0050d42e8ce74e10b4c3422ae1941c00759740f4cc.exe
4300	haari.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 4300	4676	d33c941606d3e131ad124a0050d42e8ce74e10b4c3422ae1941c00759740f4cc.exe	81
PID 4676 wrote to memory of 4300	4676	d33c941606d3e131ad124a0050d42e8ce74e10b4c3422ae1941c00759740f4cc.exe	81
PID 4676 wrote to memory of 4300	4676	d33c941606d3e131ad124a0050d42e8ce74e10b4c3422ae1941c00759740f4cc.exe	81

C:\Users\Admin\AppData\Local\Temp\d33c941606d3e131ad124a0050d42e8ce74e10b4c3422ae1941c00759740f4cc.exe
"C:\Users\Admin\AppData\Local\Temp\d33c941606d3e131ad124a0050d42e8ce74e10b4c3422ae1941c00759740f4cc.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Users\Admin\haari.exe
  "C:\Users\Admin\haari.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\haari.exe

Filesize
88KB

MD5
3d22ddca428730134e016331a6bd128f

SHA1
44890c649a52d508525418a391a108b9e8d0595f

SHA256
d41d988caa6d22730ee7ee4ce701c28fa00c68658e68b7eb65637b03fdff695d

SHA512
799955eb13621d806913644fee5640ec2519fe3b3e2d03bccea04a5adb7841bfb7da95ca91eccac6af6fa1f394e35efdf384af18db62c14228c69b1bf46b1e7b

Download Submit
C:\Users\Admin\haari.exe

Filesize
88KB

MD5
3d22ddca428730134e016331a6bd128f

SHA1
44890c649a52d508525418a391a108b9e8d0595f

SHA256
d41d988caa6d22730ee7ee4ce701c28fa00c68658e68b7eb65637b03fdff695d

SHA512
799955eb13621d806913644fee5640ec2519fe3b3e2d03bccea04a5adb7841bfb7da95ca91eccac6af6fa1f394e35efdf384af18db62c14228c69b1bf46b1e7b

Download Submit