c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6

General

Target

c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
Size

152KB
MD5

42fbccf64541cffa18ba28cd878d3250
SHA1

ae00dd2eef075e74327a1136a35becfeb72d2675
SHA256

c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6
SHA512

5778b96b428fc163458d24130d6ede6fbce2263419596b4dcbad1d5d76a7d40078354784be3939aca28e0c58a76a490629c4dec943dc63c4e1f65dad1e87966d
SSDEEP

3072:T3jIpK9xKA9w2p4QZisLaazNiIIkyyqN4oQZiEHPgcF:T3cpKxY+1isuazgfklcWVP3

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exehauzaam.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hauzaam.exe

Executes dropped EXE 1 IoCs

Processes:

hauzaam.exe

pid process

1940 hauzaam.exe

pid	process
1940	hauzaam.exe

Loads dropped DLL 2 IoCs

Processes:

c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe

pid	process
1784	c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
1784	c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hauzaam.exec1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /c"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /t"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /a"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /g"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /r"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /O"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /T"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /E"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /i"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /S"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /N"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /L"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /D"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /M"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /q"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /V"	c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /n"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /d"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /u"	hauzaam.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /z"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /Y"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /J"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /h"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /U"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /x"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /l"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /A"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /G"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /m"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /B"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /C"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /o"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /b"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /K"	hauzaam.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /s"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /k"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /R"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /y"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /X"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /W"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /H"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /f"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /V"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /Z"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /e"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /Q"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /P"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /I"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /j"	hauzaam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauzaam = "C:\\Users\\Admin\\hauzaam.exe /p"	hauzaam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exehauzaam.exe

pid	process
1784	c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe
1940	hauzaam.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exehauzaam.exe

pid process

1784 c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
1940 hauzaam.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe

description	pid	process	target process
PID 1784 wrote to memory of 1940	1784	c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe	hauzaam.exe
PID 1784 wrote to memory of 1940	1784	c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe	hauzaam.exe
PID 1784 wrote to memory of 1940	1784	c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe	hauzaam.exe
PID 1784 wrote to memory of 1940	1784	c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe	hauzaam.exe

C:\Users\Admin\AppData\Local\Temp\c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe
"C:\Users\Admin\AppData\Local\Temp\c1aaf2dd35ca3f2374c391703d0f5c33a30462d5f0b65d39d7ede42dfa9419f6.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\hauzaam.exe
"C:\Users\Admin\hauzaam.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\hauzaam.exe

Filesize
152KB

MD5
9a4cf8ef359ad3c219fdf9b582f452d1

SHA1
e84d9295f276f3b7bdf53598c9d39ee7fb042441

SHA256
621997a2f2ed8dfe33628987a54c3f7e16390db46766742a31cb6b456b660863

SHA512
0468d310bedf6bb223ac15ba182627836b601e596bc186f4b59dbfff3e4cc6ef9b82382dd5ffe9700ea0d91467ecdd017892967e02fb10e81d53b489d47e7286

Download Submit
C:\Users\Admin\hauzaam.exe

Filesize
152KB

MD5
9a4cf8ef359ad3c219fdf9b582f452d1

SHA1
e84d9295f276f3b7bdf53598c9d39ee7fb042441

SHA256
621997a2f2ed8dfe33628987a54c3f7e16390db46766742a31cb6b456b660863

SHA512
0468d310bedf6bb223ac15ba182627836b601e596bc186f4b59dbfff3e4cc6ef9b82382dd5ffe9700ea0d91467ecdd017892967e02fb10e81d53b489d47e7286

Download Submit
\Users\Admin\hauzaam.exe

Filesize
152KB

MD5
9a4cf8ef359ad3c219fdf9b582f452d1

SHA1
e84d9295f276f3b7bdf53598c9d39ee7fb042441

SHA256
621997a2f2ed8dfe33628987a54c3f7e16390db46766742a31cb6b456b660863

SHA512
0468d310bedf6bb223ac15ba182627836b601e596bc186f4b59dbfff3e4cc6ef9b82382dd5ffe9700ea0d91467ecdd017892967e02fb10e81d53b489d47e7286

Download Submit
\Users\Admin\hauzaam.exe

Filesize
152KB

MD5
9a4cf8ef359ad3c219fdf9b582f452d1

SHA1
e84d9295f276f3b7bdf53598c9d39ee7fb042441

SHA256
621997a2f2ed8dfe33628987a54c3f7e16390db46766742a31cb6b456b660863

SHA512
0468d310bedf6bb223ac15ba182627836b601e596bc186f4b59dbfff3e4cc6ef9b82382dd5ffe9700ea0d91467ecdd017892967e02fb10e81d53b489d47e7286

Download Submit
memory/1784-56-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1940-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads