2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b

General

Target

2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b.exe
Size

260KB
MD5

5747e1a808e070a884a78b672f661b00
SHA1

29a67bb88034f42f5e35b4d5d1c6f40f69b36fd2
SHA256

2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b
SHA512

f312179f2439ad691f9b9bdfae89edece04a89412b2c90229d5df32fc7cc90d7e1820781abaa366e65deb8669755d3f77947b899a4d3969c81e2f972a8bb6e5e
SSDEEP

6144:nd7IgTSrMaIl/jcLijfHFEHWzXvjT85R:npNTSrMaIqLlI/H85R

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

heeyee.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	heeyee.exe

Executes dropped EXE 1 IoCs

Processes:

heeyee.exe

pid process

1184 heeyee.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

heeyee.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /A"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /T"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /C"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /p"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /w"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /Q"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /y"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /c"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /d"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /W"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /Y"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /n"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /k"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /S"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /G"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /e"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /Z"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /h"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /u"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /U"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /t"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /L"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /j"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /r"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /I"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /z"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /R"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /P"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /F"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /J"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /X"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /o"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /s"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /K"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /f"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /l"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /x"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /B"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /b"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /V"	heeyee.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /g"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /N"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /i"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /v"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /a"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /m"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /O"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /q"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /H"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /M"	heeyee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heeyee = "C:\\Users\\Admin\\heeyee.exe /E"	heeyee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

heeyee.exe

pid	process
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe
1184	heeyee.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b.exeheeyee.exe

pid process

4744 2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b.exe
1184 heeyee.exe

pid	process
4744	2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b.exe
1184	heeyee.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b.exe

description	pid	process	target process
PID 4744 wrote to memory of 1184	4744	2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b.exe	heeyee.exe
PID 4744 wrote to memory of 1184	4744	2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b.exe	heeyee.exe
PID 4744 wrote to memory of 1184	4744	2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b.exe	heeyee.exe

C:\Users\Admin\AppData\Local\Temp\2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b.exe
"C:\Users\Admin\AppData\Local\Temp\2c0b1452a2040ef98befc67dafa820318bf681a83b283f6907cbe8ae4819bd7b.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4744

C:\Users\Admin\heeyee.exe
"C:\Users\Admin\heeyee.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\heeyee.exe

Filesize
260KB

MD5
25890197810a8f81d6c7a070cfd1948c

SHA1
363efcf15a51a05f66c5274cb76425c2ea419cfb

SHA256
bba5b610acdea051ba12badaffa2cde30d35dff24f477b4e6dfe1f9f2ed52034

SHA512
c7824a8f07151421d3ff07162434310058cbe611d8c7204792df0574fc1b67363dc1b676a1e80a5af11363e458955a3bf9bd9b5eface687a21b0c93402091006

Download Submit
C:\Users\Admin\heeyee.exe

Filesize
260KB

MD5
25890197810a8f81d6c7a070cfd1948c

SHA1
363efcf15a51a05f66c5274cb76425c2ea419cfb

SHA256
bba5b610acdea051ba12badaffa2cde30d35dff24f477b4e6dfe1f9f2ed52034

SHA512
c7824a8f07151421d3ff07162434310058cbe611d8c7204792df0574fc1b67363dc1b676a1e80a5af11363e458955a3bf9bd9b5eface687a21b0c93402091006

Download Submit
memory/1184-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads