26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9

Analysis

max time kernel
158s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe
Size

224KB
MD5

d6a2326d38e4339479ecf19dedf0b84b
SHA1

93ab9d67c04c34eefaceaed1e7770ccf3015e324
SHA256

26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9
SHA512

af4777dd80f70a795705bc56e9158647423b757831b49ea01b5b6dd22cb72ef6c4963f308ba29884ba1f3ad9e9d111f09e8305c08df51d9434cc895dca3324cb
SSDEEP

3072:Hk6kvZjWnE5bqaAF/OVLj4UbaxxmLQTi2//9U33T+NVzo:H1kBm7aAF4RFSs

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hauiv.exe

Executes dropped EXE 1 IoCs

pid	Process
2980	hauiv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /o"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /r"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /l"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /a"	hauiv.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /i"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /h"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /f"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /t"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /s"	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /d"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /e"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /k"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /v"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /x"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /q"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /s"	hauiv.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /j"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /z"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /b"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /c"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /w"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /m"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /y"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /n"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /p"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /u"	hauiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hauiv = "C:\\Users\\Admin\\hauiv.exe /g"	hauiv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4644	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe
4644	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe
2980	hauiv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4644	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe
2980	hauiv.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 2980	4644	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe	78
PID 4644 wrote to memory of 2980	4644	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe	78
PID 4644 wrote to memory of 2980	4644	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe	78

C:\Users\Admin\AppData\Local\Temp\26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe
"C:\Users\Admin\AppData\Local\Temp\26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\hauiv.exe
  "C:\Users\Admin\hauiv.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\hauiv.exe

Filesize
224KB

MD5
5d6094fb17757dc6b83c57c13dd67ac1

SHA1
16a4b2a86c68e0847ff7f897278fa0c9d4448a79

SHA256
5d143454f16061cf1e4020f41e32c749e6002ec12c4c59113c64310920fe5b2a

SHA512
9045ae415641e13e3b5d8b1a7fd829f5e195eeb71ae84e15ba5b48d43dfed2a4978da863d0bc4d0e8d1fd9fecb717ca94af201c43a1bf1e14fdfddea7918bcec

Download Submit
C:\Users\Admin\hauiv.exe

Filesize
224KB

MD5
5d6094fb17757dc6b83c57c13dd67ac1

SHA1
16a4b2a86c68e0847ff7f897278fa0c9d4448a79

SHA256
5d143454f16061cf1e4020f41e32c749e6002ec12c4c59113c64310920fe5b2a

SHA512
9045ae415641e13e3b5d8b1a7fd829f5e195eeb71ae84e15ba5b48d43dfed2a4978da863d0bc4d0e8d1fd9fecb717ca94af201c43a1bf1e14fdfddea7918bcec

Download Submit