Analysis
- max time kernel: 150s
- max time network: 78s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 03:05
Static task: static1
Behavioral task: behavioral1
  Sample: bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a.exe
  Resource: win10v2004-20221111-en
General
- Target: bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a.exe
- Size: 252KB
- MD5: 6127dd2c32d06962240c1d69ca0c09ad
- SHA1: b963586df5096f0af20c306aca0267b544ccced2
- SHA256: bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a
- SHA512: 688236c9c03d1df31c3bd4bf2e5e5b54ea76d634af0812c26022e676bb352b5c00a7d7ecfce6a95ed02a81741ac339ebb4d54bc4a8129cf8636251f9036697e1
- SSDEEP: 3072:1rAckx7LaXsWvZ0OgRqTAJcLGGO/xuiEyJeOOeGs5oxnkNzQKWx0:1rLFx/ZLA4PmG6d
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hauiqov.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1288 | hauiqov.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  2016 | bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a.exe
  2016 | bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a.exe
- Adds Run key to start application (2 TTPs, 54 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /S" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /b" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /a" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /v" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /q" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /I" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /F" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /e" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /o" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /W" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /L" | hauiqov.exe
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /t" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /U" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /h" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /E" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /p" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /Z" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /x" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /j" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /n" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /D" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /s" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /T" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /a" | bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /V" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /k" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /c" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /M" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /f" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /u" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /X" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /O" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /y" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /H" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /i" | hauiqov.exe
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /d" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /G" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /m" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /A" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /R" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /J" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /g" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /Q" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /w" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /z" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /N" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /P" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /Y" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /K" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /r" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /l" | hauiqov.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\hauiqov = "C:\\Users\\Admin\\hauiqov.exe /B" | hauiqov.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2016 | bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a.exe
  1288 | hauiqov.exe (this row is repeated for each of the remaining 63 IoCs)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2016 | bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a.exe
  1288 | hauiqov.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2016 wrote to memory of 1288 | 2016 | bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a.exe | 26
  PID 2016 wrote to memory of 1288 | 2016 | bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a.exe | 26
  PID 2016 wrote to memory of 1288 | 2016 | bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a.exe | 26
  PID 2016 wrote to memory of 1288 | 2016 | bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a.exe | 26
Processes
- C:\Users\Admin\AppData\Local\Temp\bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a.exe
  "C:\Users\Admin\AppData\Local\Temp\bc8b419793b3ccc0ef565ba7e0b5e95724a9590cc1578f351b9439d39e72116a.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2016
  - C:\Users\Admin\hauiqov.exe
    "C:\Users\Admin\hauiqov.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1288
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 252KB
  MD5: ed1b87bd0ecedcf4772c178378313358
  SHA1: 3b2a7d34cdcef3341d51fc38e12ba04573cb0099
  SHA256: d9608e56642c4cff2a0345aa5d3bd4128a13521cc2adf2e28c23852d2078c8ed
  SHA512: b4038f9c6373f62d29e8f24ad1f5ef00ae3dd64b3b3d22e0f6a538736fa10db76aceb792443e2d68d2c18e09efb61378fa40dc52e66a9c703e9799d39079e33a