Overview

overview

8

Static

static

4af4cf798b...99.exe

windows7-x64

8

4af4cf798b...99.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    154s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2022, 12:45

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4af4cf798bb8c62b41003346fb1eacc9fa81ddbb3be4180081fd7aad523e2a99.exe

  • Size

    981KB

  • MD5

    227689dad5d92ea88d0952326e8abec6

  • SHA1

    ce27248fae3e22d6fe646706a661440c020bf17f

  • SHA256

    4af4cf798bb8c62b41003346fb1eacc9fa81ddbb3be4180081fd7aad523e2a99

  • SHA512

    c7a09a61c5eadb54fda443c06133602997523ee4479449ea005db8e8e219d23ed95e0967b2c19751c567a5d30451a820c2eb677b6efac49d94f0375ebd3ea0ae

  • SSDEEP

    24576:R79VyVQaHtu8QgS2jonMB5hAMz538xSIPBu+:R7z9aHtuyxonMZMBu+

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 13 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 8 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4af4cf798bb8c62b41003346fb1eacc9fa81ddbb3be4180081fd7aad523e2a99.exe
    "C:\Users\Admin\AppData\Local\Temp\4af4cf798bb8c62b41003346fb1eacc9fa81ddbb3be4180081fd7aad523e2a99.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Program Files (x86)\haokan\haokan.exe
      "C:\Program Files (x86)\haokan\haokan.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies Internet Explorer start page
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4280

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\haokan\ExtMenu.fnr
          Filesize

          188KB

          MD5

          815f7b24563a687ac83d177487463171

          SHA1

          3fa8bcd99cebee884856c99f95f85f409fccd4ca

          SHA256

          60b2b63afe9f1f8b30acd7d947665c45907006a557e217f2df606345459abdc3

          SHA512

          1f72231f285db33ac074bace4c0c9577f806378a695e2db07a7fd4e1327e51886cc04b9b83b61e3abf349c6cfc6014cee5a78b6c867f7dc91a63ebfe461595b2

          Download Submit

        • C:\Program Files (x86)\haokan\ExtMenu.fnr
          Filesize

          188KB

          MD5

          815f7b24563a687ac83d177487463171

          SHA1

          3fa8bcd99cebee884856c99f95f85f409fccd4ca

          SHA256

          60b2b63afe9f1f8b30acd7d947665c45907006a557e217f2df606345459abdc3

          SHA512

          1f72231f285db33ac074bace4c0c9577f806378a695e2db07a7fd4e1327e51886cc04b9b83b61e3abf349c6cfc6014cee5a78b6c867f7dc91a63ebfe461595b2

          Download Submit

        • C:\Program Files (x86)\haokan\ExtMenu.fnr
          Filesize

          188KB

          MD5

          815f7b24563a687ac83d177487463171

          SHA1

          3fa8bcd99cebee884856c99f95f85f409fccd4ca

          SHA256

          60b2b63afe9f1f8b30acd7d947665c45907006a557e217f2df606345459abdc3

          SHA512

          1f72231f285db33ac074bace4c0c9577f806378a695e2db07a7fd4e1327e51886cc04b9b83b61e3abf349c6cfc6014cee5a78b6c867f7dc91a63ebfe461595b2

          Download Submit

        • C:\Program Files (x86)\haokan\WebBrowser2.fne
          Filesize

          244KB

          MD5

          58573357ee1781c12923b83750b80fb6

          SHA1

          0ed04679def908617e681dc5f1735b0d9b029089

          SHA256

          5338dfb53de32b1c9c5b1dcdbc0e8fe2431679e86248b19ce36b6fa1e56f5e6a

          SHA512

          ec7c68b52d15e75c447b14799ad4e3105644ed502d6014b414a254eb2309117527ffaf5ed030b6cb42f5e3e8acb866e16509e2bf16b463361a9e364a50d27d00

          Download Submit

        • C:\Program Files (x86)\haokan\WebBrowser2.fne
          Filesize

          244KB

          MD5

          58573357ee1781c12923b83750b80fb6

          SHA1

          0ed04679def908617e681dc5f1735b0d9b029089

          SHA256

          5338dfb53de32b1c9c5b1dcdbc0e8fe2431679e86248b19ce36b6fa1e56f5e6a

          SHA512

          ec7c68b52d15e75c447b14799ad4e3105644ed502d6014b414a254eb2309117527ffaf5ed030b6cb42f5e3e8acb866e16509e2bf16b463361a9e364a50d27d00

          Download Submit

        • C:\Program Files (x86)\haokan\WebBrowser2.fne
          Filesize

          244KB

          MD5

          58573357ee1781c12923b83750b80fb6

          SHA1

          0ed04679def908617e681dc5f1735b0d9b029089

          SHA256

          5338dfb53de32b1c9c5b1dcdbc0e8fe2431679e86248b19ce36b6fa1e56f5e6a

          SHA512

          ec7c68b52d15e75c447b14799ad4e3105644ed502d6014b414a254eb2309117527ffaf5ed030b6cb42f5e3e8acb866e16509e2bf16b463361a9e364a50d27d00

          Download Submit

        • C:\Program Files (x86)\haokan\downlib.fne
          Filesize

          248KB

          MD5

          3cc74df6e36d7061de07cea1f811b767

          SHA1

          e46593b994186840845b5c896057a8b97544c71d

          SHA256

          947aa58d30023718a3fc9848f20a29611f54299205728eff377cefafc7672304

          SHA512

          7a5c1d624f708a4992acffebcc344e730b327fb5f73495b33b50477ccf8da7c97a5f6b68d96f8e80d7349df2bec6bed27bd7884ae560df8a51fad89e8ff8336e

          Download Submit

        • C:\Program Files (x86)\haokan\downlib.fne
          Filesize

          248KB

          MD5

          3cc74df6e36d7061de07cea1f811b767

          SHA1

          e46593b994186840845b5c896057a8b97544c71d

          SHA256

          947aa58d30023718a3fc9848f20a29611f54299205728eff377cefafc7672304

          SHA512

          7a5c1d624f708a4992acffebcc344e730b327fb5f73495b33b50477ccf8da7c97a5f6b68d96f8e80d7349df2bec6bed27bd7884ae560df8a51fad89e8ff8336e

          Download Submit

        • C:\Program Files (x86)\haokan\downlib.fne
          Filesize

          248KB

          MD5

          3cc74df6e36d7061de07cea1f811b767

          SHA1

          e46593b994186840845b5c896057a8b97544c71d

          SHA256

          947aa58d30023718a3fc9848f20a29611f54299205728eff377cefafc7672304

          SHA512

          7a5c1d624f708a4992acffebcc344e730b327fb5f73495b33b50477ccf8da7c97a5f6b68d96f8e80d7349df2bec6bed27bd7884ae560df8a51fad89e8ff8336e

          Download Submit

        • C:\Program Files (x86)\haokan\edroptarget.fne
          Filesize

          156KB

          MD5

          ca77aec89bd2f81bbef77ff26b88148a

          SHA1

          27e8eb70f218d5d085344fce21653dc31e0dda29

          SHA256

          1eaf42e6c734eb332f0edf7d3cf7c408f72b3267ae5408675d3604a6b23319d2

          SHA512

          985592f5a0c5916b1dc83079f17abb0fb4fb20aeb8b9a9d6ffd1b196eeda45d5d2393654cee3e6c1405d431f2fd55403ce734d75a948fdc56fea2d67217067cf

          Download Submit

        • C:\Program Files (x86)\haokan\edroptarget.fne
          Filesize

          156KB

          MD5

          ca77aec89bd2f81bbef77ff26b88148a

          SHA1

          27e8eb70f218d5d085344fce21653dc31e0dda29

          SHA256

          1eaf42e6c734eb332f0edf7d3cf7c408f72b3267ae5408675d3604a6b23319d2

          SHA512

          985592f5a0c5916b1dc83079f17abb0fb4fb20aeb8b9a9d6ffd1b196eeda45d5d2393654cee3e6c1405d431f2fd55403ce734d75a948fdc56fea2d67217067cf

          Download Submit

        • C:\Program Files (x86)\haokan\edroptarget.fne
          Filesize

          156KB

          MD5

          ca77aec89bd2f81bbef77ff26b88148a

          SHA1

          27e8eb70f218d5d085344fce21653dc31e0dda29

          SHA256

          1eaf42e6c734eb332f0edf7d3cf7c408f72b3267ae5408675d3604a6b23319d2

          SHA512

          985592f5a0c5916b1dc83079f17abb0fb4fb20aeb8b9a9d6ffd1b196eeda45d5d2393654cee3e6c1405d431f2fd55403ce734d75a948fdc56fea2d67217067cf

          Download Submit

        • C:\Program Files (x86)\haokan\haokan.exe
          Filesize

          322KB

          MD5

          3f2a6a658631992fa5b1f0113cdf150a

          SHA1

          30d9fa541756847603c1c4e2dc96e382d3ff39ed

          SHA256

          d46f0c36ff62e446f2a4432f62b942935ab400283ed9ab19860a50f9d2fe7107

          SHA512

          d52e6b633d84d6768f49e5ad2d42f251c76faeaf076f8b3aa819d6260ed683aad1ab3409cb85b257b36856ffbdae1e4d2ea88c3fdca6582aaaf0c21aabf53c62

          Download Submit

        • C:\Program Files (x86)\haokan\haokan.exe
          Filesize

          322KB

          MD5

          3f2a6a658631992fa5b1f0113cdf150a

          SHA1

          30d9fa541756847603c1c4e2dc96e382d3ff39ed

          SHA256

          d46f0c36ff62e446f2a4432f62b942935ab400283ed9ab19860a50f9d2fe7107

          SHA512

          d52e6b633d84d6768f49e5ad2d42f251c76faeaf076f8b3aa819d6260ed683aad1ab3409cb85b257b36856ffbdae1e4d2ea88c3fdca6582aaaf0c21aabf53c62

          Download Submit

        • C:\Program Files (x86)\haokan\iext.fnr
          Filesize

          216KB

          MD5

          3f1b2b497172b65f7bb15453d0d93de0

          SHA1

          e24556e47ced0b6ae6b89a5e280b83e15ed42e8a

          SHA256

          4f9ad22aa55455f56619e76a01afeb337e1f28f61c7dde5869eb2a6d8776581e

          SHA512

          8837e6108ffde548674487c5ebba3e3dbee8bfafa5727470d3ebaeec039baefc6dc3d756a199f4fb334754985288f0a5577b32eb41fbd69295fc9681354cd3f2

          Download Submit

        • C:\Program Files (x86)\haokan\iext.fnr
          Filesize

          216KB

          MD5

          3f1b2b497172b65f7bb15453d0d93de0

          SHA1

          e24556e47ced0b6ae6b89a5e280b83e15ed42e8a

          SHA256

          4f9ad22aa55455f56619e76a01afeb337e1f28f61c7dde5869eb2a6d8776581e

          SHA512

          8837e6108ffde548674487c5ebba3e3dbee8bfafa5727470d3ebaeec039baefc6dc3d756a199f4fb334754985288f0a5577b32eb41fbd69295fc9681354cd3f2

          Download Submit

        • C:\Program Files (x86)\haokan\iext.fnr
          Filesize

          216KB

          MD5

          3f1b2b497172b65f7bb15453d0d93de0

          SHA1

          e24556e47ced0b6ae6b89a5e280b83e15ed42e8a

          SHA256

          4f9ad22aa55455f56619e76a01afeb337e1f28f61c7dde5869eb2a6d8776581e

          SHA512

          8837e6108ffde548674487c5ebba3e3dbee8bfafa5727470d3ebaeec039baefc6dc3d756a199f4fb334754985288f0a5577b32eb41fbd69295fc9681354cd3f2

          Download Submit

        • C:\Program Files (x86)\haokan\iext2.fne
          Filesize

          492KB

          MD5

          dba5fdbe7ec94463b3f6fdf2162c9f95

          SHA1

          a97137b4f2b77166b2a23da1f58e0bdb7365f4f2

          SHA256

          a8b14f31098a191631696db5ddc77e029b48999542e0ec15b63df02220c66d37

          SHA512

          325439bb5fe0e18e08cd547e9e9d505aa5b1ee51a436cb155254cfb04d318679e7a016cc2e72ffaba49bed20e15e85b26fd2a22e726e211650317218dde53ba6

          Download Submit

        • C:\Program Files (x86)\haokan\iext2.fne
          Filesize

          492KB

          MD5

          dba5fdbe7ec94463b3f6fdf2162c9f95

          SHA1

          a97137b4f2b77166b2a23da1f58e0bdb7365f4f2

          SHA256

          a8b14f31098a191631696db5ddc77e029b48999542e0ec15b63df02220c66d37

          SHA512

          325439bb5fe0e18e08cd547e9e9d505aa5b1ee51a436cb155254cfb04d318679e7a016cc2e72ffaba49bed20e15e85b26fd2a22e726e211650317218dde53ba6

          Download Submit

        • C:\Program Files (x86)\haokan\iext2.fne
          Filesize

          492KB

          MD5

          dba5fdbe7ec94463b3f6fdf2162c9f95

          SHA1

          a97137b4f2b77166b2a23da1f58e0bdb7365f4f2

          SHA256

          a8b14f31098a191631696db5ddc77e029b48999542e0ec15b63df02220c66d37

          SHA512

          325439bb5fe0e18e08cd547e9e9d505aa5b1ee51a436cb155254cfb04d318679e7a016cc2e72ffaba49bed20e15e85b26fd2a22e726e211650317218dde53ba6

          Download Submit

        • C:\Program Files (x86)\haokan\krnln.fnr
          Filesize

          1.0MB

          MD5

          44e2ca67c060fbe3dc0d030149f5a478

          SHA1

          5df61eb626bc3849893701942114609c1086d496

          SHA256

          6ced19283dbbb95f264448f380592f4e98ba8228efca2f68821ab3ae61029d93

          SHA512

          1a348c7585d78dd68c1d0e059ea1d7cea57c1aeff734f834f75025719b9fdd0e9bb16aebe75e15502a1b83106387eaa9493b8990999e0a68b62c1afdbc8cf45e

          Download Submit

        • C:\Program Files (x86)\haokan\krnln.fnr
          Filesize

          1.0MB

          MD5

          44e2ca67c060fbe3dc0d030149f5a478

          SHA1

          5df61eb626bc3849893701942114609c1086d496

          SHA256

          6ced19283dbbb95f264448f380592f4e98ba8228efca2f68821ab3ae61029d93

          SHA512

          1a348c7585d78dd68c1d0e059ea1d7cea57c1aeff734f834f75025719b9fdd0e9bb16aebe75e15502a1b83106387eaa9493b8990999e0a68b62c1afdbc8cf45e

          Download Submit

        • memory/4280-151-0x0000000003B40000-0x0000000003B6A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/4280-161-0x00000000041E0000-0x0000000004221000-memory.dmp

          Filesize

          260KB

          Download

        • memory/4280-156-0x0000000004170000-0x00000000041AF000-memory.dmp

          Filesize

          252KB

          Download

        • memory/4280-166-0x0000000004F80000-0x0000000004FC2000-memory.dmp

          Filesize

          264KB

          Download

        • memory/4280-146-0x0000000003ED0000-0x0000000003F5B000-memory.dmp

          Filesize

          556KB

          Download

        • memory/4280-143-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

          Download

        • memory/4280-140-0x0000000003AC0000-0x0000000003B04000-memory.dmp

          Filesize

          272KB

          Download