c1f3cb71eca0214e7f55cd13ca65e9d6e1185c3b6f1699672ecc86c327c77188

Analysis

max time kernel
188s
max time network
50s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 22:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c1f3cb71eca0214e7f55cd13ca65e9d6e1185c3b6f1699672ecc86c327c77188.exe
Size

48KB
MD5

fc39f6fdb793392a98586d104586fbdb
SHA1

aea00aeeaef0804eee3a6db282a2da7fb843a927
SHA256

c1f3cb71eca0214e7f55cd13ca65e9d6e1185c3b6f1699672ecc86c327c77188
SHA512

3711c85e08d22e02608c47a7e29865f6bdef4fd27f1731f0e024378a5e80dd8b211ee7daa81b67903260e7dafd7fc525c46114a2883e883785b80bb22f8145de
SSDEEP

768:0zEJbJ6hRGN+lpalWtgTVH7NHaurxmWXOQfwoObuPb77e0:0zEqRza0ml5lXAoO+H79

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	haihaep.exe

Executes dropped EXE 1 IoCs

pid	Process
752	haihaep.exe

Loads dropped DLL 2 IoCs

pid	Process
944	c1f3cb71eca0214e7f55cd13ca65e9d6e1185c3b6f1699672ecc86c327c77188.exe
944	c1f3cb71eca0214e7f55cd13ca65e9d6e1185c3b6f1699672ecc86c327c77188.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	haihaep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\haihaep = "C:\\Users\\Admin\\haihaep.exe"	haihaep.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe
752	haihaep.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
944	c1f3cb71eca0214e7f55cd13ca65e9d6e1185c3b6f1699672ecc86c327c77188.exe
752	haihaep.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 752	944	c1f3cb71eca0214e7f55cd13ca65e9d6e1185c3b6f1699672ecc86c327c77188.exe	28
PID 944 wrote to memory of 752	944	c1f3cb71eca0214e7f55cd13ca65e9d6e1185c3b6f1699672ecc86c327c77188.exe	28
PID 944 wrote to memory of 752	944	c1f3cb71eca0214e7f55cd13ca65e9d6e1185c3b6f1699672ecc86c327c77188.exe	28
PID 944 wrote to memory of 752	944	c1f3cb71eca0214e7f55cd13ca65e9d6e1185c3b6f1699672ecc86c327c77188.exe	28
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19
PID 752 wrote to memory of 944	752	haihaep.exe	19

C:\Users\Admin\AppData\Local\Temp\c1f3cb71eca0214e7f55cd13ca65e9d6e1185c3b6f1699672ecc86c327c77188.exe
"C:\Users\Admin\AppData\Local\Temp\c1f3cb71eca0214e7f55cd13ca65e9d6e1185c3b6f1699672ecc86c327c77188.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944
- C:\Users\Admin\haihaep.exe
  "C:\Users\Admin\haihaep.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\haihaep.exe

Filesize
48KB

MD5
12ab715c0cff45e089d0782b6b1b85e5

SHA1
1674a9bedd0d6bd597e6e9a2ea1cead348a0a518

SHA256
b2a5ee09d8a73d9a477e68cae35af6bfa5c08e337a572755a78868314cf7819a

SHA512
6656bb676424b85b67175c9ccaa3efed84af7c9ddaa2671bdece920b99c385e8d3e929564eae5d34555dcad5dbfb50b044d597ece7bba8d5f96a961b7b2a81ca

Download Submit
C:\Users\Admin\haihaep.exe

Filesize
48KB

MD5
12ab715c0cff45e089d0782b6b1b85e5

SHA1
1674a9bedd0d6bd597e6e9a2ea1cead348a0a518

SHA256
b2a5ee09d8a73d9a477e68cae35af6bfa5c08e337a572755a78868314cf7819a

SHA512
6656bb676424b85b67175c9ccaa3efed84af7c9ddaa2671bdece920b99c385e8d3e929564eae5d34555dcad5dbfb50b044d597ece7bba8d5f96a961b7b2a81ca

Download Submit
\Users\Admin\haihaep.exe

Filesize
48KB

MD5
12ab715c0cff45e089d0782b6b1b85e5

SHA1
1674a9bedd0d6bd597e6e9a2ea1cead348a0a518

SHA256
b2a5ee09d8a73d9a477e68cae35af6bfa5c08e337a572755a78868314cf7819a

SHA512
6656bb676424b85b67175c9ccaa3efed84af7c9ddaa2671bdece920b99c385e8d3e929564eae5d34555dcad5dbfb50b044d597ece7bba8d5f96a961b7b2a81ca

Download Submit
\Users\Admin\haihaep.exe

Filesize
48KB

MD5
12ab715c0cff45e089d0782b6b1b85e5

SHA1
1674a9bedd0d6bd597e6e9a2ea1cead348a0a518

SHA256
b2a5ee09d8a73d9a477e68cae35af6bfa5c08e337a572755a78868314cf7819a

SHA512
6656bb676424b85b67175c9ccaa3efed84af7c9ddaa2671bdece920b99c385e8d3e929564eae5d34555dcad5dbfb50b044d597ece7bba8d5f96a961b7b2a81ca

Download Submit
memory/944-56-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download