c986876554795ea2f993e79d06b33ac4e07cdde76d90e937a94fe502b3deeaee

Analysis

max time kernel
152s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c986876554795ea2f993e79d06b33ac4e07cdde76d90e937a94fe502b3deeaee.exe
Size

156KB
MD5

83d4afe9147bf089e7128fb2eeffa623
SHA1

4541eec0c5e5279576de181e6f48bd4394a473d3
SHA256

c986876554795ea2f993e79d06b33ac4e07cdde76d90e937a94fe502b3deeaee
SHA512

006a9d86d55d3c4cd23f6298c2ee1db7b3d4502b00e6a4646305c971239b052b95e5014e53e7b8a0a4545e097de5936576c2fb579ab8f17bdc6eabe38f8ff58b
SSDEEP

3072:X0O2OWj5h3QKWXXWXG8FF7K+AmsgE5kEZZZy6x8z4oQZiEe29:7WjX3QKKXWFFF7KlgaS/WwI

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c986876554795ea2f993e79d06b33ac4e07cdde76d90e937a94fe502b3deeaee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	heaxe.exe

Executes dropped EXE 1 IoCs

pid	Process
944	heaxe.exe

Loads dropped DLL 2 IoCs

pid	Process
1528	c986876554795ea2f993e79d06b33ac4e07cdde76d90e937a94fe502b3deeaee.exe
1528	c986876554795ea2f993e79d06b33ac4e07cdde76d90e937a94fe502b3deeaee.exe

Adds Run key to start application 2 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /R"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /C"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /k"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /S"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /x"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /z"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /K"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /g"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /o"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /Z"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /H"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /m"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /a"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /f"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /n"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /Y"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /O"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /d"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /A"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /e"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /G"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /F"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /r"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /h"	heaxe.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /N"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /P"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /u"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /p"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /w"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /l"	heaxe.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	c986876554795ea2f993e79d06b33ac4e07cdde76d90e937a94fe502b3deeaee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /I"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /U"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /D"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /B"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /c"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /V"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /X"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /L"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /W"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /t"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /S"	c986876554795ea2f993e79d06b33ac4e07cdde76d90e937a94fe502b3deeaee.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /j"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /s"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /y"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /q"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /Q"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /T"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /J"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /v"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /b"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /E"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /M"	heaxe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\heaxe = "C:\\Users\\Admin\\heaxe.exe /i"	heaxe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1528	c986876554795ea2f993e79d06b33ac4e07cdde76d90e937a94fe502b3deeaee.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe
944	heaxe.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1528	c986876554795ea2f993e79d06b33ac4e07cdde76d90e937a94fe502b3deeaee.exe
944	heaxe.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 944	1528	c986876554795ea2f993e79d06b33ac4e07cdde76d90e937a94fe502b3deeaee.exe	27
PID 1528 wrote to memory of 944	1528	c986876554795ea2f993e79d06b33ac4e07cdde76d90e937a94fe502b3deeaee.exe	27
PID 1528 wrote to memory of 944	1528	c986876554795ea2f993e79d06b33ac4e07cdde76d90e937a94fe502b3deeaee.exe	27
PID 1528 wrote to memory of 944	1528	c986876554795ea2f993e79d06b33ac4e07cdde76d90e937a94fe502b3deeaee.exe	27

C:\Users\Admin\AppData\Local\Temp\c986876554795ea2f993e79d06b33ac4e07cdde76d90e937a94fe502b3deeaee.exe
"C:\Users\Admin\AppData\Local\Temp\c986876554795ea2f993e79d06b33ac4e07cdde76d90e937a94fe502b3deeaee.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\heaxe.exe
  "C:\Users\Admin\heaxe.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\heaxe.exe

Filesize
156KB

MD5
1ef5e7c9928cee2fab2e0652294c6ba8

SHA1
900c971d1b93becc3b37f3904a6c2e9597ca607a

SHA256
a7ecebd9c8f6c085c598e4e1235e4957f05636ec5a2d7d94a03122c5ae1871c6

SHA512
4c1722efb549b95cc7a8de4817623920c61dbc20ab29100a98df7befb74344573765f1f80acffb0c904fff903a7f35ff9165060e9c3b4c3565babf4b68e73045

Download Submit
C:\Users\Admin\heaxe.exe

Filesize
156KB

MD5
1ef5e7c9928cee2fab2e0652294c6ba8

SHA1
900c971d1b93becc3b37f3904a6c2e9597ca607a

SHA256
a7ecebd9c8f6c085c598e4e1235e4957f05636ec5a2d7d94a03122c5ae1871c6

SHA512
4c1722efb549b95cc7a8de4817623920c61dbc20ab29100a98df7befb74344573765f1f80acffb0c904fff903a7f35ff9165060e9c3b4c3565babf4b68e73045

Download Submit
\Users\Admin\heaxe.exe

Filesize
156KB

MD5
1ef5e7c9928cee2fab2e0652294c6ba8

SHA1
900c971d1b93becc3b37f3904a6c2e9597ca607a

SHA256
a7ecebd9c8f6c085c598e4e1235e4957f05636ec5a2d7d94a03122c5ae1871c6

SHA512
4c1722efb549b95cc7a8de4817623920c61dbc20ab29100a98df7befb74344573765f1f80acffb0c904fff903a7f35ff9165060e9c3b4c3565babf4b68e73045

Download Submit
\Users\Admin\heaxe.exe

Filesize
156KB

MD5
1ef5e7c9928cee2fab2e0652294c6ba8

SHA1
900c971d1b93becc3b37f3904a6c2e9597ca607a

SHA256
a7ecebd9c8f6c085c598e4e1235e4957f05636ec5a2d7d94a03122c5ae1871c6

SHA512
4c1722efb549b95cc7a8de4817623920c61dbc20ab29100a98df7befb74344573765f1f80acffb0c904fff903a7f35ff9165060e9c3b4c3565babf4b68e73045

Download Submit
memory/944-59-0x0000000000000000-mapping.dmp

Download
memory/1528-56-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download