Analysis

  • max time kernel
    192s
  • max time network
    201s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/12/2022, 20:21

General

  • Target

    9f415a4ea18f2edad7c14c85ad20844c2281745d351d53606e6be713e494edaf.exe

  • Size

    264KB

  • MD5

    08b853160667ce3bf4ab021586e13590

  • SHA1

    949b98d8e7755aaf3fea2e9c4cba686f9d9b75c7

  • SHA256

    9f415a4ea18f2edad7c14c85ad20844c2281745d351d53606e6be713e494edaf

  • SHA512

    99662091ab48c6200d7e945ffe7cc137b4faa0ca075a75149e1213aed94873a6695bc50b3c14fa309ed9f97434aed99dd62b9821ee49ebe3d8b419834f23e881

  • SSDEEP

    6144:/FZ8gY0OqFNLVJ6S0lE+6LVjlWPuEwTIwMe/wwU3ch:/zHhNLVJ/nLVjlWPuEwam

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 58 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f415a4ea18f2edad7c14c85ad20844c2281745d351d53606e6be713e494edaf.exe
    "C:\Users\Admin\AppData\Local\Temp\9f415a4ea18f2edad7c14c85ad20844c2281745d351d53606e6be713e494edaf.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Users\Admin\haamuiq.exe
      "C:\Users\Admin\haamuiq.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:3504
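The process tree and signatures above translate directly into host-triage checks. The PowerShell below is an added example, not part of the sandbox report and not code from the sample: it looks for the dropped file at the path the report records, compares file hashes against the report's SHA256 values, inspects Run keys, and dumps the Explorer and locale registry values the signatures refer to. The report names the behaviours but not the registry locations, so the Run key paths, the Explorer\Advanced value names (Hidden, ShowSuperHidden) and the Geo\Nation location are assumptions based on the usual Windows locations, and the profile name is taken from $env:USERPROFILE rather than the sandbox's "Admin".

```powershell
# Added host-triage example for the report above; not the report's or the sample's own code.
# Known from the report: dropped file C:\Users\<user>\haamuiq.exe and the SHA256 hashes below.
# Assumptions (not stated in the report): Run-key locations, the Explorer\Advanced value names,
# and HKCU\Control Panel\International\Geo\Nation as the country-code lookup.

$Iocs = @{
    DroppedPath   = Join-Path $env:USERPROFILE 'haamuiq.exe'
    DroppedSha256 = '0CE3C52FA5E7D8001B727A1ABBE28629D066E07A48A79F421E3776A363B04735'
    ParentSha256  = '9F415A4EA18F2EDAD7C14C85AD20844C2281745D351D53606E6BE713E494EDAF'
}
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped EXE: present at the reported path, and does the hash match?
if (Test-Path -LiteralPath $Iocs.DroppedPath) {
    $h = (Get-FileHash -LiteralPath $Iocs.DroppedPath -Algorithm SHA256).Hash
    if ($h -eq $Iocs.DroppedSha256) {
        $findings.Add("dropped payload present, SHA256 match: $($Iocs.DroppedPath)")
    } else {
        $findings.Add("file at dropped path but hash differs ($h): $($Iocs.DroppedPath)")
    }
}

# 2. Run-key persistence ("Adds Run key to start application"); assumed key locations.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
        # flag the reported file name, or any EXE launched straight out of a user profile
        if ($p.Value -match 'haamuiq\.exe' -or $p.Value -match '\\Users\\[^\\]+\\[^\\]+\.exe') {
            $findings.Add("Run entry $k\$($p.Name) = $($p.Value)")
        }
    }
}

# 3. Explorer hidden/system file visibility; assumed value names. Hidden=2 and
#    ShowSuperHidden=0 are also the Windows defaults, so compare against your baseline
#    (or the key's LastWriteTime) rather than treating the values alone as malicious.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if (Test-Path $adv) {
    $a = Get-ItemProperty -Path $adv
    $findings.Add("Explorer\Advanced: Hidden=$($a.Hidden) ShowSuperHidden=$($a.ShowSuperHidden)")
}

# 4. Country code the "Checks computer location settings" signature refers to; assumed location.
$geo = 'HKCU:\Control Panel\International\Geo'
if (Test-Path $geo) {
    $findings.Add("Geo\Nation = $((Get-ItemProperty -Path $geo).Nation)")
}

# 5. Any live process whose image matches either reported hash (renamed copies included).
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    try {
        $ph = (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256).Hash
        if ($ph -in @($Iocs.DroppedSha256, $Iocs.ParentSha256)) {
            $findings.Add("running process $($_.Name) (PID $($_.Id)) matches IoC hash: $($_.Path)")
        }
    } catch { }   # access denied on protected processes is expected
}

if ($findings.Count -eq 0) { 'no IoC matches' } else { $findings }
```

Run it in an elevated session on the suspect host; the hash comparison is the only check that is conclusive on its own, the Run-key and registry values are leads to confirm against the host's baseline, and the PIDs in the report (1596, 3504) are sandbox-specific and are not reused here.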

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\haamuiq.exe

    Filesize

    264KB

    MD5

    effdb3c0934d8cf83f955cbb6dd8edab

    SHA1

    1a8357366166cb8642b7946de016dfa2a61be3b6

    SHA256

    0ce3c52fa5e7d8001b727a1abbe28629d066e07a48a79f421e3776a363b04735

    SHA512

    2f2d4ad56a35e904adb236bfa62b9e1681633fe6118dc2cb219a7e75435457dee2b291939315f910810554227aae3921618f8e66ca29448dedba006a68387534
