Overview

overview

7

Static

static

3

HA CRYPTO ....0.exe

windows10-2004-x64

7

HA CRYPTO ...ip.dll

windows10-2004-x64

1

HA CRYPTO ...te.dll

windows10-2004-x64

1

HA CRYPTO ...er.exe

windows10-2004-x64

7

HA CRYPTO ...ha.exe

windows10-2004-x64

1

HA CRYPTO ...ht.dll

windows10-2004-x64

1

HA CRYPTO ...ht.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    60s
  • max time network
    61s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 18:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HA CRYPTO V1.0/HA CRYPTO V1.0.exe

  • Size

    214KB

  • MD5

    e6e477a66679ae79c895d2feb33cffc4

  • SHA1

    3644b76b669d90ea99d68f4b8a9c3c72a8a7ae04

  • SHA256

    89e7bcd5d477af3ae6dd5aaeb3203e731fb5b4b3de535a428f046e93b56bb258

  • SHA512

    6766a50ccb52d2bacefb4db022418e785ebc9737952b6176a210a35148766b0bf20a14ea8564a625ef587d1b1ef93495639f4792aa335827fc7b6ef28ce137a0

  • SSDEEP

    1536:34lLePESP2Wh3ydtORH4nczOv4RZFrBvDukGIIH5oEJMz:34lLcOWhUttnB4xBvDupIIZlMz

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HA CRYPTO V1.0\HA CRYPTO V1.0.exe
    "C:\Users\Admin\AppData\Local\Temp\HA CRYPTO V1.0\HA CRYPTO V1.0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Users\Admin\AppData\Local\Temp\HA CRYPTO V1.0\OpenCL\Launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\HA CRYPTO V1.0\OpenCL\Launcher.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:60
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4700
      • C:\Windows\IMF\Windows Services.exe
        "C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2096
        • C:\Windows\IMF\Secure System Shell.exe
          "C:\Windows\IMF\Secure System Shell.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4796
        • C:\Windows\IMF\Runtime Explorer.exe
          "C:\Windows\IMF\Runtime Explorer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4060
    • C:\Users\Admin\AppData\Local\Temp\HA CRYPTO V1.0\OpenCL\ha.exe
      "C:\Users\Admin\AppData\Local\Temp\HA CRYPTO V1.0\OpenCL\ha.exe"
      2⤵
        PID:5096

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dwitb3zc.g1a.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Windows\IMF\Runtime Explorer.exe
      Filesize

      144KB

      MD5

      4a55a159e56c22275bc17ac52903c8fb

      SHA1

      bab7f0bb787146c3a05e329d9003110560101d12

      SHA256

      1bdea1b16e15671768d3016775610c5a4ac20e0a411714fc323c374bc3e773d1

      SHA512

      02b82394f9c737564aed9f34f89acfcb6e8f90487b011c500b6f70d0e4cac05759d024bb57e1b1f9bf44768a904531129d69cfa85ea53d2339bf5c3abaf69b42

      Download Submit

    • C:\Windows\IMF\Runtime Explorer.exe
      Filesize

      144KB

      MD5

      4a55a159e56c22275bc17ac52903c8fb

      SHA1

      bab7f0bb787146c3a05e329d9003110560101d12

      SHA256

      1bdea1b16e15671768d3016775610c5a4ac20e0a411714fc323c374bc3e773d1

      SHA512

      02b82394f9c737564aed9f34f89acfcb6e8f90487b011c500b6f70d0e4cac05759d024bb57e1b1f9bf44768a904531129d69cfa85ea53d2339bf5c3abaf69b42

      Download Submit

    • C:\Windows\IMF\Runtime Explorer.exe
      Filesize

      144KB

      MD5

      4a55a159e56c22275bc17ac52903c8fb

      SHA1

      bab7f0bb787146c3a05e329d9003110560101d12

      SHA256

      1bdea1b16e15671768d3016775610c5a4ac20e0a411714fc323c374bc3e773d1

      SHA512

      02b82394f9c737564aed9f34f89acfcb6e8f90487b011c500b6f70d0e4cac05759d024bb57e1b1f9bf44768a904531129d69cfa85ea53d2339bf5c3abaf69b42

      Download Submit

    • C:\Windows\IMF\Secure System Shell.exe
      Filesize

      45KB

      MD5

      7d0c7359e5b2daa5665d01afdc98cc00

      SHA1

      c3cc830c8ffd0f53f28d89dcd9f3426be87085cb

      SHA256

      f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809

      SHA512

      a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407

      Download Submit

    • C:\Windows\IMF\Secure System Shell.exe
      Filesize

      45KB

      MD5

      7d0c7359e5b2daa5665d01afdc98cc00

      SHA1

      c3cc830c8ffd0f53f28d89dcd9f3426be87085cb

      SHA256

      f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809

      SHA512

      a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407

      Download Submit

    • C:\Windows\IMF\Secure System Shell.exe
      Filesize

      45KB

      MD5

      7d0c7359e5b2daa5665d01afdc98cc00

      SHA1

      c3cc830c8ffd0f53f28d89dcd9f3426be87085cb

      SHA256

      f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809

      SHA512

      a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407

      Download Submit

    • C:\Windows\IMF\Windows Services.exe
      Filesize

      46KB

      MD5

      ad0ce1302147fbdfecaec58480eb9cf9

      SHA1

      874efbc76e5f91bc1425a43ea19400340f98d42b

      SHA256

      2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3

      SHA512

      adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53

      Download Submit

    • C:\Windows\IMF\Windows Services.exe
      Filesize

      46KB

      MD5

      ad0ce1302147fbdfecaec58480eb9cf9

      SHA1

      874efbc76e5f91bc1425a43ea19400340f98d42b

      SHA256

      2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3

      SHA512

      adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53

      Download Submit

    • C:\Windows\IMF\Windows Services.exe
      Filesize

      46KB

      MD5

      ad0ce1302147fbdfecaec58480eb9cf9

      SHA1

      874efbc76e5f91bc1425a43ea19400340f98d42b

      SHA256

      2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3

      SHA512

      adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53

      Download Submit

    • memory/60-186-0x00000000068C0000-0x0000000006936000-memory.dmp

      Filesize

      472KB

      Download

    • memory/60-142-0x0000000005880000-0x0000000005890000-memory.dmp

      Filesize

      64KB

      Download

    • memory/60-187-0x00000000068A0000-0x00000000068BE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/60-140-0x0000000000D50000-0x0000000000D64000-memory.dmp

      Filesize

      80KB

      Download

    • memory/60-143-0x0000000005880000-0x0000000005890000-memory.dmp

      Filesize

      64KB

      Download

    • memory/60-141-0x0000000006CE0000-0x0000000006D5E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/2096-237-0x0000000004A10000-0x0000000004A20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2096-215-0x0000000004A10000-0x0000000004A20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2096-202-0x0000000000040000-0x0000000000052000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4700-203-0x0000000007990000-0x00000000079C2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4700-226-0x0000000007B30000-0x0000000007B3A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4700-163-0x00000000067C0000-0x00000000067DE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4700-146-0x0000000002E90000-0x0000000002EC6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4700-161-0x0000000002F90000-0x0000000002FA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4700-232-0x0000000007DE0000-0x0000000007DE8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4700-150-0x0000000006160000-0x00000000061C6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4700-231-0x0000000007E00000-0x0000000007E1A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4700-148-0x00000000058F0000-0x0000000005912000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4700-230-0x0000000007CF0000-0x0000000007CFE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4700-228-0x0000000007D40000-0x0000000007DD6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4700-149-0x0000000006080000-0x00000000060E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4700-162-0x0000000002F90000-0x0000000002FA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4700-204-0x000000006EE30000-0x000000006EE7C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4700-214-0x0000000006CE0000-0x0000000006CFE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4700-147-0x00000000059E0000-0x0000000006008000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4700-216-0x000000007F6F0000-0x000000007F700000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4700-217-0x0000000002F90000-0x0000000002FA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4700-218-0x0000000008100000-0x000000000877A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4700-220-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4796-223-0x0000000000EA0000-0x0000000000EB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4796-238-0x0000000005820000-0x0000000005830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4796-229-0x0000000005820000-0x0000000005830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4812-138-0x00000000057A0000-0x00000000057F6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/4812-134-0x00000000030E0000-0x000000000317C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4812-137-0x00000000031B0000-0x00000000031BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4812-135-0x0000000005BC0000-0x0000000006164000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4812-139-0x00000000055D0000-0x00000000055E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4812-133-0x0000000000BC0000-0x0000000000BFC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4812-136-0x0000000005610000-0x00000000056A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/5096-145-0x00000000004E0000-0x00000000005BA000-memory.dmp

      Filesize

      872KB

      Download

    • memory/5096-160-0x0000000005100000-0x0000000005110000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5096-235-0x0000000005100000-0x0000000005110000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5096-236-0x0000000005100000-0x0000000005110000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5096-164-0x0000000005100000-0x0000000005110000-memory.dmp

      Filesize

      64KB

      Download