9d6fa0924b1af1e34d01ecf998135140d96ea73bcf1fe28941f66e1ba3f7d9bf

Analysis

max time kernel
15s
max time network
18s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
07-11-2023 12:49

Target

hahaha.exe
Size

2.3MB
MD5

d28dc0c7e546e8f0e4ac5b9106d72fda
SHA1

1d6720b2e4bfe813adfbe2b45e9554e3b4b08542
SHA256

9d6fa0924b1af1e34d01ecf998135140d96ea73bcf1fe28941f66e1ba3f7d9bf
SHA512

e279c197f83cf0bbcedead49f7efa7d8176187740b6f145f1058c714ab2fb7c250aee01b8f8dd625bcd1d7b5d50dd5c5c9e82409a1d06885d026f014b9c9ba7e
SSDEEP

49152:nkWk5cS7a+9XYaQ6Zehc4mTYJ78V9gyBn4czPfmP/SA8N:fajJhZ942KQV9hp44PfmP/SA8

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

hahaha.exe

pid process

1676 hahaha.exe
1676 hahaha.exe
1676 hahaha.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

hahaha.exe

description	pid	process	target process
PID 1676 wrote to memory of 1972	1676	hahaha.exe	cmd.exe
PID 1676 wrote to memory of 1972	1676	hahaha.exe	cmd.exe
PID 1676 wrote to memory of 1972	1676	hahaha.exe	cmd.exe
PID 1676 wrote to memory of 1972	1676	hahaha.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\hahaha.exe
"C:\Users\Admin\AppData\Local\Temp\hahaha.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\
  2⤵
  PID:1972

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact