Analysis

max time kernel: 202s
max time network: 215s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/12/2023, 15:49
Static task: static1

Behavioral task: behavioral1
  Sample: 0454a4dfeee4dac8ebe4856f297c81c1.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 0454a4dfeee4dac8ebe4856f297c81c1.exe
  Resource: win10v2004-20231215-en
General

Target: 0454a4dfeee4dac8ebe4856f297c81c1.exe
Size: 48KB
MD5: 0454a4dfeee4dac8ebe4856f297c81c1
SHA1: bc158a5f253de248f3642ec95237df5109525960
SHA256: 30fc472a863550006d6cfccd012c10d9e5781c106929f0c83b260f37b2c1b40f
SHA512: 919e1eefdc814876eb0a52e262fe209dd76a221b1085eac8ff8eff02c0aa91bf4614da05e669791fbf5b2e1f02cae4e1a8c69e4d1bb9b7ac6bf5577a5885abf5
SSDEEP: 768:JcEJb96hGGAWc7U2xtgTVH7NHaurxmWXOQfwoObuPb77e0:JcEJZWCxml5lXAoO+H79
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: haihaep.exe)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation (process: 0454a4dfeee4dac8ebe4856f297c81c1.exe)

Executes dropped EXE (1 IoC)
  PID 2456: haihaep.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\haihaep = "C:\\Users\\Admin\\haihaep.exe" (process: haihaep.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2456: haihaep.exe (the same pid/process pair is listed for all 64 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2424: 0454a4dfeee4dac8ebe4856f297c81c1.exe
  PID 2456: haihaep.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 2424 wrote to memory of 2456; process 0454a4dfeee4dac8ebe4856f297c81c1.exe; procid_target 94 (listed 3 times)
  PID 2456 wrote to memory of 2424; process haihaep.exe; procid_target 42 (listed for all remaining entries)
Processes

C:\Users\Admin\AppData\Local\Temp\0454a4dfeee4dac8ebe4856f297c81c1.exe (PID 2424)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0454a4dfeee4dac8ebe4856f297c81c1.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\haihaep.exe (PID 2456, child of PID 2424)
    Command line: "C:\Users\Admin\haihaep.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 48KB
MD5: b32a8ad2727dc3452d712f426cecfa8d
SHA1: db15833513410273990f370d4dd146024449121d
SHA256: c456f9e80a473bf8917d78e530250707caea40146e2a043915d3ae92ee1d44c9
SHA512: f2e46d565f0aed6027f45229aa581edeab57fe07abb8e1aa058db8904c11f90c82972a896500195ce2a21618e5c7a5d365f0922742fa432656778adaf3cc4b90