44d2beb8f1baf8eaa45bb11329e1ce31a42ce8d34ef674f9ef0448ad719af0c9

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 17:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

085b8e9398cb3025341cd92de727557e.exe
Size

380KB
MD5

085b8e9398cb3025341cd92de727557e
SHA1

d302dfe43ae3e9da4b810ada55d64a42c1c09b3e
SHA256

44d2beb8f1baf8eaa45bb11329e1ce31a42ce8d34ef674f9ef0448ad719af0c9
SHA512

14eae39743377a41423b7c17dacc569fd5b11edc8c5920025ca459008090d4d5fb7f47effcb456314015f2adca8916ce6740879fa03d5dc87f5fbb5d40087dd3
SSDEEP

6144:oht36K1Zc/jWhvd0yTNxjT0M1zWyjYd/dG:6tKKQeV0C30IzWf8

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	haeevi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	085b8e9398cb3025341cd92de727557e.exe

Executes dropped EXE 1 IoCs

pid	Process
3008	haeevi.exe

Loads dropped DLL 2 IoCs

pid	Process
2888	085b8e9398cb3025341cd92de727557e.exe
2888	085b8e9398cb3025341cd92de727557e.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /w"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /o"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /p"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /k"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /h"	085b8e9398cb3025341cd92de727557e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /j"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /s"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /e"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /f"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /r"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /y"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /v"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /m"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /d"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /n"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /b"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /c"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /h"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /t"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /x"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /u"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /a"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /i"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /l"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /z"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /q"	haeevi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haeevi = "C:\\Users\\Admin\\haeevi.exe /g"	haeevi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2888	085b8e9398cb3025341cd92de727557e.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe
3008	haeevi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2888	085b8e9398cb3025341cd92de727557e.exe
3008	haeevi.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 3008	2888	085b8e9398cb3025341cd92de727557e.exe	28
PID 2888 wrote to memory of 3008	2888	085b8e9398cb3025341cd92de727557e.exe	28
PID 2888 wrote to memory of 3008	2888	085b8e9398cb3025341cd92de727557e.exe	28
PID 2888 wrote to memory of 3008	2888	085b8e9398cb3025341cd92de727557e.exe	28

C:\Users\Admin\AppData\Local\Temp\085b8e9398cb3025341cd92de727557e.exe
"C:\Users\Admin\AppData\Local\Temp\085b8e9398cb3025341cd92de727557e.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\haeevi.exe
  "C:\Users\Admin\haeevi.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\haeevi.exe

Filesize
157KB

MD5
c504a918e49ff1a6c250eef9e2808497

SHA1
c8b97f60a8cdd4140f1c5110b3b092210d9bef21

SHA256
b3a1ce3f7b0a299589af197492d13d6902084b83ff7d19b5ece3f0fba06c2dbb

SHA512
08c4683485eb44fabb371a9ffc65d9a2fa2fb93e594f118f4d6691809b8b4ff4cab2bbfabe691f1086805c4290396dde787dbb88e6d090a44404b1af6131b5d1

Download Submit
\Users\Admin\haeevi.exe

Filesize
380KB

MD5
f5e6e23e793c9641855585db2dffffaf

SHA1
02e6036dd5ec827dddd79bb874ddcd6e1302c7bd

SHA256
5d7356b91f5e626e60ecae92521035a1763e6f50ed6299c99183980f77ade31b

SHA512
fe8c46b0aa32fa588c7f916ee0f0568c5e6e896d2475f85ee295d47f82adc4827294c04d65beb1159e60ae5a7b2824ccbe63bfa2c436b33306e01c52a89a0d9e

Download Submit