Analysis
-
max time kernel
147s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25/12/2023, 16:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2e4838193f9ea687b28c964e40d8c1e9.exe
Resource
win7-20231129-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
2e4838193f9ea687b28c964e40d8c1e9.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
2e4838193f9ea687b28c964e40d8c1e9.exe
-
Size
204KB
-
MD5
2e4838193f9ea687b28c964e40d8c1e9
-
SHA1
ecd858ce508b20da22f448d9335c3698a7c8614b
-
SHA256
b07ba6a8c0f54ad6dbfd01e89a2ab3275c2b325d7dd7c1b33bc19b5378914c50
-
SHA512
9a9ca69514da1528a4d46443b5b897fe08d56564ceed0a15996696caa02f4186d686adf50e77b5c4194cdf71df1d1d89e8cf316dbc828fdf88997ec4bc183a29
-
SSDEEP
3072:FVepCcNp9fvyU+mzihKh8wpzDqulR3X9sDpLg6ZGKIXeYnwlD:FVeVAEV82llbs1g6+Xbw
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2e4838193f9ea687b28c964e40d8c1e9.exe Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" heiril.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation 2e4838193f9ea687b28c964e40d8c1e9.exe -
Executes dropped EXE 1 IoCs
pid Process 1340 heiril.exe -
Adds Run key to start application 2 TTPs 52 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /V" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /j" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /o" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /a" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /d" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /w" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /e" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /m" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /h" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /C" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /c" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /P" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /Z" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /X" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /R" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /u" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /x" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /U" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /q" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /O" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /f" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /A" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /t" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /B" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /r" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /k" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /i" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /y" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /n" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /Q" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /T" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /N" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /F" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /p" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /J" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /W" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /g" 2e4838193f9ea687b28c964e40d8c1e9.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /L" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /E" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /M" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /G" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /s" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /K" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /g" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /v" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /Y" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /b" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /D" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /I" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /S" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /l" heiril.exe Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiril = "C:\\Users\\Admin\\heiril.exe /H" heiril.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5056 2e4838193f9ea687b28c964e40d8c1e9.exe 5056 2e4838193f9ea687b28c964e40d8c1e9.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe 1340 heiril.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5056 2e4838193f9ea687b28c964e40d8c1e9.exe 1340 heiril.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5056 wrote to memory of 1340 5056 2e4838193f9ea687b28c964e40d8c1e9.exe 92 PID 5056 wrote to memory of 1340 5056 2e4838193f9ea687b28c964e40d8c1e9.exe 92 PID 5056 wrote to memory of 1340 5056 2e4838193f9ea687b28c964e40d8c1e9.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e4838193f9ea687b28c964e40d8c1e9.exe"C:\Users\Admin\AppData\Local\Temp\2e4838193f9ea687b28c964e40d8c1e9.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Users\Admin\heiril.exe"C:\Users\Admin\heiril.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1340
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD5cedb350d4913d12322cc268ff7b799e1
SHA1838145b881f3415632a961167c5ec68d03df9c8d
SHA2561f8dbcc5b96816f073824bd45e13a9a34fdb4cde0582f5980ab73e15efb48d66
SHA512b00783abf5a8a90cf25a404ab4b434b74abce306b20dbf0bf2e2f609de29acf18b368b2438005316d8138ef2c2a37abfec33e0ccdd728ff014c14fff0086fd1f