Analysis
max time kernel: 148s
max time network: 130s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2023, 07:27

Static task: static1

Behavioral task: behavioral1
Sample: 5c7eab8583f6e0902b4cae42627d332e.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 5c7eab8583f6e0902b4cae42627d332e.exe
Resource: win10v2004-20231215-en
General
Target: 5c7eab8583f6e0902b4cae42627d332e.exe
Size: 96KB
MD5: 5c7eab8583f6e0902b4cae42627d332e
SHA1: 8ec00504ec21d5d91facf95ff9d42301c3259d2e
SHA256: 18a13b6b15ef7ea640272f5b4715db3e1758f2ea49ad1223c21b8a13f9fe1c83
SHA512: 1063ebfc7d804b50d9ec0048e111ca53d38b8445315906cc71eb396b60b51de1b45d028f3b5904808630ece97009d686eec86a31f5c577cecb585e1dbf3fa157
SSDEEP: 1536:PkUEg52tg9tyVQO8P8ych70wjj3RJNEo/knRzdnynE7RldNEP8lijOezNIjnZ/JM:PZE/tgelych9zR3Ek65RldqzCnpJTo
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 5c7eab8583f6e0902b4cae42627d332e.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | haexae.exe

Executes dropped EXE (1 IoCs)
pid | Process
2192 | haexae.exe

Loads dropped DLL (2 IoCs)
pid | Process
2980 | 5c7eab8583f6e0902b4cae42627d332e.exe
2980 | 5c7eab8583f6e0902b4cae42627d332e.exe
Adds Run key to start application (2 TTPs, 53 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /k" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /L" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /K" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /d" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /S" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /P" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /c" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /v" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /e" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /X" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /j" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /Y" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /Z" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /T" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /G" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /M" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /W" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /C" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /A" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /m" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /J" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /i" | 5c7eab8583f6e0902b4cae42627d332e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /H" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /s" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /l" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /D" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /q" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /i" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /x" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /y" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /p" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /O" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /R" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /g" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /U" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /r" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /t" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /o" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /N" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /w" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /B" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /a" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /b" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /h" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /u" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /E" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /V" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /f" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /F" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /n" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /Q" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /I" | haexae.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\haexae = "C:\\Users\\Admin\\haexae.exe /z" | haexae.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2980 | 5c7eab8583f6e0902b4cae42627d332e.exe
2192 | haexae.exe (this pid/process pair is listed 63 times)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2980 | 5c7eab8583f6e0902b4cae42627d332e.exe
2192 | haexae.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2980 wrote to memory of 2192 | 2980 | 5c7eab8583f6e0902b4cae42627d332e.exe | 28
PID 2980 wrote to memory of 2192 | 2980 | 5c7eab8583f6e0902b4cae42627d332e.exe | 28
PID 2980 wrote to memory of 2192 | 2980 | 5c7eab8583f6e0902b4cae42627d332e.exe | 28
PID 2980 wrote to memory of 2192 | 2980 | 5c7eab8583f6e0902b4cae42627d332e.exe | 28
Processes

1. C:\Users\Admin\AppData\Local\Temp\5c7eab8583f6e0902b4cae42627d332e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5c7eab8583f6e0902b4cae42627d332e.exe"
   PID: 2980
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\haexae.exe
      Command line: "C:\Users\Admin\haexae.exe"
      PID: 2192
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15

Downloads
Filesize: 96KB
MD5: e30f4925652025d33774215e39a7ef48
SHA1: 7d793b7bd4f1a1f4ed25038f3da39e73b2927790
SHA256: f7c55399d67c31b7943653e4eaeca8c0e33b8af4c00b331a63b00118d54b1291
SHA512: e390e0a1e763d2544fa6c5ea4c8efc278ac5a9028e7736c19b96e02ca06da68f64b49eef05b7f101977b79db70cb064f01fe7a3c4cd03445ff97e936b6a30f46