6349fd6ed3293a8ec21d5b046e131dc4b6d363d7a91fb6dab276e7127a8afac9

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 22:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1e17f25ae1349b2e1fb5472d8b1485b4.exe
Size

528KB
MD5

1e17f25ae1349b2e1fb5472d8b1485b4
SHA1

db6583ceaeb7756dc045eee19a03d91685507ecf
SHA256

6349fd6ed3293a8ec21d5b046e131dc4b6d363d7a91fb6dab276e7127a8afac9
SHA512

074ba0c5511839841f437932c67e8fafb13a66ce8512325a959dc0c8a249858a69dd71e622351ac6270f6115e648f4e133d498d227a4701d4ad827675a3a43d3
SSDEEP

12288:D5OHH9t0ATT5FH3B8BXrmBriIgvUJypEYCAK7RlBO4ybC4nTXtn5v53:DIEA/gk7ypzK7RlBO4cCuTdnF53

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\hahagame\Skins\冬季恋歌.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File created	C:\Program Files (x86)\hahagame\Skins\蔚蓝天际.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File created	C:\Program Files (x86)\hahagame\828la.exe	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File opened for modification	C:\Program Files (x86)\hahagame	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File created	C:\Program Files (x86)\hahagame\Skins\Office2003.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File opened for modification	C:\Program Files (x86)\hahagame\Skins	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File opened for modification	C:\Program Files (x86)\hahagame\Skins\青葱岁月.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File opened for modification	C:\Program Files (x86)\hahagame\Skins\Office2003.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File opened for modification	C:\Program Files (x86)\hahagame\Skins\金色年华.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File opened for modification	C:\Program Files (x86)\hahagame\Skins\Office2007.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File opened for modification	C:\Program Files (x86)\hahagame\Skins\兰色沉思.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File opened for modification	C:\Program Files (x86)\hahagame\Skins\冬季恋歌.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File opened for modification	C:\Program Files (x86)\hahagame\Skins\怀旧木纹.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File created	C:\Program Files (x86)\hahagame\Skins\金属之美.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File opened for modification	C:\Program Files (x86)\hahagame\Skins\灰色轨迹.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File created	C:\Program Files (x86)\hahagame\Skins\金色年华.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File opened for modification	C:\Program Files (x86)\hahagame\Skins\蔚蓝天际.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File opened for modification	C:\Program Files (x86)\hahagame\Skins\金属之美.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File created	C:\Program Files (x86)\hahagame\Skins\灰色轨迹.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File created	C:\Program Files (x86)\hahagame\Skins\简约之美.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File created	C:\Program Files (x86)\hahagame\Skins\青葱岁月.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File created	C:\Program Files (x86)\hahagame\__tmp_rar_sfx_access_check_259394219	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File created	C:\Program Files (x86)\hahagame\Skins\Office2007.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File created	C:\Program Files (x86)\hahagame\Skins\兰色沉思.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File created	C:\Program Files (x86)\hahagame\Skins\怀旧木纹.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe
File opened for modification	C:\Program Files (x86)\hahagame\Skins\简约之美.asz	1e17f25ae1349b2e1fb5472d8b1485b4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1924	1e17f25ae1349b2e1fb5472d8b1485b4.exe

C:\Users\Admin\AppData\Local\Temp\1e17f25ae1349b2e1fb5472d8b1485b4.exe
"C:\Users\Admin\AppData\Local\Temp\1e17f25ae1349b2e1fb5472d8b1485b4.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1924-24-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download