Analysis

  • max time kernel
    131s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/02/2024, 16:46

General

  • Target

    HAFELE Hotel Locks System Multiple Reception V15.6.msi

  • Size

    2.2MB

  • MD5

    95acdec7c71cece590beaf404f628770

  • SHA1

    bf127586d48f1208d11ff1b5696fc0d44c2f02bf

  • SHA256

    7919453eee5bcd3b4842c99ae790fddfef2e6e0336abccfc19da4bab823b9ed1

  • SHA512

    139ca17aabfddd802fd4a848318c0a492fa9e680bf7486c5e259971928f991fdb9aa0b7fa6217a857ac3e22225d685b9e62a3ca9fe9bf523980dfd5b14cffc60

  • SSDEEP

    49152:5RIMYYyjGXiV2lVDOvEwqDhIAxWgLJnajwhwl0ZrTo+ubcGdd:WYym4mVqvpqIAxWknSco0Zg+od

Score
6/10

Signatures

  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (21 IoCs)
  • Drops file in Windows directory (12 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (4 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 5 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS (3 IoCs)
  • Modifies registry class (23 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\HAFELE Hotel Locks System Multiple Reception V15.6.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1144
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:3680
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:2052
    • C:\Program Files (x86)\HAFELE\MHS\HTLock.exe
      "C:\Program Files (x86)\HAFELE\MHS\HTLock.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1268

Downloads

    • C:\Config.Msi\e58ab4f.rbs

      Filesize

      9KB

      MD5

      882050974d9e40752b6f2e01157eb5a5

      SHA1

      0efc4a976f594c97cc71d44ad11f69ef36021ab6

      SHA256

      9bc6ef4689f0035f4daef99847f89bffa88cd14dbb9ab2286e4215cd4b3c6b6d

      SHA512

      c253453385b6f885b7b6768ddc22c3e0b3433599ce681fc93c081546e0a6ae9dc54a44a3ecb5b45bf06b7b4d963c0f8f7a55a422acb38d4cd6786f2df7f1488c

    • C:\Program Files (x86)\HAFELE\MHS\HTLock.ENU

      Filesize

      2.0MB

      MD5

      24b06816405a034ff70b61a029be8935

      SHA1

      4da8200dbb45d58121ca68c28e8e5895cdf6c9a9

      SHA256

      f38a64af5f3652aa473088411357c6b4a876124d9902b7a53be6d4b0da779ff9

      SHA512

      4d40207d5ebbed38a9ce4ca9e91cdaa18547cebd6c8a2526253672081eefc6b6fa75c906356cd8e5cced4c5104dbd82da576b4c4dc4510b539f2271c40dd41ce

    • C:\Program Files (x86)\HAFELE\MHS\HTLock.exe

      Filesize

      4.0MB

      MD5

      e8e794f11d9cadf5427ae9969585ce71

      SHA1

      26e703d961efeccec9c2fdf2d10663595bcb265a

      SHA256

      a0803fa58e9ac35fb2e679b15e51d221958f18c3ea9d45729fe4b47f0d89d171

      SHA512

      780bff548f1de2c56b7064ad316b64d880d0389a9dfa3a007a582839e3ca412f6e7e7a865a8d6a56a29dfa9951dc4ce597175d22239b25d3fb9777d65c06b3b7

    • C:\Program Files (x86)\HAFELE\MHS\HTLock.exe

      Filesize

      2.3MB

      MD5

      42bff685fa304ede062d9ecd2a71832c

      SHA1

      3df67c58a21ac404d21aed78b2733471b39d9016

      SHA256

      ea655c84ebf52f7805778853535c5c74c7971e8162b29de79a624027431b70b0

      SHA512

      4f5fa89218af8c00b22c35ae61e1e98ec36859b0f0f2606fe2b64239360de4d5d8fefc2b8adeb08e52c45774cc8d3ad0400875d2ee50e4a6711ca54bcdc29111

    • C:\Program Files (x86)\HAFELE\MHS\HTLock.exe

      Filesize

      2.1MB

      MD5

      7cbf4b7059b09729d7661547dd797e42

      SHA1

      fa54435c400eb42ffbdee0620f37c17ea4fc3ca3

      SHA256

      1e4abda12a9b07e15103770f5e72bbc8cdd7e716197205456e9fe285d9f03123

      SHA512

      50f8d5b6c1566dacd0b99be61b3136bcbfebe0cf9fb6815549fbffc651fc343e0af3a8ad1672e2e1db7ef07a44e982afa3e60b034d53a24f64f62b1e02b1a4ff

    • C:\Program Files (x86)\HAFELE\MHS\Reader.dll

      Filesize

      41KB

      MD5

      fe9f82b304e0bcb5e22839f0fb01671f

      SHA1

      93b1bd85272f54969a532eb8751897d23f679d07

      SHA256

      bb46b583ce915f88302eb7658f5a22e459a745e52f110eadbfd245d217f4f706

      SHA512

      b9ac1f4422187a18d5438e8aea9610f7688823d2e80c091f2b2d6c501a80f4556fc6ea5cf55cb1dcaad33251a33142eb955725f057ecaf20c16370dab4df4f47

    • C:\Program Files (x86)\HAFELE\MHS\TCPReader.dll

      Filesize

      12KB

      MD5

      f7d500a9a20dfd42868454911753d1fb

      SHA1

      4737a793db50418045576334581008440fc4dc7c

      SHA256

      34ac9adfddee50ea19e6d351cacd842213c9256886f89d115601f681f2231ffe

      SHA512

      fdffd64051a17846a890484204f743d4ff23271b9361c59e602bf966ea2efb52c3c96d5ad1afd69c1b3a3e6c7caaee33cc2877d1d7b8e65ad4e44b693963c5e4

    • C:\Program Files (x86)\HAFELE\MHS\logo_hafele.bmp

      Filesize

      60KB

      MD5

      078edb0ca5b7345a0d1132ac35ec8b69

      SHA1

      a93fe88a3fde8730ebcdecc7811a3fec69fe47bb

      SHA256

      af9bfcbdb771f6cb2c2ecfb1bcf2facb1eca46d5a606bea7abdb65fe69457f3c

      SHA512

      f985afb1f39648347c563286f9f01cfbc694334c726f11f585f63b463c25fb84baf5b0631e1e9c93e341b001164672e6c5615817f99bfbc50ed7dd6d6d37dc7f

    • C:\Program Files (x86)\HAFELE\MHS\oem.ini

      Filesize

      179B

      MD5

      b798ebe72a2ed6128537ce1b490167f2

      SHA1

      74c9fe55bb7a0e9c45b4d7f59370def26ee7ef03

      SHA256

      13f213a72bdc59c3175066b8d3f92cbf3ea397b1b123b5941188d5eba1c2625e

      SHA512

      9ff2d1a82b41e40a88c373e06e10373875ca43289aa32e22f7a4a39922d872dc19bf20ef76ad922aeec8ae93cca84f52df3354024003a3ba385dc5a88886ec70

    • C:\Program Files (x86)\HAFELE\MHS\pda.dll

      Filesize

      10KB

      MD5

      505840cf61121f60a0efde400d1d6e64

      SHA1

      ca4db98ae13d13185354dc9b56a3e3797698f394

      SHA256

      1607a5b5504e0c5d081d38c4b6a8d9a8291d4f411241fcb31fd6f0ba7ae16eed

      SHA512

      811ad7b56a03e08e13ca20c8961c20fd5fc28ebcfea853669b95934d8cad40c33c6a94afdf65d619bbd1e453e25b382d6ee56d3d3c627cd76532693f18af359a

    • C:\Program Files (x86)\HAFELE\MHS\pdav2.dll

      Filesize

      10KB

      MD5

      ad97a6372527f9d5e9729f52c4b4ca0f

      SHA1

      8317d6922a5d31949a1c143e43dc8437c537efab

      SHA256

      2a1039ce4d7932a13bd3d0fb4214c173adac5596c8c482d96dfa09b77b4af0f6

      SHA512

      6109ca172b5d407b056052dc56d60f32c762f8c0f770fdc3f7f24035f5fda536739fd91815734389c6ad5ff949e3d87566d6e135edf22b0c0151f38565e5d642

    • C:\Windows\Installer\e58ab4e.msi

      Filesize

      2.2MB

      MD5

      95acdec7c71cece590beaf404f628770

      SHA1

      bf127586d48f1208d11ff1b5696fc0d44c2f02bf

      SHA256

      7919453eee5bcd3b4842c99ae790fddfef2e6e0336abccfc19da4bab823b9ed1

      SHA512

      139ca17aabfddd802fd4a848318c0a492fa9e680bf7486c5e259971928f991fdb9aa0b7fa6217a857ac3e22225d685b9e62a3ca9fe9bf523980dfd5b14cffc60

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      21.8MB

      MD5

      0b75f082a91025fb1a856ff377915974

      SHA1

      1ecb1d3fc5e623ee71a863ea2bb2660e65785325

      SHA256

      642117e17506a217977262586bb2b0ed83dd426ce48071a13317088069b22d64

      SHA512

      5e72e6c453815faeec4137684f12b49ea7d3b0836d35a6d5a27b72c8bf4bbc8f17b560a464d350a8f184115f1a4995df813388ad447cad3f793d940f19e64032

    • \??\Volume{23ef4afe-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{291791bc-c383-44a4-bba4-7037d06afba3}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      ddeb9a832cf8af64a80913dc33ed4669

      SHA1

      910f973f43fc2694a18e61b056ccee5dc1b4ea3d

      SHA256

      ae135292e82efe4fedb2224d8d3936734e557bb73eaa5c1e2c09fe30ba34005d

      SHA512

      ae755f42a5554b113d033a7ef0733d3f9fcb33194d8036236df5c985a5fa6cf52d90f2b54f53f294e2246bc9b157b9cd77ccd973d7931937f6d20602a3b85e6d

    • memory/1268-66-0x0000000002670000-0x0000000002671000-memory.dmp

      Filesize

      4KB

    • memory/1268-72-0x0000000000400000-0x0000000000876000-memory.dmp

      Filesize

      4.5MB

    • memory/1268-73-0x0000000000400000-0x0000000000876000-memory.dmp

      Filesize

      4.5MB

    • memory/1268-74-0x0000000002670000-0x0000000002671000-memory.dmp

      Filesize

      4KB

    • memory/1268-76-0x0000000000400000-0x0000000000876000-memory.dmp

      Filesize

      4.5MB

    • memory/1268-77-0x0000000000400000-0x0000000000876000-memory.dmp

      Filesize

      4.5MB