Overview

overview

7

Static

static

3

Hatch-1.9.3.exe

windows7-x64

7

Hatch-1.9.3.exe

windows10-2004-x64

7

Resubmissions

23-02-2024 12:12

240223-pdfnssga62 7

22-02-2024 20:44

240222-zjcjfafd56 7

22-02-2024 20:34

240222-zcklgafc76 10

Analysis

  • max time kernel
    1054s
  • max time network
    440s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-02-2024 12:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Hatch-1.9.3.exe

  • Size

    26.1MB

  • MD5

    ee4299c7cd102c07e3e1995909a6e3d2

  • SHA1

    06023c8802d2ea919228be2caac7de7604f29cc5

  • SHA256

    184477c1255104df23974e459338c3b5c6364ff8fa70ebc81765a25762b39d19

  • SHA512

    aed814dbb14833ae06915a44ebc3019f97eb7078a7583c1d1b2245170f672d70c8d411813b0ee1c73f0f32e2e54bba038f57cfbf60c95c46dceac669a30ef0ed

  • SSDEEP

    786432:hqpXhwkzW6IivTQ3ZQj0zkhGxdgl2PHMeAB1i:gpXhLzW61vcGwxdgl2PH1M1i

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 8 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Hatch-1.9.3.exe
    "C:\Users\Admin\AppData\Local\Temp\Hatch-1.9.3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\Windows\Temp\{E8D03B29-7E18-4EC8-94D7-7147B7D32ADF}\.cr\Hatch-1.9.3.exe
      "C:\Windows\Temp\{E8D03B29-7E18-4EC8-94D7-7147B7D32ADF}\.cr\Hatch-1.9.3.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\Hatch-1.9.3.exe" -burn.filehandle.attached=692 -burn.filehandle.self=536
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Windows\Temp\{F996373E-3D10-4BD4-92AD-21F7A3268485}\.be\Hatch-1.9.3.exe
        "C:\Windows\Temp\{F996373E-3D10-4BD4-92AD-21F7A3268485}\.be\Hatch-1.9.3.exe" -q -burn.elevated BurnPipe.{1F1E352F-DA4C-4B28-B2FF-C1AAEFF20668} {357A93B7-7C6F-43F6-A912-1F0584BE9360} 4268
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3232
        • C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe
          "C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe" /install /quiet /norestart
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4780
          • C:\Windows\Temp\{B47B315D-DEE9-468B-B230-382CF1EDD92A}\.cr\VC_redist.x64.exe
            "C:\Windows\Temp\{B47B315D-DEE9-468B-B230-382CF1EDD92A}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe" -burn.filehandle.attached=552 -burn.filehandle.self=408 /install /quiet /norestart
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:4496
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2044
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:2244
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
      PID:2988
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3880

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e582d46.rbs
      Filesize

      8KB

      MD5

      c7b70f8aac5ab024ab6f8de1b13be582

      SHA1

      f7809a7bb3081a80d4221ba441cf26d7e6bb44dd

      SHA256

      4b8aa15dacfc8ae7035d4ffb57ed34da6690e74ab729f3b86d08da768051ebab

      SHA512

      1974635a63cc6db47be7050bfba31965654e2315f9b09e7578b0ee5bbecc9dc8cf350cc8cb70c69071a001f72da7202383570ab24a959f94e8893731d29919bd

      Download Submit

    • C:\ProgramData\Package Cache\9ADE54D322BE27BFF05D5AFEC8ED44F9B2D9306E\VC_redist.x64.exe
      Filesize

      4.1MB

      MD5

      34dfc8ff6692708c2d61e7cc0bad4d18

      SHA1

      3b0c6cd36e6e07527f0a202bbb86b1e55549772f

      SHA256

      ef0418d47328e465d4d9bbbf2ceff49d8f4bfc44ab5e9a5457a91f7d21cdce11

      SHA512

      ef6bb4f1a17764122e67f2374e6119d9a56406fe1d8b7f9d2856166dfc2d67b43c9d16e0ebbb8ee4312dbd1e365ef595fc8b40d4367e222883ebfd8acfa5bbbc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Hatch_20240223121258_001_Hatch_1.9.3_x64.msi.log
      Filesize

      44KB

      MD5

      0e90dd94a72713a70f494ab745959246

      SHA1

      f3ab1af581be26ddd6800388874c4e91fc0f0144

      SHA256

      6c6ef55ace3b80bacf95067c96684fa198b57cafef2881a908078ee812f737d7

      SHA512

      9fbf82e310c795b62ca691b6f72421ab1a9fea0852e4d0adfc42c6b92cf560c4efe4a6e04bf92452ebc3bc0538340d24f68fed441fd6ee6d20d3f50266ed81bd

      Download Submit

    • C:\Windows\Temp\{7A6510E2-5A8F-4320-B475-A2AC2CD31C0E}\.ba\logo.png
      Filesize

      1KB

      MD5

      d6bd210f227442b3362493d046cea233

      SHA1

      ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

      SHA256

      335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

      SHA512

      464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

      Download Submit

    • C:\Windows\Temp\{7A6510E2-5A8F-4320-B475-A2AC2CD31C0E}\.ba\wixstdba.dll
      Filesize

      191KB

      MD5

      eab9caf4277829abdf6223ec1efa0edd

      SHA1

      74862ecf349a9bedd32699f2a7a4e00b4727543d

      SHA256

      a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

      SHA512

      45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

      Download Submit

    • C:\Windows\Temp\{B47B315D-DEE9-468B-B230-382CF1EDD92A}\.cr\VC_redist.x64.exe
      Filesize

      633KB

      MD5

      60048558e4dfe8710f207f4a6b20b7bf

      SHA1

      bcd0767615e7461f2cd632768b3b88ef1f629397

      SHA256

      7f9f4c81187317e5331c36cd4800449ec6118a76fa60e7307d2ab3ddf1761371

      SHA512

      d90ba1ec137072a1664c9a8ef3e60577d7b816eda6d48188236c6a886b8c8715cae4a844a3fe13911cfb43c65dc22119887380480ddd2fd6bc4014b157086bf6

      Download Submit

    • C:\Windows\Temp\{E8D03B29-7E18-4EC8-94D7-7147B7D32ADF}\.cr\Hatch-1.9.3.exe
      Filesize

      556KB

      MD5

      4c2345b8880621f4912275972806cb53

      SHA1

      44913a723080defd1f9d52ed4d367af0dd26460e

      SHA256

      9df0138713fb10843eb73e547f0aa91932396329a5fe3f8a3cf1f12eddef5bc3

      SHA512

      daa6172d9bd2076cd79402871b3e3b8c8dd2b62e1b54e386fec892a961a1afdd16222d003e8c2777c98bec4593fac385974d1e69f86f4bf0733bd97556415f7d

      Download Submit

    • C:\Windows\Temp\{E8D03B29-7E18-4EC8-94D7-7147B7D32ADF}\.cr\Hatch-1.9.3.exe
      Filesize

      505KB

      MD5

      a5fe80a135deb7ce57fe25261f7c54d3

      SHA1

      5c655b061c0383fffa54cfd849e1ae446a416956

      SHA256

      5a473a85b3ed2bc38777a61494f39e324a907a27a975fbd6ffa2fcf1d0a59045

      SHA512

      94c5b87a5b80247fc4836cb2b1f5e6209b9a9ac812e7aedc637c5b7cdcac40ed2cbedab7ce24957925a71fc6a82f7f9fabedf89acecd23f1960f70fc52ce21c6

      Download Submit

    • C:\Windows\Temp\{F996373E-3D10-4BD4-92AD-21F7A3268485}\.ba\logo.png
      Filesize

      852B

      MD5

      8346e21859a269dccf1e408dc7593cca

      SHA1

      239f10674bf6022854c1f1bf7c91955bde34d3e4

      SHA256

      cd2e8ed1fbb308d9d166f49794d323a9b22efba1033cdf906d1f4b030319e01b

      SHA512

      de9a54e7067fe4feade10f48d7c2bb4169f50efa0b06d3310421376690712af4d55dbc24dc5accc5013379b11abb59cc8c85896fe9f2a7c6a7ea2e28f6feac9f

      Download Submit

    • C:\Windows\Temp\{F996373E-3D10-4BD4-92AD-21F7A3268485}\.ba\wixstdba.dll
      Filesize

      184KB

      MD5

      fe7e0bd53f52e6630473c31299a49fdd

      SHA1

      f706f45768bfb95f4c96dfa0be36df57aa863898

      SHA256

      2bea14d70943a42d344e09b7c9de5562fa7e109946e1c615dd584da30d06cc80

      SHA512

      feed48286b1e182996a3664f0facdf42aae3692d3d938ea004350c85764db7a0bea996dfddf7a77149c0d4b8b776fb544e8b1ce5e9944086a5b1ed6a8a239a3c

      Download Submit

    • C:\Windows\Temp\{F996373E-3D10-4BD4-92AD-21F7A3268485}\Hatch_1.9.3_x64.msi
      Filesize

      2.0MB

      MD5

      14dcbccc567e9df2fdf55e8318d6d40d

      SHA1

      7932d810151f219f14412e8903887446edeb24a5

      SHA256

      0f31f9b776ea8b3cdb4b34188d257e62242f7a5bcb9503155d66620fe643bcae

      SHA512

      5e7dec4f8f3b7f604ebc8e9879d8b870854e80a95a81d9978f20d34c8f036133600e95ab717a55a57737794ecc31735d123a0d6c37436a970c863a34b3272707

      Download Submit

    • C:\Windows\Temp\{F996373E-3D10-4BD4-92AD-21F7A3268485}\VC_redist.x64.exe
      Filesize

      5.2MB

      MD5

      a53b03df6754148a87cfb186ba220940

      SHA1

      0dea437441ce35c38ce466cc7b7bedef1b256039

      SHA256

      645651c4f8c1e7b5f9733830f79093574acb4222ba6bc74388c174bb8c577b81

      SHA512

      d2a9ff4b0471de6d431b260163a18d2284361ca491338d3092732cd1b9a576f1e222148b570f8a834b9ea0513b9cc5f1deedbff944a4b3e043f6c0cff5675745

      Download Submit

    • memory/2044-20-0x0000025F00B30000-0x0000025F00B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2044-31-0x0000025F00B30000-0x0000025F00B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2044-30-0x0000025F00B30000-0x0000025F00B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2044-29-0x0000025F00B30000-0x0000025F00B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2044-28-0x0000025F00B30000-0x0000025F00B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2044-27-0x0000025F00B30000-0x0000025F00B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2044-26-0x0000025F00B30000-0x0000025F00B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2044-25-0x0000025F00B30000-0x0000025F00B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2044-21-0x0000025F00B30000-0x0000025F00B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2044-19-0x0000025F00B30000-0x0000025F00B31000-memory.dmp

      Filesize

      4KB

      Download