568819faab81a2fe93b7334a510b2af4e92bcbc508b023e663c0fc3eddcb69c4

General

Target

568819faab81a2fe93b7334a510b2af4e92bcbc508b023e663c0fc3eddcb69c4.exe
Size

216KB
MD5

3115f6112c4f835d82a3c843ec894746
SHA1

f1eb8edbc1322529c6dc628b6075c020eca0d7cb
SHA256

568819faab81a2fe93b7334a510b2af4e92bcbc508b023e663c0fc3eddcb69c4
SHA512

53dc2526f02fb87440e666b1d9193639236ebe295499295815ad3bbf3c4f42bf4e6b296f6858d3b464d42a4288d5294ea834eeb1f8de8b6e9e58dfedcae9ec15
SSDEEP

6144:tPhHct9RlyTcbMbgkGq/DrtRo/4COcOu2k5k6WRv7KXqyjEwGE46JxFqDs/e7wMe:FhHc7R/5pjEwGE46JxB

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	568819faab81a2fe93b7334a510b2af4e92bcbc508b023e663c0fc3eddcb69c4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	heekip.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	568819faab81a2fe93b7334a510b2af4e92bcbc508b023e663c0fc3eddcb69c4.exe

Executes dropped EXE 1 IoCs

pid	Process
3816	heekip.exe

Adds Run key to start application 2 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /x"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /f"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /o"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /p"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /v"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /b"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /c"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /d"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /a"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /r"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /i"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /n"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /z"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /m"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /u"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /j"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /w"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /h"	heekip.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heekip = "C:\\Users\\Admin\\heekip.exe /p"	568819faab81a2fe93b7334a510b2af4e92bcbc508b023e663c0fc3eddcb69c4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1100	568819faab81a2fe93b7334a510b2af4e92bcbc508b023e663c0fc3eddcb69c4.exe
1100	568819faab81a2fe93b7334a510b2af4e92bcbc508b023e663c0fc3eddcb69c4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1100	568819faab81a2fe93b7334a510b2af4e92bcbc508b023e663c0fc3eddcb69c4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 3816	1100	568819faab81a2fe93b7334a510b2af4e92bcbc508b023e663c0fc3eddcb69c4.exe	99
PID 1100 wrote to memory of 3816	1100	568819faab81a2fe93b7334a510b2af4e92bcbc508b023e663c0fc3eddcb69c4.exe	99
PID 1100 wrote to memory of 3816	1100	568819faab81a2fe93b7334a510b2af4e92bcbc508b023e663c0fc3eddcb69c4.exe	99

C:\Users\Admin\AppData\Local\Temp\568819faab81a2fe93b7334a510b2af4e92bcbc508b023e663c0fc3eddcb69c4.exe
"C:\Users\Admin\AppData\Local\Temp\568819faab81a2fe93b7334a510b2af4e92bcbc508b023e663c0fc3eddcb69c4.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\heekip.exe
  "C:\Users\Admin\heekip.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4420 --field-trial-handle=2256,i,5035714022000286426,16259316383734940314,262144 --variations-seed-version /prefetch:8
1⤵
PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\heekip.exe

Filesize
216KB

MD5
3876e1b923b576fb2e866270586964dc

SHA1
ca7a0bc571543ef50b365d6040e47651f0a29220

SHA256
a6becd9b05db79818b89d951d1b19117771ed44f32817da1c1034af8d02545ab

SHA512
7035243989b645309295da1d287a6e9773d0176edce57352197059b350af738c16d1ead303f536b02bd2be1403d461424f4b4d1da404198b01fe2dc464844299

Download Submit
memory/1100-2-0x0000000074A00000-0x0000000074A19000-memory.dmp

Filesize
100KB

Download
memory/3816-62-0x00000000735F0000-0x0000000073609000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads