Analysis
-
max time kernel
55s -
max time network
53s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
28-04-2024 10:14
General
-
Target
hairtist.exe
-
Size
4.8MB
-
MD5
8bdb368fe2ccdd70d3f0f4fe1b69b080
-
SHA1
ea6f62f0aa53c921d579e1c50fcf2f68e2b2dbf1
-
SHA256
91b861cdf4a5f60b3d40b48e9357fc8e586f203022d22345764be5035e2fe724
-
SHA512
0ba49b2cc9f5615eadb18fdbcb319bc4191b9e56817814dd8ec279d7c7eb592e7f42e6054f4eed6a09763bbd74df802188fa2a84d9a1542b1df233de5c511cd6
-
SSDEEP
98304:3y3Raqqrq5TliunkEY4W4GuY2j3TrVkomgsCuf9R624jTqekgjyVKRj1h:ovllFkE5VlTPKpgsCuf16qe3xb
Score
9/10
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\hairtist.exe"C:\Users\Admin\AppData\Local\Temp\hairtist.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\hairtist.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\hairtist.exe" MD53⤵
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout /t 54⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3564-0-0x0000000140000000-0x0000000140C11000-memory.dmpFilesize
12.1MB
-
memory/3564-1-0x00007FFA847F0000-0x00007FFA849E5000-memory.dmpFilesize
2.0MB
-
memory/3564-2-0x0000000140000000-0x0000000140C11000-memory.dmpFilesize
12.1MB
-
memory/3564-3-0x0000000140000000-0x0000000140C11000-memory.dmpFilesize
12.1MB
-
memory/3564-4-0x0000000140000000-0x0000000140C11000-memory.dmpFilesize
12.1MB
-
memory/3564-6-0x0000000140000000-0x0000000140C11000-memory.dmpFilesize
12.1MB
-
memory/3564-7-0x0000000140000000-0x0000000140C11000-memory.dmpFilesize
12.1MB
-
memory/3564-8-0x00007FFA847F0000-0x00007FFA849E5000-memory.dmpFilesize
2.0MB