Analysis

max time kernel: 55s
max time network: 53s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 10:14

Static task: static1 (1 signature)
Behavioral task: behavioral1 (10 signatures, 150 seconds)
  Sample: hairtist.exe
  Resource: win7-20240221-en (windows7-x64)
General

Target: hairtist.exe
Size: 4.8MB
MD5: 8bdb368fe2ccdd70d3f0f4fe1b69b080
SHA1: ea6f62f0aa53c921d579e1c50fcf2f68e2b2dbf1
SHA256: 91b861cdf4a5f60b3d40b48e9357fc8e586f203022d22345764be5035e2fe724
SHA512: 0ba49b2cc9f5615eadb18fdbcb319bc4191b9e56817814dd8ec279d7c7eb592e7f42e6054f4eed6a09763bbd74df802188fa2a84d9a1542b1df233de5c511cd6
SSDEEP: 98304:3y3Raqqrq5TliunkEY4W4GuY2j3TrVkomgsCuf9R624jTqekgjyVKRj1h:ovllFkE5VlTPKpgsCuf16qe3xb
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 1 IoC
  Processes: hairtist.exe
  IoCs (description / ioc / process):
    Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  hairtist.exe

Checks BIOS information in registry - 2 TTPs, 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: hairtist.exe
  IoCs (description / ioc / process):
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  hairtist.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  hairtist.exe
Checks whether UAC is enabled - 1 IoC
  Processes: hairtist.exe
  IoCs (description / ioc / process):
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  hairtist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger - 1 IoC
  Processes: hairtist.exe
  IoCs (pid / process):
    3564  hairtist.exe

Delays execution with timeout.exe - 1 IoC
  Processes: timeout.exe
  IoCs (pid / process):
    3048  timeout.exe

Suspicious behavior: EnumeratesProcesses - 64 IoCs
  Processes: hairtist.exe
  IoCs (pid / process):
    3564  hairtist.exe  (64 identical entries)

Suspicious behavior: RenamesItself - 1 IoC
  Processes: hairtist.exe
  IoCs (pid / process):
    3564  hairtist.exe

Suspicious use of WriteProcessMemory - 14 IoCs
  Processes: hairtist.exe, cmd.exe, cmd.exe, cmd.exe
  IoCs (description / pid / process / target process), each entry listed twice in the report:
    PID 3564 wrote to memory of 3584  3564  hairtist.exe  cmd.exe
    PID 3584 wrote to memory of 2208  3584  cmd.exe  certutil.exe
    PID 3584 wrote to memory of 4592  3584  cmd.exe  find.exe
    PID 3584 wrote to memory of 3292  3584  cmd.exe  find.exe
    PID 3564 wrote to memory of 3352  3564  hairtist.exe  cmd.exe
    PID 3352 wrote to memory of 4088  3352  cmd.exe  cmd.exe
    PID 4088 wrote to memory of 3048  4088  cmd.exe  timeout.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\hairtist.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hairtist.exe"
    PID: 3564
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\hairtist.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      PID: 3584
      Signatures:
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\certutil.exe
        Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\hairtist.exe" MD5
        PID: 2208

    [3] C:\Windows\system32\find.exe
        Command line: find /i /v "md5"
        PID: 4592

    [3] C:\Windows\system32\find.exe
        Command line: find /i /v "certutil"
        PID: 3292

  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
      PID: 3352
      Signatures:
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\cmd.exe
        Command line: cmd /C "color b && title Error && echo Couldn't resolve host name && timeout /t 5"
        PID: 4088
        Signatures:
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\timeout.exe
          Command line: timeout /t 5
          PID: 3048
          Signatures:
          - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

memory/3564-0-0x0000000140000000-0x0000000140C11000-memory.dmp  Filesize: 12.1MB
memory/3564-1-0x00007FFA847F0000-0x00007FFA849E5000-memory.dmp  Filesize: 2.0MB
memory/3564-2-0x0000000140000000-0x0000000140C11000-memory.dmp  Filesize: 12.1MB
memory/3564-3-0x0000000140000000-0x0000000140C11000-memory.dmp  Filesize: 12.1MB
memory/3564-4-0x0000000140000000-0x0000000140C11000-memory.dmp  Filesize: 12.1MB
memory/3564-6-0x0000000140000000-0x0000000140C11000-memory.dmp  Filesize: 12.1MB
memory/3564-7-0x0000000140000000-0x0000000140C11000-memory.dmp  Filesize: 12.1MB
memory/3564-8-0x00007FFA847F0000-0x00007FFA849E5000-memory.dmp  Filesize: 2.0MB