Analysis
-
max time kernel
119s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 12:42
Static task
static1
Behavioral task
behavioral1
Sample
f72833deb487adb65ad79f0c4d2df51ea753f0206af18e8c72fa1916a066ffc9N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f72833deb487adb65ad79f0c4d2df51ea753f0206af18e8c72fa1916a066ffc9N.exe
Resource
win10v2004-20241007-en
General
-
Target
f72833deb487adb65ad79f0c4d2df51ea753f0206af18e8c72fa1916a066ffc9N.exe
-
Size
84KB
-
MD5
dc7b3c0f11fe1f5738b649f9d36782c6
-
SHA1
e2eee284f4e3ac477eadde6b53ccc725b7aacaaa
-
SHA256
8a77240a1437b5c433fd3e79358be8411ffb5422b297641f0a52c0feeb19ef40
-
SHA512
baff6e6adba0e591c91d0bfee1abf78fe69985cd8fa68d9ebff7f8d5a1b1b92f1b32aa6f6677488fd5254137dab89c21ecb67c584fdf3a9f8b67c6358459eb3b
-
SSDEEP
768:sv6nMfqPS4BMSrc8ebdtF5EmpW/p/hxRSH9NxIkL9v/Q6sWTMR2iRw:svgBoZKmpSFhxRSHdL9bsi42iRw
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" huepee.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation f72833deb487adb65ad79f0c4d2df51ea753f0206af18e8c72fa1916a066ffc9N.exe -
Executes dropped EXE 1 IoCs
pid Process 2488 huepee.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\huepee = "C:\\Users\\Admin\\huepee.exe" huepee.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 244 2684 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f72833deb487adb65ad79f0c4d2df51ea753f0206af18e8c72fa1916a066ffc9N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language huepee.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe 2488 huepee.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2684 f72833deb487adb65ad79f0c4d2df51ea753f0206af18e8c72fa1916a066ffc9N.exe 2488 huepee.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2684 wrote to memory of 2488 2684 f72833deb487adb65ad79f0c4d2df51ea753f0206af18e8c72fa1916a066ffc9N.exe 90 PID 2684 wrote to memory of 2488 2684 f72833deb487adb65ad79f0c4d2df51ea753f0206af18e8c72fa1916a066ffc9N.exe 90 PID 2684 wrote to memory of 2488 2684 f72833deb487adb65ad79f0c4d2df51ea753f0206af18e8c72fa1916a066ffc9N.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\f72833deb487adb65ad79f0c4d2df51ea753f0206af18e8c72fa1916a066ffc9N.exe"C:\Users\Admin\AppData\Local\Temp\f72833deb487adb65ad79f0c4d2df51ea753f0206af18e8c72fa1916a066ffc9N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Users\Admin\huepee.exe"C:\Users\Admin\huepee.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2488
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 14722⤵
- Program crash
PID:244
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2684 -ip 26841⤵PID:3408
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
84KB
MD587e5e67c44a6853a3efeec8371c46b12
SHA18b322150827da6c00cc2688c283f0eb66ae7a2e6
SHA25680f4b0b924d8cd3e9966fafb331893a69caf747eadf1c482edea1446c2632fe2
SHA51276bbab3f00ddb9f9ffab8980bc77f98338de6703ea9afbee352f6023ca3ba3cd52c39ef119119353b7e30c8b7ff6edebfe04cb42d83565eee090c4ee644c2c04