Analysis Overview
SHA256
29f39e6aa97ba01ff59a1359f9d6645f96bed6f6dc84d90fec449ee57b3ad5c3
Threat Level: Known bad
The file 29f39e6aa97ba01ff59a1359f9d6645f96bed6f6dc84d90fec449ee57b3ad5c3.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 18:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 18:58
Reported
2024-11-13 19:00
Platform
win7-20240903-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\juevee.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\juevee.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29f39e6aa97ba01ff59a1359f9d6645f96bed6f6dc84d90fec449ee57b3ad5c3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29f39e6aa97ba01ff59a1359f9d6645f96bed6f6dc84d90fec449ee57b3ad5c3.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\juevee = "C:\\Users\\Admin\\juevee.exe" | C:\Users\Admin\juevee.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\juevee.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\29f39e6aa97ba01ff59a1359f9d6645f96bed6f6dc84d90fec449ee57b3ad5c3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29f39e6aa97ba01ff59a1359f9d6645f96bed6f6dc84d90fec449ee57b3ad5c3.exe | N/A |
| N/A | N/A | C:\Users\Admin\juevee.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\29f39e6aa97ba01ff59a1359f9d6645f96bed6f6dc84d90fec449ee57b3ad5c3.exe
"C:\Users\Admin\AppData\Local\Temp\29f39e6aa97ba01ff59a1359f9d6645f96bed6f6dc84d90fec449ee57b3ad5c3.exe"
C:\Users\Admin\juevee.exe
"C:\Users\Admin\juevee.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ns1.thepicturehut.net | udp |
Files
C:\Users\Admin\juevee.exe
| Hash | Value |
|---|---|
| MD5 | 7425bc397f6df21fc88198d8caecf7a9 |
| SHA1 | a6a512d563bbd0c3de358adddc4c457b4d682d93 |
| SHA256 | 88e73eaea2451d88e143369708324d4f99bb1c409da831285682a0bc9b25a23a |
| SHA512 | 9f35b31f56ae19288b8a242255defcf00be9299750521da574d7727cbbd4dccad9c2c144758429dd4d66539710965e7596a20f26387bd1bc950442aad1f1acfb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 18:58
Reported
2024-11-13 19:00
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
97s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\heiihu.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\29f39e6aa97ba01ff59a1359f9d6645f96bed6f6dc84d90fec449ee57b3ad5c3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\heiihu.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\heiihu = "C:\\Users\\Admin\\heiihu.exe" | C:\Users\Admin\heiihu.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\29f39e6aa97ba01ff59a1359f9d6645f96bed6f6dc84d90fec449ee57b3ad5c3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\heiihu.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\29f39e6aa97ba01ff59a1359f9d6645f96bed6f6dc84d90fec449ee57b3ad5c3.exe | N/A |
| N/A | N/A | C:\Users\Admin\heiihu.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\29f39e6aa97ba01ff59a1359f9d6645f96bed6f6dc84d90fec449ee57b3ad5c3.exe
"C:\Users\Admin\AppData\Local\Temp\29f39e6aa97ba01ff59a1359f9d6645f96bed6f6dc84d90fec449ee57b3ad5c3.exe"
C:\Users\Admin\heiihu.exe
"C:\Users\Admin\heiihu.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns3.thepicturehut.net | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\heiihu.exe
| Hash | Value |
|---|---|
| MD5 | 0cf7f2123334c3747258ebe87047c214 |
| SHA1 | 85f1a8f169eac1db97a752128fe66f0ec14d43b4 |
| SHA256 | d4d0c973860d6fd6dc688d1064e9041f98c535cbb303ae5241add06233716a35 |
| SHA512 | 5e358cf929b8e8b9e89317d25acb877fe07f5447596c3fa3fcebb11f7c4f433b9ab2d38a5a7a17f30f603903c898ecdde7832751116889cd39f83686379d0fcd |