29de3cddc044be07419d6916d02d6dbe8e1db1454cd9e48435f09159569aa2c4

Analysis

max time kernel
150s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 01:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

29de3cddc044be07419d6916d02d6dbe8e1db1454cd9e48435f09159569aa2c4.exe
Size

100KB
MD5

997e1b7f76b7ecbd670b510ebee4dea5
SHA1

1066f8883539fb8c068117faf037d57071dafced
SHA256

29de3cddc044be07419d6916d02d6dbe8e1db1454cd9e48435f09159569aa2c4
SHA512

7e0b1a14cdef05607b3ab2e66b6fc8c47bb291e162bd7b9326343235a620b8be4e4e6be2b61382cd73a74ce26d13199587ce3ad1e4bb918d150360ff50f106ce
SSDEEP

1536:Q3S5c/79p4BNRXAEwqScgDz0Bg2PDXJRde/S9FMYVwt+QaMxS+XjLlm:AL4zDfDXJVa+sS+3s

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	29de3cddc044be07419d6916d02d6dbe8e1db1454cd9e48435f09159569aa2c4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	souoti.exe

Executes dropped EXE 1 IoCs

pid	Process
960	souoti.exe

Loads dropped DLL 2 IoCs

pid	Process
1848	29de3cddc044be07419d6916d02d6dbe8e1db1454cd9e48435f09159569aa2c4.exe
1848	29de3cddc044be07419d6916d02d6dbe8e1db1454cd9e48435f09159569aa2c4.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /f"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /e"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /s"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /i"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /n"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /z"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /y"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /v"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /j"	souoti.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	29de3cddc044be07419d6916d02d6dbe8e1db1454cd9e48435f09159569aa2c4.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /l"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /x"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /c"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /w"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /g"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /m"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /k"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /r"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /p"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /v"	29de3cddc044be07419d6916d02d6dbe8e1db1454cd9e48435f09159569aa2c4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /a"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /q"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /u"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /h"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /o"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /d"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /b"	souoti.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souoti = "C:\\Users\\Admin\\souoti.exe /t"	souoti.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1848	29de3cddc044be07419d6916d02d6dbe8e1db1454cd9e48435f09159569aa2c4.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe
960	souoti.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1848	29de3cddc044be07419d6916d02d6dbe8e1db1454cd9e48435f09159569aa2c4.exe
960	souoti.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 960	1848	29de3cddc044be07419d6916d02d6dbe8e1db1454cd9e48435f09159569aa2c4.exe	28
PID 1848 wrote to memory of 960	1848	29de3cddc044be07419d6916d02d6dbe8e1db1454cd9e48435f09159569aa2c4.exe	28
PID 1848 wrote to memory of 960	1848	29de3cddc044be07419d6916d02d6dbe8e1db1454cd9e48435f09159569aa2c4.exe	28
PID 1848 wrote to memory of 960	1848	29de3cddc044be07419d6916d02d6dbe8e1db1454cd9e48435f09159569aa2c4.exe	28

C:\Users\Admin\AppData\Local\Temp\29de3cddc044be07419d6916d02d6dbe8e1db1454cd9e48435f09159569aa2c4.exe
"C:\Users\Admin\AppData\Local\Temp\29de3cddc044be07419d6916d02d6dbe8e1db1454cd9e48435f09159569aa2c4.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\souoti.exe
  "C:\Users\Admin\souoti.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\souoti.exe

Filesize
100KB

MD5
811e77cdebf51668f52525bedf039349

SHA1
5c2da577b5b05dd21c61e4a62365dc0bb70491e5

SHA256
c63ec3dc6f30f73053cf07e4d579f5a5e3cdf4c659781945015fb31987d5619d

SHA512
f86e043aae006bb0ca9c35df9404c2d7366813da859e470dd7c8cd3326045cba97cd2efe148089d95f2cd022dbf88e46e881113595a18c9919a7d754e0a49cd7

Download Submit
C:\Users\Admin\souoti.exe

Filesize
100KB

MD5
811e77cdebf51668f52525bedf039349

SHA1
5c2da577b5b05dd21c61e4a62365dc0bb70491e5

SHA256
c63ec3dc6f30f73053cf07e4d579f5a5e3cdf4c659781945015fb31987d5619d

SHA512
f86e043aae006bb0ca9c35df9404c2d7366813da859e470dd7c8cd3326045cba97cd2efe148089d95f2cd022dbf88e46e881113595a18c9919a7d754e0a49cd7

Download Submit
\Users\Admin\souoti.exe

Filesize
100KB

MD5
811e77cdebf51668f52525bedf039349

SHA1
5c2da577b5b05dd21c61e4a62365dc0bb70491e5

SHA256
c63ec3dc6f30f73053cf07e4d579f5a5e3cdf4c659781945015fb31987d5619d

SHA512
f86e043aae006bb0ca9c35df9404c2d7366813da859e470dd7c8cd3326045cba97cd2efe148089d95f2cd022dbf88e46e881113595a18c9919a7d754e0a49cd7

Download Submit
\Users\Admin\souoti.exe

Filesize
100KB

MD5
811e77cdebf51668f52525bedf039349

SHA1
5c2da577b5b05dd21c61e4a62365dc0bb70491e5

SHA256
c63ec3dc6f30f73053cf07e4d579f5a5e3cdf4c659781945015fb31987d5619d

SHA512
f86e043aae006bb0ca9c35df9404c2d7366813da859e470dd7c8cd3326045cba97cd2efe148089d95f2cd022dbf88e46e881113595a18c9919a7d754e0a49cd7

Download Submit
memory/1848-56-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download