Analysis

max time kernel: 153s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2022, 00:51
Static task: static1

Behavioral task: behavioral1
  Sample: 397bf70b55224927505a71070669dad2190d4a897e0d9852c769927d2b77ffd1.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 397bf70b55224927505a71070669dad2190d4a897e0d9852c769927d2b77ffd1.exe
  Resource: win10v2004-20220901-en
General

Target: 397bf70b55224927505a71070669dad2190d4a897e0d9852c769927d2b77ffd1.exe
Size: 228KB
MD5: 6dd4f6fc9408bda3ab46f40236652fc9
SHA1: b814e6375f343c3ed2193a8d1b927ebdc09ced35
SHA256: 397bf70b55224927505a71070669dad2190d4a897e0d9852c769927d2b77ffd1
SHA512: 8558fcd6b8785a803b079be2f2a02739730a7cf64a6da8d6ce88cc73ea89d008f0a015bb4966baff727b2f365f8f71b457b56cabeb0147be7806843aa8f397b0
SSDEEP: 6144:hGtFwzWQTi2+OMcppIRW30d+h8wZ2Uf/T11cradKtvr1K/fObT/bGipKgJJeZ4c7:OFwrKOMcppIRW3M+hwUf/Z1craduvr1K
Malware Config

Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Both the sample and its dropped copy set ShowSuperHidden to 0, the setting behind Explorer's "Hide protected operating system files" option, so files carrying the Hidden and System attributes stay invisible to the user.
  Set value (int)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  process: 397bf70b55224927505a71070669dad2190d4a897e0d9852c769927d2b77ffd1.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  process: tiufoul.exe
Executes dropped EXE (1 IoC)
  PID 3328  tiufoul.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  process: 397bf70b55224927505a71070669dad2190d4a897e0d9852c769927d2b77ffd1.exe
Adds Run key to start application (2 TTPs, 55 IoCs)
All 55 rows touch the same per-user Run key and the same value name, so they are summarised by writer instead of repeated row by row:
  Key created      \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\  process: tiufoul.exe
  Key created      \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\  process: 397bf70b55224927505a71070669dad2190d4a897e0d9852c769927d2b77ffd1.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiufoul = "C:\\Users\\Admin\\tiufoul.exe /b"  process: 397bf70b55224927505a71070669dad2190d4a897e0d9852c769927d2b77ffd1.exe  (1 write)
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiufoul = "C:\\Users\\Admin\\tiufoul.exe /<switch>"  process: tiufoul.exe  (52 writes)
    <switch>, in the order the writes appear: s O v n N f t M B I H u F x m w C b X j G Q T k g i y K P R V U l Z Y o c L E W a J d S p z q D r e h A
    Those 52 switches are every lower-case and every upper-case ASCII letter, each used exactly once; the image path in the value data is always C:\Users\Admin\tiufoul.exe.
Enumerates physical storage devices (1 TTPs; no IoC rows listed)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2160  397bf70b55224927505a71070669dad2190d4a897e0d9852c769927d2b77ffd1.exe  (2 hits)
  PID 3328  tiufoul.exe  (62 hits)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2160  397bf70b55224927505a71070669dad2190d4a897e0d9852c769927d2b77ffd1.exe
  PID 3328  tiufoul.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2160 (397bf70b55224927505a71070669dad2190d4a897e0d9852c769927d2b77ffd1.exe) wrote to memory of PID 3328 (tiufoul.exe), procid_target 87  (3 identical rows)
  All three writes target the child the sample itself launched; no write into a process outside this tree is recorded.
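The three registry signatures above (ShowSuperHidden forced to 0, the Run-key persistence with its rotating switch, and the Geo\Nation lookup) are printed as flattened rows. The script below is an added example, not part of the sandbox report or of the vendor's own detection logic: it parses rows in this report's format into records and applies one hunting rule per signature. The sample rows are copied from the report (a subset of the 55 Run-key rows); the rule names and the "image sits directly under a user-profile root" heuristic are this example's assumptions.

```python
"""Hunt over sandbox-style registry IoC rows.

Added example (not the report's or the sandbox vendor's code). Sample rows are
copied from the report above; rule names and the profile-root heuristic are
this example's assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Rows exactly as the report prints them (backslashes in value data are doubled).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 397bf70b55224927505a71070669dad2190d4a897e0d9852c769927d2b77ffd1.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" tiufoul.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 397bf70b55224927505a71070669dad2190d4a897e0d9852c769927d2b77ffd1.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ tiufoul.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiufoul = "C:\\Users\\Admin\\tiufoul.exe /s" tiufoul.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiufoul = "C:\\Users\\Admin\\tiufoul.exe /O" tiufoul.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiufoul = "C:\\Users\\Admin\\tiufoul.exe /v" tiufoul.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiufoul = "C:\\Users\\Admin\\tiufoul.exe /b" 397bf70b55224927505a71070669dad2190d4a897e0d9852c769927d2b77ffd1.exe',
]

# '<op> <registry path>[ = "<data>"] <process>'. The op strings are the report's
# own; the path is matched lazily so it may contain spaces ("Control Panel")
# while the trailing process name must be a single token ending in .exe.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key value queried|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s*=\s*"(?P<data>[^"]*)")?'
    r'\s+(?P<process>\S+\.exe)$'
)
# Run-key data 'C:\dir\image.exe args': the image is the text up to the first ".exe".
CMD_RE = re.compile(r'^"?(?P<image>.+?\.exe)"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)
# Image placed directly in a user profile root, e.g. C:\Users\Admin\tiufoul.exe
USER_ROOT_EXE = re.compile(r'^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$', re.IGNORECASE)


@dataclass(frozen=True)
class Ioc:
    op: str        # report operation, e.g. "Set value (str)"
    key: str       # registry key path
    value: str     # value name, "" for key-level operations
    data: str      # value data with the doubled backslashes undone
    process: str   # process that performed the operation


def parse_rows(rows):
    """Turn report rows into Ioc records; rows that do not fit the format are skipped."""
    out = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        op, path = m.group('op'), m.group('path')
        if op == 'Key created':
            key, value = path.rstrip('\\'), ''
        else:
            key, _, value = path.rpartition('\\')
        data = (m.group('data') or '').replace('\\\\', '\\')
        out.append(Ioc(op, key, value, data, m.group('process')))
    return out


def evaluate(iocs):
    """Apply one rule per signature in the report; returns {rule: [Ioc, ...]}."""
    hits = defaultdict(list)
    for i in iocs:
        key = i.key.lower()
        # Explorer stops showing Hidden+System files when ShowSuperHidden is 0.
        if (i.op == 'Set value (int)' and key.endswith(r'\explorer\advanced')
                and i.value.lower() == 'showsuperhidden' and i.data == '0'):
            hits['explorer_hides_super_hidden'].append(i)
        # Country-code lookup commonly used to gate execution by region.
        if (i.op == 'Key value queried'
                and key.endswith(r'\control panel\international\geo')
                and i.value.lower() == 'nation'):
            hits['geo_nation_query'].append(i)
        # Run-key persistence whose image lives directly in the profile root.
        if i.op.startswith('Set value') and key.endswith(r'\currentversion\run'):
            cmd = CMD_RE.match(i.data)
            if cmd and USER_ROOT_EXE.match(cmd.group('image')):
                hits['run_key_user_root_exe'].append(i)
    return dict(hits)


def run_switches(iocs):
    """Map each process that wrote a Run value to the sorted switches it used."""
    seen = defaultdict(set)
    for i in iocs:
        if i.op.startswith('Set value') and i.key.lower().endswith(r'\currentversion\run'):
            cmd = CMD_RE.match(i.data)
            if cmd and cmd.group('args'):
                seen[i.process].add(cmd.group('args'))
    return {proc: sorted(args) for proc, args in seen.items()}


if __name__ == '__main__':
    iocs = parse_rows(SAMPLE_ROWS)
    for rule, rows in evaluate(iocs).items():
        print(f'{rule}: {len(rows)} row(s) from {sorted({r.process for r in rows})}')
    print('Run-key switches by writer:', run_switches(iocs))
```

Fed all 55 Run-key rows from the report, run_switches() returns every lower- and upper-case letter for tiufoul.exe and a lone /b for the parent, which is the pattern the table shows. The profile-root heuristic also fires on legitimate software that installs itself under C:\Users\<name>\, so treat that rule as a triage signal to be combined with the ShowSuperHidden and Geo\Nation hits rather than as a verdict on its own.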
Processes

C:\Users\Admin\AppData\Local\Temp\397bf70b55224927505a71070669dad2190d4a897e0d9852c769927d2b77ffd1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\397bf70b55224927505a71070669dad2190d4a897e0d9852c769927d2b77ffd1.exe"
  PID: 2160 (depth 1)
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\tiufoul.exe
    command line: "C:\Users\Admin\tiufoul.exe"
    PID: 3328 (depth 2, child of PID 2160)
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v6
Downloads

File (228KB; the same size as the submitted sample, but with different hashes)
MD5: 48678685ffb8c94005c16152e367dbe2
SHA1: 11381a43be1eec2a8e360c042f8fb42a9cbb78b8
SHA256: 34488e3eef3ed76662d0f0687a60e0dd7e2a2ee49160e9877cf21c2ed10fef67
SHA512: ee38bddad13dcbf77388fded6a60db43f37f06aad91ee0c10eece4879b8fc32b6b4b23a64145e8efa352ccdfc17cf07bcc5a82e29bdef7d693346d06150c5086