73043e50ea3214c7efef0d58cfdace6a80fc4e2ef604201afb00fa1078c8b1fe

Analysis

max time kernel
151s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73043e50ea3214c7efef0d58cfdace6a80fc4e2ef604201afb00fa1078c8b1fe.exe
Size

156KB
MD5

67b9e5cc88def4a5fe8969dc2e57c760
SHA1

647614d75cfc68e398765dc0e079b6f09158159c
SHA256

73043e50ea3214c7efef0d58cfdace6a80fc4e2ef604201afb00fa1078c8b1fe
SHA512

7b6418764d271b129177799970637cea7c4f6d3355521e5732361c25a82a0edc546c184edd2fdc25b322b6315fb2fc98aac5a1f5a189d097a8b0e9c7212aa778
SSDEEP

1536:wCkumpuY0UBU8gRDGHPOGMmUbaxGAka+t/K9rCGaV9mw7Jqx8M+dzAb2QgRVt:UpuY0ya4UbaxqkCGaVD7JqfKAbHot

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	waokaiw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	73043e50ea3214c7efef0d58cfdace6a80fc4e2ef604201afb00fa1078c8b1fe.exe

Executes dropped EXE 1 IoCs

pid	Process
4456	waokaiw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	73043e50ea3214c7efef0d58cfdace6a80fc4e2ef604201afb00fa1078c8b1fe.exe

Adds Run key to start application 2 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /G"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /j"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /n"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /A"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /d"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /P"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /W"	waokaiw.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /O"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /X"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /m"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /C"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /E"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /v"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /s"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /B"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /S"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /N"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /I"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /M"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /f"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /T"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /q"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /H"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /Y"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /u"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /R"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /x"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /e"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /J"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /Z"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /p"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /z"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /h"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /b"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /c"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /f"	73043e50ea3214c7efef0d58cfdace6a80fc4e2ef604201afb00fa1078c8b1fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /o"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /Q"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /a"	waokaiw.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	73043e50ea3214c7efef0d58cfdace6a80fc4e2ef604201afb00fa1078c8b1fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /U"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /F"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /y"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /t"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /g"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /r"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /w"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /V"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /l"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /k"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /L"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /i"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /K"	waokaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\waokaiw = "C:\\Users\\Admin\\waokaiw.exe /D"	waokaiw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1776	73043e50ea3214c7efef0d58cfdace6a80fc4e2ef604201afb00fa1078c8b1fe.exe
1776	73043e50ea3214c7efef0d58cfdace6a80fc4e2ef604201afb00fa1078c8b1fe.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe
4456	waokaiw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1776	73043e50ea3214c7efef0d58cfdace6a80fc4e2ef604201afb00fa1078c8b1fe.exe
4456	waokaiw.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 4456	1776	73043e50ea3214c7efef0d58cfdace6a80fc4e2ef604201afb00fa1078c8b1fe.exe	83
PID 1776 wrote to memory of 4456	1776	73043e50ea3214c7efef0d58cfdace6a80fc4e2ef604201afb00fa1078c8b1fe.exe	83
PID 1776 wrote to memory of 4456	1776	73043e50ea3214c7efef0d58cfdace6a80fc4e2ef604201afb00fa1078c8b1fe.exe	83

C:\Users\Admin\AppData\Local\Temp\73043e50ea3214c7efef0d58cfdace6a80fc4e2ef604201afb00fa1078c8b1fe.exe
"C:\Users\Admin\AppData\Local\Temp\73043e50ea3214c7efef0d58cfdace6a80fc4e2ef604201afb00fa1078c8b1fe.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\waokaiw.exe
  "C:\Users\Admin\waokaiw.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\waokaiw.exe

Filesize
156KB

MD5
e76f09d21e21277876f5ce66ed0a55eb

SHA1
87f9156b703c50668a91114fb252d226fb8e0fd4

SHA256
767dfc4dee4e24179a110dcb32ced5022ff9c829a4cb1e17695a6ddeb563a20a

SHA512
665951e853b1ed3895230183afaeb8dc2f3804043ba99c5265f9b4f8acb31dc49b0d7646ce57fdf774af588194ef51c69f6f6ebf42a6f18e13a5bf783a421275

Download Submit
C:\Users\Admin\waokaiw.exe

Filesize
156KB

MD5
e76f09d21e21277876f5ce66ed0a55eb

SHA1
87f9156b703c50668a91114fb252d226fb8e0fd4

SHA256
767dfc4dee4e24179a110dcb32ced5022ff9c829a4cb1e17695a6ddeb563a20a

SHA512
665951e853b1ed3895230183afaeb8dc2f3804043ba99c5265f9b4f8acb31dc49b0d7646ce57fdf774af588194ef51c69f6f6ebf42a6f18e13a5bf783a421275

Download Submit