f9e7455f26cbc648d14a2f0e56ce2705857105cfda15c668dba154f140022939

Analysis

max time kernel
148s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 06:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f9e7455f26cbc648d14a2f0e56ce2705857105cfda15c668dba154f140022939.exe
Size

72KB
MD5

7179396692c4becba527c3b229cd50c0
SHA1

de0aaed8ac4ca1ccad0be118c13fed3797e0dce0
SHA256

f9e7455f26cbc648d14a2f0e56ce2705857105cfda15c668dba154f140022939
SHA512

b0054771b21fbdc2f5d2f072f3d784334a49b16e8c4e1515e3d02c631bb8a375a4c6eaac45ab5f7b5ad2a6bab16cb6477a9828c01ccb8906843e45e56c94abf5
SSDEEP

768:/EsEiQXA5RbtFmY7qDoGTNL/w/KkXh7pdelKPM5u4VqrMZWXAKffTeffUW7EgZAA:/tjFmkqDFNLIKc0u4VqrMZWXABAdiP

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	puogoo.exe

Executes dropped EXE 1 IoCs

pid	Process
1168	puogoo.exe

Loads dropped DLL 2 IoCs

pid	Process
1516	f9e7455f26cbc648d14a2f0e56ce2705857105cfda15c668dba154f140022939.exe
1516	f9e7455f26cbc648d14a2f0e56ce2705857105cfda15c668dba154f140022939.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\puogoo = "C:\\Users\\Admin\\puogoo.exe"	puogoo.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	puogoo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe
1168	puogoo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1516	f9e7455f26cbc648d14a2f0e56ce2705857105cfda15c668dba154f140022939.exe
1168	puogoo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1168	1516	f9e7455f26cbc648d14a2f0e56ce2705857105cfda15c668dba154f140022939.exe	27
PID 1516 wrote to memory of 1168	1516	f9e7455f26cbc648d14a2f0e56ce2705857105cfda15c668dba154f140022939.exe	27
PID 1516 wrote to memory of 1168	1516	f9e7455f26cbc648d14a2f0e56ce2705857105cfda15c668dba154f140022939.exe	27
PID 1516 wrote to memory of 1168	1516	f9e7455f26cbc648d14a2f0e56ce2705857105cfda15c668dba154f140022939.exe	27
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26
PID 1168 wrote to memory of 1516	1168	puogoo.exe	26

C:\Users\Admin\AppData\Local\Temp\f9e7455f26cbc648d14a2f0e56ce2705857105cfda15c668dba154f140022939.exe
"C:\Users\Admin\AppData\Local\Temp\f9e7455f26cbc648d14a2f0e56ce2705857105cfda15c668dba154f140022939.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\puogoo.exe
  "C:\Users\Admin\puogoo.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\puogoo.exe

Filesize
72KB

MD5
e6f74d4b03e8de41404030f2e3a100e9

SHA1
8c18a3d1dea875e3ae2da074e3e04f7119bb5f34

SHA256
3a1fa9750e590b9a3eb4191ff23a361abb0fb0574d21a0942c00b3d0b3f552a0

SHA512
0ba98dccced411d716d1fd63748d33742c291544ddae5bdc2e8499598e0153b73b1c2305e8db52126c3bc14e7dba6db00568cfd45e55a47f2393a3133ade5817

Download Submit
C:\Users\Admin\puogoo.exe

Filesize
72KB

MD5
e6f74d4b03e8de41404030f2e3a100e9

SHA1
8c18a3d1dea875e3ae2da074e3e04f7119bb5f34

SHA256
3a1fa9750e590b9a3eb4191ff23a361abb0fb0574d21a0942c00b3d0b3f552a0

SHA512
0ba98dccced411d716d1fd63748d33742c291544ddae5bdc2e8499598e0153b73b1c2305e8db52126c3bc14e7dba6db00568cfd45e55a47f2393a3133ade5817

Download Submit
\Users\Admin\puogoo.exe

Filesize
72KB

MD5
e6f74d4b03e8de41404030f2e3a100e9

SHA1
8c18a3d1dea875e3ae2da074e3e04f7119bb5f34

SHA256
3a1fa9750e590b9a3eb4191ff23a361abb0fb0574d21a0942c00b3d0b3f552a0

SHA512
0ba98dccced411d716d1fd63748d33742c291544ddae5bdc2e8499598e0153b73b1c2305e8db52126c3bc14e7dba6db00568cfd45e55a47f2393a3133ade5817

Download Submit
\Users\Admin\puogoo.exe

Filesize
72KB

MD5
e6f74d4b03e8de41404030f2e3a100e9

SHA1
8c18a3d1dea875e3ae2da074e3e04f7119bb5f34

SHA256
3a1fa9750e590b9a3eb4191ff23a361abb0fb0574d21a0942c00b3d0b3f552a0

SHA512
0ba98dccced411d716d1fd63748d33742c291544ddae5bdc2e8499598e0153b73b1c2305e8db52126c3bc14e7dba6db00568cfd45e55a47f2393a3133ade5817

Download Submit
memory/1516-56-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download