Analysis
-
max time kernel
152s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
03-10-2022 03:03
Static task
static1
Behavioral task
behavioral1
Sample
227ad5a386d2e09e2d24d5bde2025eca7d2eaa232540da3a26829149aeb82ce5.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
227ad5a386d2e09e2d24d5bde2025eca7d2eaa232540da3a26829149aeb82ce5.exe
Resource
win10v2004-20220901-en
General
-
Target
227ad5a386d2e09e2d24d5bde2025eca7d2eaa232540da3a26829149aeb82ce5.exe
-
Size
260KB
-
MD5
4c3562c2a374248c5911903389304a30
-
SHA1
e0c6d539c710a2e74d0838877008db83a6b82884
-
SHA256
227ad5a386d2e09e2d24d5bde2025eca7d2eaa232540da3a26829149aeb82ce5
-
SHA512
7f4297e4c1ae339ff7d4b86a5caf135248a0754c03e48c13e35164e030f8839718ebf859bb434f9963e930a1674bcb58baf76b0ebc99092c1c13378b46f38008
-
SSDEEP
6144:WdbtGgTSrMaIl/jcLijfHFEHWzXvjT85R:WrTSrMaIqLlI/H85R
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
veqov.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" veqov.exe -
Executes dropped EXE 1 IoCs
Processes:
veqov.exepid process 4856 veqov.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
227ad5a386d2e09e2d24d5bde2025eca7d2eaa232540da3a26829149aeb82ce5.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 227ad5a386d2e09e2d24d5bde2025eca7d2eaa232540da3a26829149aeb82ce5.exe -
Adds Run key to start application 2 TTPs 53 IoCs
Processes:
veqov.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /L" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /C" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /s" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /T" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /n" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /t" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /O" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /o" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /j" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /U" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /u" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /a" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /l" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /S" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /h" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /Z" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /x" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /r" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /p" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /W" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /Y" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /B" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /P" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /F" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /M" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /Q" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /D" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /m" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /R" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /e" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /I" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /q" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /w" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /k" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /y" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /z" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /i" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /b" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /V" veqov.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /G" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /f" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /X" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /g" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /d" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /K" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /E" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /v" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /A" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /N" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /J" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /H" veqov.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veqov = "C:\\Users\\Admin\\veqov.exe /c" veqov.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
veqov.exepid process 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe 4856 veqov.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
227ad5a386d2e09e2d24d5bde2025eca7d2eaa232540da3a26829149aeb82ce5.exeveqov.exepid process 4580 227ad5a386d2e09e2d24d5bde2025eca7d2eaa232540da3a26829149aeb82ce5.exe 4856 veqov.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
227ad5a386d2e09e2d24d5bde2025eca7d2eaa232540da3a26829149aeb82ce5.exedescription pid process target process PID 4580 wrote to memory of 4856 4580 227ad5a386d2e09e2d24d5bde2025eca7d2eaa232540da3a26829149aeb82ce5.exe veqov.exe PID 4580 wrote to memory of 4856 4580 227ad5a386d2e09e2d24d5bde2025eca7d2eaa232540da3a26829149aeb82ce5.exe veqov.exe PID 4580 wrote to memory of 4856 4580 227ad5a386d2e09e2d24d5bde2025eca7d2eaa232540da3a26829149aeb82ce5.exe veqov.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\227ad5a386d2e09e2d24d5bde2025eca7d2eaa232540da3a26829149aeb82ce5.exe"C:\Users\Admin\AppData\Local\Temp\227ad5a386d2e09e2d24d5bde2025eca7d2eaa232540da3a26829149aeb82ce5.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\veqov.exe"C:\Users\Admin\veqov.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\veqov.exeFilesize
260KB
MD5dfe87cad8b4575d2c0cc8b70f89ad7b9
SHA15ea84d1e500def50d22bffc1b272b3b9bb8d6c5c
SHA25679be62cac9920682d034d226a3be9e89c5e1d742d05e09de3bc7f2caae9a7faa
SHA512732989e2bb719f4472f4e210426d4ef21f7de4f93c8b813487a0416cb851e7425920063418468c1e8e9a86054f11c9340062e7636ef49226848cb83cb4281d33
-
C:\Users\Admin\veqov.exeFilesize
260KB
MD5dfe87cad8b4575d2c0cc8b70f89ad7b9
SHA15ea84d1e500def50d22bffc1b272b3b9bb8d6c5c
SHA25679be62cac9920682d034d226a3be9e89c5e1d742d05e09de3bc7f2caae9a7faa
SHA512732989e2bb719f4472f4e210426d4ef21f7de4f93c8b813487a0416cb851e7425920063418468c1e8e9a86054f11c9340062e7636ef49226848cb83cb4281d33
-
memory/4856-134-0x0000000000000000-mapping.dmp