6a07a50a8246f502cc6130118fff6d79904e0bf4da52908cf24163e438c9133e

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a07a50a8246f502cc6130118fff6d79904e0bf4da52908cf24163e438c9133e.exe
Size

80KB
MD5

627dd49873ed6be09a82af987a00cbb0
SHA1

bbcf3805374046a6d14c62e1b27056ab950a02f9
SHA256

6a07a50a8246f502cc6130118fff6d79904e0bf4da52908cf24163e438c9133e
SHA512

893336c000dc7ae0e0d35dc91aea68b901cdf5d06c7d21ab728e0e6017855bac6397c22a47c68f6d4bd0c7e8713661a065df9f7ca4afbcf6df4f305ed865cfb2
SSDEEP

1536:TW7wLCvKGlTGQxguIxZTATocTzFJ0T72Vpkc:aoCvrKxZ8BTzFJ0T72wc

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	6a07a50a8246f502cc6130118fff6d79904e0bf4da52908cf24163e438c9133e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vuifob.exe

Executes dropped EXE 1 IoCs

pid	Process
1636	vuifob.exe

Loads dropped DLL 2 IoCs

pid	Process
1988	6a07a50a8246f502cc6130118fff6d79904e0bf4da52908cf24163e438c9133e.exe
1988	6a07a50a8246f502cc6130118fff6d79904e0bf4da52908cf24163e438c9133e.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /c"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /s"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /l"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /p"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /q"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /a"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /k"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /m"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /i"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /e"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /x"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /w"	vuifob.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /d"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /b"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /h"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /u"	vuifob.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	6a07a50a8246f502cc6130118fff6d79904e0bf4da52908cf24163e438c9133e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /v"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /g"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /y"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /t"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /f"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /i"	6a07a50a8246f502cc6130118fff6d79904e0bf4da52908cf24163e438c9133e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /n"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /o"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /j"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /r"	vuifob.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuifob = "C:\\Users\\Admin\\vuifob.exe /z"	vuifob.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1988	6a07a50a8246f502cc6130118fff6d79904e0bf4da52908cf24163e438c9133e.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe
1636	vuifob.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1988	6a07a50a8246f502cc6130118fff6d79904e0bf4da52908cf24163e438c9133e.exe
1636	vuifob.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1636	1988	6a07a50a8246f502cc6130118fff6d79904e0bf4da52908cf24163e438c9133e.exe	27
PID 1988 wrote to memory of 1636	1988	6a07a50a8246f502cc6130118fff6d79904e0bf4da52908cf24163e438c9133e.exe	27
PID 1988 wrote to memory of 1636	1988	6a07a50a8246f502cc6130118fff6d79904e0bf4da52908cf24163e438c9133e.exe	27
PID 1988 wrote to memory of 1636	1988	6a07a50a8246f502cc6130118fff6d79904e0bf4da52908cf24163e438c9133e.exe	27

C:\Users\Admin\AppData\Local\Temp\6a07a50a8246f502cc6130118fff6d79904e0bf4da52908cf24163e438c9133e.exe
"C:\Users\Admin\AppData\Local\Temp\6a07a50a8246f502cc6130118fff6d79904e0bf4da52908cf24163e438c9133e.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\vuifob.exe
  "C:\Users\Admin\vuifob.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vuifob.exe

Filesize
80KB

MD5
10d05f59d97189097632518718c3060a

SHA1
adc8b1c777a50087074b49e6f1d9ffef1b03df92

SHA256
f68d78ec6bbead796e0f80f299112ec5e2a4a4de419cc2d3832b5f9b15acefec

SHA512
7dc1fd0d5448d559b030a8a14ff01fb3aef6451e8c52781b0aa65674543761e3d79669d400812a376ef9a6da8c35b2f882842b969589005079eb7d51a49bda43

Download Submit
C:\Users\Admin\vuifob.exe

Filesize
80KB

MD5
10d05f59d97189097632518718c3060a

SHA1
adc8b1c777a50087074b49e6f1d9ffef1b03df92

SHA256
f68d78ec6bbead796e0f80f299112ec5e2a4a4de419cc2d3832b5f9b15acefec

SHA512
7dc1fd0d5448d559b030a8a14ff01fb3aef6451e8c52781b0aa65674543761e3d79669d400812a376ef9a6da8c35b2f882842b969589005079eb7d51a49bda43

Download Submit
\Users\Admin\vuifob.exe

Filesize
80KB

MD5
10d05f59d97189097632518718c3060a

SHA1
adc8b1c777a50087074b49e6f1d9ffef1b03df92

SHA256
f68d78ec6bbead796e0f80f299112ec5e2a4a4de419cc2d3832b5f9b15acefec

SHA512
7dc1fd0d5448d559b030a8a14ff01fb3aef6451e8c52781b0aa65674543761e3d79669d400812a376ef9a6da8c35b2f882842b969589005079eb7d51a49bda43

Download Submit
\Users\Admin\vuifob.exe

Filesize
80KB

MD5
10d05f59d97189097632518718c3060a

SHA1
adc8b1c777a50087074b49e6f1d9ffef1b03df92

SHA256
f68d78ec6bbead796e0f80f299112ec5e2a4a4de419cc2d3832b5f9b15acefec

SHA512
7dc1fd0d5448d559b030a8a14ff01fb3aef6451e8c52781b0aa65674543761e3d79669d400812a376ef9a6da8c35b2f882842b969589005079eb7d51a49bda43

Download Submit
memory/1988-56-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download