a6456252a3bf90aa424e03324f88a1d7916584336f9ac7812a21631e99fb8e3d

Analysis

max time kernel
153s
max time network
60s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6456252a3bf90aa424e03324f88a1d7916584336f9ac7812a21631e99fb8e3d.exe
Size

152KB
MD5

492f33f6ea403962a69837000859646a
SHA1

0f84f9ebb924e946353b1151b35258ccfbc83dd5
SHA256

a6456252a3bf90aa424e03324f88a1d7916584336f9ac7812a21631e99fb8e3d
SHA512

77e8d24e3872c04bce23349ee5701d59548ac5d11bc58d52c7e34aa5d12caf561ea65169d86101141cf8fc6c89439e0008b9ac208a10307cdd30284b450269b4
SSDEEP

3072:L32IpK9xKA9w2p4QZisLaazNiIIkyyqY4oQZiEZt:L39pKxY+1isuazgfkl/WZ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a6456252a3bf90aa424e03324f88a1d7916584336f9ac7812a21631e99fb8e3d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	caiyoa.exe

Executes dropped EXE 1 IoCs

pid	Process
944	caiyoa.exe

Loads dropped DLL 2 IoCs

pid	Process
1988	a6456252a3bf90aa424e03324f88a1d7916584336f9ac7812a21631e99fb8e3d.exe
1988	a6456252a3bf90aa424e03324f88a1d7916584336f9ac7812a21631e99fb8e3d.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /M"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /v"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /m"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /g"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /T"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /f"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /o"	a6456252a3bf90aa424e03324f88a1d7916584336f9ac7812a21631e99fb8e3d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /J"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /q"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /E"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /o"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /F"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /B"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /G"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /D"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /Q"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /n"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /Y"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /b"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /a"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /U"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /P"	caiyoa.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /R"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /L"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /V"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /C"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /H"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /d"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /y"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /t"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /u"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /s"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /i"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /S"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /N"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /l"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /h"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /Z"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /w"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /I"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /r"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /e"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /A"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /k"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /z"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /j"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /p"	caiyoa.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	a6456252a3bf90aa424e03324f88a1d7916584336f9ac7812a21631e99fb8e3d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /O"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /c"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /K"	caiyoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\caiyoa = "C:\\Users\\Admin\\caiyoa.exe /X"	caiyoa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1988	a6456252a3bf90aa424e03324f88a1d7916584336f9ac7812a21631e99fb8e3d.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe
944	caiyoa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1988	a6456252a3bf90aa424e03324f88a1d7916584336f9ac7812a21631e99fb8e3d.exe
944	caiyoa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 944	1988	a6456252a3bf90aa424e03324f88a1d7916584336f9ac7812a21631e99fb8e3d.exe	28
PID 1988 wrote to memory of 944	1988	a6456252a3bf90aa424e03324f88a1d7916584336f9ac7812a21631e99fb8e3d.exe	28
PID 1988 wrote to memory of 944	1988	a6456252a3bf90aa424e03324f88a1d7916584336f9ac7812a21631e99fb8e3d.exe	28
PID 1988 wrote to memory of 944	1988	a6456252a3bf90aa424e03324f88a1d7916584336f9ac7812a21631e99fb8e3d.exe	28

C:\Users\Admin\AppData\Local\Temp\a6456252a3bf90aa424e03324f88a1d7916584336f9ac7812a21631e99fb8e3d.exe
"C:\Users\Admin\AppData\Local\Temp\a6456252a3bf90aa424e03324f88a1d7916584336f9ac7812a21631e99fb8e3d.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\caiyoa.exe
  "C:\Users\Admin\caiyoa.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\caiyoa.exe

Filesize
152KB

MD5
23802bb5d93e9b2668dbc289c1c32868

SHA1
8643131e6eda41b888ddbecdfa896c71bf59db45

SHA256
ec6451aad717a02744e9ae7a21147731076a0f229ba9ba0a8d37b4a96548a15b

SHA512
b7432b23761a2eb9060c4bd7b57098fdd803126a7f43d8942c133bf7d6cb69b3016f3ca8b4fe14486455701cffd3647e62ee6e159b254da24038ac39f0843f28

Download Submit
C:\Users\Admin\caiyoa.exe

Filesize
152KB

MD5
23802bb5d93e9b2668dbc289c1c32868

SHA1
8643131e6eda41b888ddbecdfa896c71bf59db45

SHA256
ec6451aad717a02744e9ae7a21147731076a0f229ba9ba0a8d37b4a96548a15b

SHA512
b7432b23761a2eb9060c4bd7b57098fdd803126a7f43d8942c133bf7d6cb69b3016f3ca8b4fe14486455701cffd3647e62ee6e159b254da24038ac39f0843f28

Download Submit
\Users\Admin\caiyoa.exe

Filesize
152KB

MD5
23802bb5d93e9b2668dbc289c1c32868

SHA1
8643131e6eda41b888ddbecdfa896c71bf59db45

SHA256
ec6451aad717a02744e9ae7a21147731076a0f229ba9ba0a8d37b4a96548a15b

SHA512
b7432b23761a2eb9060c4bd7b57098fdd803126a7f43d8942c133bf7d6cb69b3016f3ca8b4fe14486455701cffd3647e62ee6e159b254da24038ac39f0843f28

Download Submit
\Users\Admin\caiyoa.exe

Filesize
152KB

MD5
23802bb5d93e9b2668dbc289c1c32868

SHA1
8643131e6eda41b888ddbecdfa896c71bf59db45

SHA256
ec6451aad717a02744e9ae7a21147731076a0f229ba9ba0a8d37b4a96548a15b

SHA512
b7432b23761a2eb9060c4bd7b57098fdd803126a7f43d8942c133bf7d6cb69b3016f3ca8b4fe14486455701cffd3647e62ee6e159b254da24038ac39f0843f28

Download Submit
memory/1988-56-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download