2eb5cf1f5dd8acea648d86d54b6325a4b3b146d980722f0e5b6266cf7bcd1748

Analysis

max time kernel
150s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2eb5cf1f5dd8acea648d86d54b6325a4b3b146d980722f0e5b6266cf7bcd1748.exe
Size

77KB
MD5

17665658ccc54d4145afc324e041a427
SHA1

407297f11604fef0b32aa30dddf64c2ab0d51484
SHA256

2eb5cf1f5dd8acea648d86d54b6325a4b3b146d980722f0e5b6266cf7bcd1748
SHA512

216d133734a06cb70a3aafb424359cfd80d936bc5444547c1dbd9ac03152693128f9126b6cc406192e8354a34e8fc1176de3918b20a498066d10d6eb8f6d4c3a
SSDEEP

1536:tWADAwtzns15Bx8pEttgdO/mXpgWXOJgQmmogDcMH5fCVsJVafuegWXAi+oX9tWY:tWADAwtzns15Bx8pEttgdO/mXpgWXOJe

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	caoum.exe

Executes dropped EXE 1 IoCs

pid	Process
812	caoum.exe

Loads dropped DLL 2 IoCs

pid	Process
1196	2eb5cf1f5dd8acea648d86d54b6325a4b3b146d980722f0e5b6266cf7bcd1748.exe
1196	2eb5cf1f5dd8acea648d86d54b6325a4b3b146d980722f0e5b6266cf7bcd1748.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	caoum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\caoum = "C:\\Users\\Admin\\caoum.exe"	caoum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe
812	caoum.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1196	2eb5cf1f5dd8acea648d86d54b6325a4b3b146d980722f0e5b6266cf7bcd1748.exe
812	caoum.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 812	1196	2eb5cf1f5dd8acea648d86d54b6325a4b3b146d980722f0e5b6266cf7bcd1748.exe	27
PID 1196 wrote to memory of 812	1196	2eb5cf1f5dd8acea648d86d54b6325a4b3b146d980722f0e5b6266cf7bcd1748.exe	27
PID 1196 wrote to memory of 812	1196	2eb5cf1f5dd8acea648d86d54b6325a4b3b146d980722f0e5b6266cf7bcd1748.exe	27
PID 1196 wrote to memory of 812	1196	2eb5cf1f5dd8acea648d86d54b6325a4b3b146d980722f0e5b6266cf7bcd1748.exe	27
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26
PID 812 wrote to memory of 1196	812	caoum.exe	26

C:\Users\Admin\AppData\Local\Temp\2eb5cf1f5dd8acea648d86d54b6325a4b3b146d980722f0e5b6266cf7bcd1748.exe
"C:\Users\Admin\AppData\Local\Temp\2eb5cf1f5dd8acea648d86d54b6325a4b3b146d980722f0e5b6266cf7bcd1748.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\caoum.exe
  "C:\Users\Admin\caoum.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\caoum.exe

Filesize
77KB

MD5
29767b13c26323be4774c8477c319a86

SHA1
55ec3a99162b38e6833f61d1358ba4f36e1339cb

SHA256
dca88cca719a7716bbf72723169199416a430dc670adeee1d7014f1784804b24

SHA512
39b0cc5eda350ed834b98792a2d91ddef1c3b470ef09b6b43745d149d78001b115ca6408c0b24e4754156bbbb9fbc96d263789f1d4ea3ad8117e1f683e3902f6

Download Submit
C:\Users\Admin\caoum.exe

Filesize
77KB

MD5
29767b13c26323be4774c8477c319a86

SHA1
55ec3a99162b38e6833f61d1358ba4f36e1339cb

SHA256
dca88cca719a7716bbf72723169199416a430dc670adeee1d7014f1784804b24

SHA512
39b0cc5eda350ed834b98792a2d91ddef1c3b470ef09b6b43745d149d78001b115ca6408c0b24e4754156bbbb9fbc96d263789f1d4ea3ad8117e1f683e3902f6

Download Submit
\Users\Admin\caoum.exe

Filesize
77KB

MD5
29767b13c26323be4774c8477c319a86

SHA1
55ec3a99162b38e6833f61d1358ba4f36e1339cb

SHA256
dca88cca719a7716bbf72723169199416a430dc670adeee1d7014f1784804b24

SHA512
39b0cc5eda350ed834b98792a2d91ddef1c3b470ef09b6b43745d149d78001b115ca6408c0b24e4754156bbbb9fbc96d263789f1d4ea3ad8117e1f683e3902f6

Download Submit
\Users\Admin\caoum.exe

Filesize
77KB

MD5
29767b13c26323be4774c8477c319a86

SHA1
55ec3a99162b38e6833f61d1358ba4f36e1339cb

SHA256
dca88cca719a7716bbf72723169199416a430dc670adeee1d7014f1784804b24

SHA512
39b0cc5eda350ed834b98792a2d91ddef1c3b470ef09b6b43745d149d78001b115ca6408c0b24e4754156bbbb9fbc96d263789f1d4ea3ad8117e1f683e3902f6

Download Submit
memory/812-67-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/812-71-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1196-56-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1196-57-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1196-65-0x0000000003700000-0x0000000003718000-memory.dmp

Filesize
96KB

Download
memory/1196-66-0x0000000003700000-0x0000000003718000-memory.dmp

Filesize
96KB

Download
memory/1196-69-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1196-70-0x0000000003700000-0x0000000003718000-memory.dmp

Filesize
96KB

Download