c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0

Analysis

max time kernel
156s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 02:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe
Size

564KB
MD5

68e4832f1071aaca70c3e32fcfba133e
SHA1

32f1a5ec9c6ab86d0c2fd03df78d2597ffd7490d
SHA256

c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0
SHA512

61c398a9566c8c2fe8dc3cbd4945da7ef53e556873511e54ef9b823f1fe97a12d676e028a1faee7912ff1fee0fc60745c8bcafe4df13866bce73512e08373aa6
SSDEEP

12288:AiEPVIq0TcwMi7tBNMLpJVeVvsZWILqY02JwwA1x33GwTuIj+w:AiRq0TcwvypSVvsfLNzJwwAkX

Score

10^/10

evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Za0Fr02eH4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	voiahu.exe

Executes dropped EXE 10 IoCs

pid	Process
1340	Za0Fr02eH4.exe
3256	2eaz.exe
4984	2eaz.exe
4880	2eaz.exe
3560	2eaz.exe
4820	2eaz.exe
4436	2eaz.exe
4620	3eaz.exe
4256	X
4252	voiahu.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4880-147-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4820-155-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/3560-151-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4820-161-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/4436-160-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4436-164-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4820-158-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/4436-166-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4820-170-0x0000000000400000-0x0000000000407000-memory.dmp	upx
behavioral2/memory/4436-171-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/4880-174-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3560-173-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4436-172-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/3560-175-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4880-176-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4436-180-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral2/memory/3560-181-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral2/memory/4880-182-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4880-201-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4820-202-0x0000000000400000-0x0000000000407000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Za0Fr02eH4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	31.193.3.240
Destination IP	31.193.3.240

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /W"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /S"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /x"	voiahu.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /A"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /p"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /f"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /Z"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /P"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /D"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /M"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /H"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /w"	voiahu.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Za0Fr02eH4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /C"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /I"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /G"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /d"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /y"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /z"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /O"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /X"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /R"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /m"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /N"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /c"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /g"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /s"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /K"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /L"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /v"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /V"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /u"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /T"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /n"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /B"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /l"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /Y"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /U"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /a"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /J"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /i"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /j"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /e"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /o"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /b"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /Q"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /h"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /k"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /t"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /E"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /F"	voiahu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /K"	Za0Fr02eH4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voiahu = "C:\\Users\\Admin\\voiahu.exe /q"	voiahu.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2eaz.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2eaz.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3256 set thread context of 4984	3256	2eaz.exe	80
PID 3256 set thread context of 4880	3256	2eaz.exe	82
PID 3256 set thread context of 3560	3256	2eaz.exe	83
PID 3256 set thread context of 4820	3256	2eaz.exe	84
PID 3256 set thread context of 4436	3256	2eaz.exe	85
PID 4620 set thread context of 2356	4620	3eaz.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1072	4984	WerFault.exe	80

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
336	tasklist.exe
204	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1340	Za0Fr02eH4.exe
1340	Za0Fr02eH4.exe
4880	2eaz.exe
4880	2eaz.exe
4620	3eaz.exe
4620	3eaz.exe
4256	X
4256	X
4880	2eaz.exe
4880	2eaz.exe
1340	Za0Fr02eH4.exe
1340	Za0Fr02eH4.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe
4252	voiahu.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2792	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	4620	3eaz.exe
Token: SeDebugPrivilege	4620	3eaz.exe
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeDebugPrivilege	336	tasklist.exe
Token: SeDebugPrivilege	204	tasklist.exe
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4476	c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe
1340	Za0Fr02eH4.exe
3256	2eaz.exe
4820	2eaz.exe
4436	2eaz.exe
4252	voiahu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 1340	4476	c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe	78
PID 4476 wrote to memory of 1340	4476	c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe	78
PID 4476 wrote to memory of 1340	4476	c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe	78
PID 4476 wrote to memory of 3256	4476	c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe	79
PID 4476 wrote to memory of 3256	4476	c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe	79
PID 4476 wrote to memory of 3256	4476	c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe	79
PID 3256 wrote to memory of 4984	3256	2eaz.exe	80
PID 3256 wrote to memory of 4984	3256	2eaz.exe	80
PID 3256 wrote to memory of 4984	3256	2eaz.exe	80
PID 3256 wrote to memory of 4984	3256	2eaz.exe	80
PID 3256 wrote to memory of 4880	3256	2eaz.exe	82
PID 3256 wrote to memory of 4880	3256	2eaz.exe	82
PID 3256 wrote to memory of 4880	3256	2eaz.exe	82
PID 3256 wrote to memory of 4880	3256	2eaz.exe	82
PID 3256 wrote to memory of 4880	3256	2eaz.exe	82
PID 3256 wrote to memory of 4880	3256	2eaz.exe	82
PID 3256 wrote to memory of 4880	3256	2eaz.exe	82
PID 3256 wrote to memory of 4880	3256	2eaz.exe	82
PID 3256 wrote to memory of 3560	3256	2eaz.exe	83
PID 3256 wrote to memory of 3560	3256	2eaz.exe	83
PID 3256 wrote to memory of 3560	3256	2eaz.exe	83
PID 3256 wrote to memory of 3560	3256	2eaz.exe	83
PID 3256 wrote to memory of 3560	3256	2eaz.exe	83
PID 3256 wrote to memory of 3560	3256	2eaz.exe	83
PID 3256 wrote to memory of 3560	3256	2eaz.exe	83
PID 3256 wrote to memory of 3560	3256	2eaz.exe	83
PID 3256 wrote to memory of 4820	3256	2eaz.exe	84
PID 3256 wrote to memory of 4820	3256	2eaz.exe	84
PID 3256 wrote to memory of 4820	3256	2eaz.exe	84
PID 3256 wrote to memory of 4820	3256	2eaz.exe	84
PID 3256 wrote to memory of 4820	3256	2eaz.exe	84
PID 3256 wrote to memory of 4820	3256	2eaz.exe	84
PID 3256 wrote to memory of 4820	3256	2eaz.exe	84
PID 3256 wrote to memory of 4820	3256	2eaz.exe	84
PID 3256 wrote to memory of 4436	3256	2eaz.exe	85
PID 3256 wrote to memory of 4436	3256	2eaz.exe	85
PID 3256 wrote to memory of 4436	3256	2eaz.exe	85
PID 3256 wrote to memory of 4436	3256	2eaz.exe	85
PID 3256 wrote to memory of 4436	3256	2eaz.exe	85
PID 3256 wrote to memory of 4436	3256	2eaz.exe	85
PID 3256 wrote to memory of 4436	3256	2eaz.exe	85
PID 3256 wrote to memory of 4436	3256	2eaz.exe	85
PID 4476 wrote to memory of 4620	4476	c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe	86
PID 4476 wrote to memory of 4620	4476	c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe	86
PID 4476 wrote to memory of 4620	4476	c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe	86
PID 4620 wrote to memory of 4256	4620	3eaz.exe	88
PID 4620 wrote to memory of 4256	4620	3eaz.exe	88
PID 4256 wrote to memory of 2792	4256	X	44
PID 4620 wrote to memory of 2356	4620	3eaz.exe	89
PID 4620 wrote to memory of 2356	4620	3eaz.exe	89
PID 4620 wrote to memory of 2356	4620	3eaz.exe	89
PID 4620 wrote to memory of 2356	4620	3eaz.exe	89
PID 4476 wrote to memory of 4192	4476	c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe	92
PID 4476 wrote to memory of 4192	4476	c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe	92
PID 4476 wrote to memory of 4192	4476	c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe	92
PID 1340 wrote to memory of 4252	1340	Za0Fr02eH4.exe	91
PID 1340 wrote to memory of 4252	1340	Za0Fr02eH4.exe	91
PID 1340 wrote to memory of 4252	1340	Za0Fr02eH4.exe	91
PID 1340 wrote to memory of 4356	1340	Za0Fr02eH4.exe	94
PID 1340 wrote to memory of 4356	1340	Za0Fr02eH4.exe	94
PID 1340 wrote to memory of 4356	1340	Za0Fr02eH4.exe	94
PID 4192 wrote to memory of 336	4192	cmd.exe	96
PID 4192 wrote to memory of 336	4192	cmd.exe	96
PID 4192 wrote to memory of 336	4192	cmd.exe	96

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2792
- C:\Users\Admin\AppData\Local\Temp\c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe
  "C:\Users\Admin\AppData\Local\Temp\c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Users\Admin\Za0Fr02eH4.exe
    C:\Users\Admin\Za0Fr02eH4.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Users\Admin\voiahu.exe
      "C:\Users\Admin\voiahu.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4252
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del Za0Fr02eH4.exe
      4⤵
      PID:4356
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:204
- - C:\Users\Admin\2eaz.exe
    C:\Users\Admin\2eaz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Users\Admin\2eaz.exe
      "C:\Users\Admin\2eaz.exe"
      4⤵
      Executes dropped EXE
      PID:4984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 80
        5⤵
        Program crash
        
        PID:1072
  - - C:\Users\Admin\2eaz.exe
      "C:\Users\Admin\2eaz.exe"
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      PID:4880
  - - C:\Users\Admin\2eaz.exe
      "C:\Users\Admin\2eaz.exe"
      4⤵
      Executes dropped EXE
      PID:3560
  - - C:\Users\Admin\2eaz.exe
      "C:\Users\Admin\2eaz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4820
  - - C:\Users\Admin\2eaz.exe
      "C:\Users\Admin\2eaz.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4436
- - C:\Users\Admin\3eaz.exe
    C:\Users\Admin\3eaz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Users\Admin\AppData\Local\3d215881\X
      *0*bc*18b548*31.193.3.240:53
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4256
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del c40fa6858f9baad840232e7d9bad46ad82e8e1b9bed637652cdbb6dd96db8fb0.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4192
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4984 -ip 4984
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2eaz.exe

Filesize
184KB

MD5
b5e4ef8f155546bb96b2725ec36f8dd9

SHA1
7e1301b8759c39f37993c7145d233f9fd45fa1c9

SHA256
c5ce89c5116fe9796e3324b2045fc53369e099bf92d22d7303a55ae67d0a5755

SHA512
b6ba29f78fd3ad4895a9aa6d30f46ecabee67d5ff38a3c0dfc5f5dd5bb170ec2bbf47dd963285fcc90097804523ba12fd41418005f7abf3367875ac21f23e904

Download Submit
C:\Users\Admin\2eaz.exe

Filesize
184KB

MD5
b5e4ef8f155546bb96b2725ec36f8dd9

SHA1
7e1301b8759c39f37993c7145d233f9fd45fa1c9

SHA256
c5ce89c5116fe9796e3324b2045fc53369e099bf92d22d7303a55ae67d0a5755

SHA512
b6ba29f78fd3ad4895a9aa6d30f46ecabee67d5ff38a3c0dfc5f5dd5bb170ec2bbf47dd963285fcc90097804523ba12fd41418005f7abf3367875ac21f23e904

Download Submit
C:\Users\Admin\2eaz.exe

Filesize
184KB

MD5
b5e4ef8f155546bb96b2725ec36f8dd9

SHA1
7e1301b8759c39f37993c7145d233f9fd45fa1c9

SHA256
c5ce89c5116fe9796e3324b2045fc53369e099bf92d22d7303a55ae67d0a5755

SHA512
b6ba29f78fd3ad4895a9aa6d30f46ecabee67d5ff38a3c0dfc5f5dd5bb170ec2bbf47dd963285fcc90097804523ba12fd41418005f7abf3367875ac21f23e904

Download Submit
C:\Users\Admin\2eaz.exe

Filesize
184KB

MD5
b5e4ef8f155546bb96b2725ec36f8dd9

SHA1
7e1301b8759c39f37993c7145d233f9fd45fa1c9

SHA256
c5ce89c5116fe9796e3324b2045fc53369e099bf92d22d7303a55ae67d0a5755

SHA512
b6ba29f78fd3ad4895a9aa6d30f46ecabee67d5ff38a3c0dfc5f5dd5bb170ec2bbf47dd963285fcc90097804523ba12fd41418005f7abf3367875ac21f23e904

Download Submit
C:\Users\Admin\2eaz.exe

Filesize
184KB

MD5
b5e4ef8f155546bb96b2725ec36f8dd9

SHA1
7e1301b8759c39f37993c7145d233f9fd45fa1c9

SHA256
c5ce89c5116fe9796e3324b2045fc53369e099bf92d22d7303a55ae67d0a5755

SHA512
b6ba29f78fd3ad4895a9aa6d30f46ecabee67d5ff38a3c0dfc5f5dd5bb170ec2bbf47dd963285fcc90097804523ba12fd41418005f7abf3367875ac21f23e904

Download Submit
C:\Users\Admin\2eaz.exe

Filesize
184KB

MD5
b5e4ef8f155546bb96b2725ec36f8dd9

SHA1
7e1301b8759c39f37993c7145d233f9fd45fa1c9

SHA256
c5ce89c5116fe9796e3324b2045fc53369e099bf92d22d7303a55ae67d0a5755

SHA512
b6ba29f78fd3ad4895a9aa6d30f46ecabee67d5ff38a3c0dfc5f5dd5bb170ec2bbf47dd963285fcc90097804523ba12fd41418005f7abf3367875ac21f23e904

Download Submit
C:\Users\Admin\2eaz.exe

Filesize
184KB

MD5
b5e4ef8f155546bb96b2725ec36f8dd9

SHA1
7e1301b8759c39f37993c7145d233f9fd45fa1c9

SHA256
c5ce89c5116fe9796e3324b2045fc53369e099bf92d22d7303a55ae67d0a5755

SHA512
b6ba29f78fd3ad4895a9aa6d30f46ecabee67d5ff38a3c0dfc5f5dd5bb170ec2bbf47dd963285fcc90097804523ba12fd41418005f7abf3367875ac21f23e904

Download Submit
C:\Users\Admin\3eaz.exe

Filesize
254KB

MD5
0c0be014832905bc4bb981a03f279d6e

SHA1
16e8d3cf157ed3afb5041df2bbe97f4422c5a1dc

SHA256
13b0b4e5adf34babefd24eb5886a2b9a5d0d2e6cce61a77c2cbd501e22d36f48

SHA512
1be55754d1ab77f9ef9c588599428f5754a6cc349471e5f63ca98a5a5d54e40210616937e9f53abe4912b5aa637620b85cb0665e3b60661fd1ca046f7da65060

Download Submit
C:\Users\Admin\3eaz.exe

Filesize
254KB

MD5
0c0be014832905bc4bb981a03f279d6e

SHA1
16e8d3cf157ed3afb5041df2bbe97f4422c5a1dc

SHA256
13b0b4e5adf34babefd24eb5886a2b9a5d0d2e6cce61a77c2cbd501e22d36f48

SHA512
1be55754d1ab77f9ef9c588599428f5754a6cc349471e5f63ca98a5a5d54e40210616937e9f53abe4912b5aa637620b85cb0665e3b60661fd1ca046f7da65060

Download Submit
C:\Users\Admin\AppData\Local\3d215881\X

Filesize
38KB

MD5
72de2dadaf875e2fd7614e100419033c

SHA1
5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

SHA256
c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

SHA512
e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

Download Submit
C:\Users\Admin\AppData\Local\3d215881\X

Filesize
38KB

MD5
72de2dadaf875e2fd7614e100419033c

SHA1
5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

SHA256
c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

SHA512
e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

Download Submit
C:\Users\Admin\Za0Fr02eH4.exe

Filesize
212KB

MD5
c613e1456c877e1487154fbafe1a298e

SHA1
af8c9d76cfb43659ced915b12bba47d0bba11ba0

SHA256
b21afd7848d64eadace47bc6f278f4ec2f89b8a42d9be9f55123b0e2de7320f9

SHA512
a675e9cd0f4ad741ddaacc15b4a119ab862009b1c62a97ac43a760c6ca5c2ea10e8f00928cd89489759aeea3f91a505b842536a5c221bb6a7b2ecf9a33fc3663

Download Submit
C:\Users\Admin\Za0Fr02eH4.exe

Filesize
212KB

MD5
c613e1456c877e1487154fbafe1a298e

SHA1
af8c9d76cfb43659ced915b12bba47d0bba11ba0

SHA256
b21afd7848d64eadace47bc6f278f4ec2f89b8a42d9be9f55123b0e2de7320f9

SHA512
a675e9cd0f4ad741ddaacc15b4a119ab862009b1c62a97ac43a760c6ca5c2ea10e8f00928cd89489759aeea3f91a505b842536a5c221bb6a7b2ecf9a33fc3663

Download Submit
C:\Users\Admin\voiahu.exe

Filesize
212KB

MD5
6416a1bc9dad99ff7d9787e8b8e7d342

SHA1
aca2aa4202e6dac2fd2f720d2b26ec2612cd5c2f

SHA256
85818258bf65f6e5b9a9e324273ba147e1c300d72bac87431a30586d946864be

SHA512
a51ffd3d8dac431027d1e62b30c9f44ec20ea76a580d7b1719ebf72ff003c3050c15bd1e0f03f5ea79d22f852b047708d4583c33b104843f63c09a5526d4dfc1

Download Submit
C:\Users\Admin\voiahu.exe

Filesize
212KB

MD5
6416a1bc9dad99ff7d9787e8b8e7d342

SHA1
aca2aa4202e6dac2fd2f720d2b26ec2612cd5c2f

SHA256
85818258bf65f6e5b9a9e324273ba147e1c300d72bac87431a30586d946864be

SHA512
a51ffd3d8dac431027d1e62b30c9f44ec20ea76a580d7b1719ebf72ff003c3050c15bd1e0f03f5ea79d22f852b047708d4583c33b104843f63c09a5526d4dfc1

Download Submit
memory/3560-173-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3560-175-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3560-181-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3560-151-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4436-171-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4436-172-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4436-160-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4436-180-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4436-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4436-164-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4620-191-0x0000000000841000-0x0000000000877000-memory.dmp

Filesize
216KB

Download
memory/4620-190-0x0000000030670000-0x00000000306C6000-memory.dmp

Filesize
344KB

Download
memory/4620-183-0x0000000000841000-0x0000000000877000-memory.dmp

Filesize
216KB

Download
memory/4620-184-0x0000000030670000-0x00000000306C6000-memory.dmp

Filesize
344KB

Download
memory/4620-185-0x0000000000841000-0x0000000000877000-memory.dmp

Filesize
216KB

Download
memory/4820-155-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4820-158-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4820-170-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4820-161-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4820-202-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4880-182-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4880-174-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4880-176-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4880-147-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4880-201-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download