Analysis

max time kernel: 167s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11-10-2022 09:34

Static task: static1

Behavioral task: behavioral1
Sample: 45887113e41e462de1693b88876d8b5b4ca313bfdba7ad3f6a33def3c6472e4f.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 45887113e41e462de1693b88876d8b5b4ca313bfdba7ad3f6a33def3c6472e4f.exe
Resource: win10v2004-20220812-en
General

Target: 45887113e41e462de1693b88876d8b5b4ca313bfdba7ad3f6a33def3c6472e4f.exe
Size: 248KB
MD5: 470262381248382f217751e76c75e090
SHA1: 90110587e09f603d8fbd1608d9129a2cbe5559f9
SHA256: 45887113e41e462de1693b88876d8b5b4ca313bfdba7ad3f6a33def3c6472e4f
SHA512: 2cd9fc979790535680ce1aa77547d4f28d6798c761d0725dab129ef33c56ccb5c2a0101090e023e054c2bc2801a53c4d2cc1ab6a4fc8b192347f43a96aaf7886
SSDEEP: 6144:kD0qA6Y0d/RCH3erL/sLAsLPfc/UDgKJ1s4EWqZA7Q/DxoI3sDP4QtNINHKbhFJc:DqAh0d/RCHOrL/sLAsLP9+AKtF3sDwnG
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" toozua.exe

Executes dropped EXE 1 IoCs
pid Process
1356 toozua.exe

Loads dropped DLL 2 IoCs
pid Process
836 45887113e41e462de1693b88876d8b5b4ca313bfdba7ad3f6a33def3c6472e4f.exe
836 45887113e41e462de1693b88876d8b5b4ca313bfdba7ad3f6a33def3c6472e4f.exe
Adds Run key to start application 2 TTPs 51 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ toozua.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\toozua = "C:\\Users\\Admin\\toozua.exe /<switch>" toozua.exe
The Set value entry above is recorded 50 times, always for the same value name and the same image path, differing only in the single-letter switch. In the order logged (the Key created event falls between /I and /L) the switches are:
/S /h /K /R /I /L /T /l /O /X /w /A /z /U /i /s /J /P /G /o /C /x /c /d /g /t /N /H /u /M /D /E /q /Z /p /j /r /W /Y /a /e /n /F /V /B /m /f /v /Q /b
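The two registry signatures above, the Run value rewritten 50 times under one name with a different single-letter switch each time and ShowSuperHidden forced to 0, as detection logic run over constructed Sysmon-style "registry value set" records. This is an added example and not part of the sandbox report or its tooling. The records are constructed to mirror the report's IoCs (SID, key paths, image path, the 50 switches in their logged order); the benign Updater.exe control entry and the churn threshold of 5 writes are assumptions. Beyond the report's own signatures it also flags the rewrite churn, which the "51 IoCs" count hints at but the signature itself does not score.

```python
import re
from collections import Counter, defaultdict

# Sysmon spells the report's \REGISTRY\USER\<SID>\... paths as HKU\<SID>\...;
# both end the same way, so the rules match on the tail of the path.
RUN_VALUE_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
SHOW_SUPER_HIDDEN_RE = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)
# An executable sitting directly in a profile root (C:\Users\<name>\<file>.exe),
# quoted or not, with optional trailing switches. Program directories never match.
PROFILE_ROOT_EXE_RE = re.compile(r'^"?([A-Za-z]:\\Users\\[^\\"]+\\[^\\"]+\.exe)"?(?:\s|$)', re.I)
DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")   # Sysmon's Details form for REG_DWORD

SID = "S-1-5-21-3845472200-3839195424-595303356-1000"   # user SID from the report
# The 50 switches exactly as the report logs them, in order.
SWITCHES = ("S h K R I L T l O X w A z U i s J P G o C x c d g t N H u M D E "
            "q Z p j r W Y a e n F V B m f v Q b").split()


def hku(subkey):
    # Build HKU\<SID>\<subkey> without f-string backslash pitfalls.
    return "HKU\\" + SID + "\\" + subkey


RUN_VALUE = hku(r"Software\Microsoft\Windows\CurrentVersion\Run\toozua")
TOOZUA = r"C:\Users\Admin\toozua.exe"


def constructed_events():
    """Constructed Sysmon-style RegistryEvent (value set) records; not sandbox output."""
    events = [{"pid": 1356, "image": TOOZUA,
               "target": hku(r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"),
               "details": "DWORD (0x00000000)"}]
    events += [{"pid": 1356, "image": TOOZUA, "target": RUN_VALUE,
                "details": TOOZUA + " /" + sw} for sw in SWITCHES]
    # Assumed benign control: a vendor updater registering itself once from Program Files.
    events.append({"pid": 4242, "image": r"C:\Program Files\Vendor\Updater.exe",
                   "target": hku(r"Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"),
                   "details": r'"C:\Program Files\Vendor\Updater.exe" /background'})
    return events


def analyse(events, churn_threshold=5):
    """Return findings keyed by rule name.

    churn_threshold is an assumed tuning value: installers write a Run value
    once or twice; rewriting the same value dozens of times is the anomaly.
    """
    findings = defaultdict(list)
    run_writes = Counter()            # (pid, value path) -> number of writes
    run_distinct = defaultdict(set)   # (pid, value path) -> distinct data written
    for ev in events:
        target, details = ev["target"], ev["details"]
        if SHOW_SUPER_HIDDEN_RE.search(target):
            m = DWORD_RE.search(details)
            if m and int(m.group(1), 16) == 0:   # 0 hides protected OS files again
                findings["hidden_files_concealed"].append((ev["pid"], ev["image"]))
        if RUN_VALUE_RE.search(target):
            key = (ev["pid"], target)
            run_writes[key] += 1
            run_distinct[key].add(details)
            exe = PROFILE_ROOT_EXE_RE.match(details)
            # The writing process registers its own profile-root image for autostart.
            if exe and exe.group(1).lower() == ev["image"].lower():
                if key not in findings["profile_root_self_persistence"]:
                    findings["profile_root_self_persistence"].append(key)
    for key, n in run_writes.items():
        if n >= churn_threshold:
            findings["run_value_churn"].append((key[0], key[1], n, len(run_distinct[key])))
    return dict(findings)


if __name__ == "__main__":
    for rule, hits in analyse(constructed_events()).items():
        print(rule, hits)
```

The self-persistence rule keys on the image path being in the profile root and equal to the writer's own image; the churn rule counts writes per (pid, value) regardless of content, so it also catches a loop that rewrites an identical string.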
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
1356 toozua.exe (64 identical entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
836 45887113e41e462de1693b88876d8b5b4ca313bfdba7ad3f6a33def3c6472e4f.exe
1356 toozua.exe

Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 836 wrote to memory of 1356 | 836 45887113e41e462de1693b88876d8b5b4ca313bfdba7ad3f6a33def3c6472e4f.exe | 27 (4 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\45887113e41e462de1693b88876d8b5b4ca313bfdba7ad3f6a33def3c6472e4f.exe
command line: "C:\Users\Admin\AppData\Local\Temp\45887113e41e462de1693b88876d8b5b4ca313bfdba7ad3f6a33def3c6472e4f.exe"
PID: 836
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\toozua.exe (child of PID 836)
  command line: "C:\Users\Admin\toozua.exe"
  PID: 1356
  - Modifies visibility of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
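The process tree above, together with the Executes dropped EXE and Loads dropped DLL signatures, rebuilt from constructed Sysmon-style file-create, process-create and image-load records: a path counts as "dropped" once a process in the run has written it, and any later execution or load of that path is flagged together with the writer. This is an added example, not the sandbox's code. The sample's parent PID 1200 and the DLL path helper.dll are hypothetical, since the report gives neither. One caveat on the WriteProcessMemory signature: a parent writing into a child it has just created is part of ordinary process creation, so the four 836 to 1356 writes are expected for any parent/child pair; the signature is useful for the pair it names, not as evidence of injection on its own, which is why the example does not score it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\45887113e41e462de1693b88876d8b5b4ca313bfdba7ad3f6a33def3c6472e4f.exe"
DROPPED_EXE = r"C:\Users\Admin\toozua.exe"
DROPPED_DLL = r"C:\Users\Admin\AppData\Local\Temp\helper.dll"   # hypothetical; the report lists no DLL path
PARENT_PID = 1200                                              # hypothetical launcher of the sample


def constructed_events():
    """Ordered, Sysmon-style records (constructed; not the sandbox's log)."""
    return [
        {"type": "process_create", "pid": 836, "ppid": PARENT_PID, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
        {"type": "file_create", "pid": 836, "path": DROPPED_DLL},
        {"type": "image_load", "pid": 836, "path": DROPPED_DLL},
        {"type": "file_create", "pid": 836, "path": DROPPED_EXE},
        {"type": "process_create", "pid": 1356, "ppid": 836, "image": DROPPED_EXE, "cmdline": '"' + DROPPED_EXE + '"'},
        {"type": "image_load", "pid": 1356, "path": r"C:\Windows\System32\kernel32.dll"},   # normal load, must not fire
    ]


def analyse(events) -> Tuple[List[Proc], List[tuple]]:
    """Build the process tree and flag use of files written earlier in the run."""
    procs: Dict[int, Proc] = {}
    dropped: Dict[str, int] = {}   # lower-cased path -> pid that wrote it
    findings: List[tuple] = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            dropped[ev["path"].lower()] = ev["pid"]
        elif kind == "process_create":
            p = Proc(ev["pid"], ev["ppid"], ev["image"], ev["cmdline"])
            procs[p.pid] = p
            if p.ppid in procs:                      # parent seen in this run: attach
                procs[p.ppid].children.append(p)
            writer = dropped.get(p.image.lower())
            if writer is not None:                   # "Executes dropped EXE"
                findings.append(("executes_dropped_exe", p.pid, p.image, writer))
        elif kind == "image_load":
            writer = dropped.get(ev["path"].lower())
            if writer is not None:                   # "Loads dropped DLL"
                findings.append(("loads_dropped_dll", ev["pid"], ev["path"], writer))
    roots = [p for p in procs.values() if p.ppid not in procs]
    return roots, findings


def render(roots: List[Proc]) -> List[str]:
    """Indented tree in the report's depth-first order."""
    lines: List[str] = []

    def walk(p: Proc, depth: int) -> None:
        lines.append("  " * depth + p.cmdline + "  PID:" + str(p.pid))
        for c in p.children:
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return lines


if __name__ == "__main__":
    roots, findings = analyse(constructed_events())
    print("\n".join(render(roots)))
    for f in findings:
        print(f)
```

Matching on the lower-cased full path is enough for a sandbox run; on a live host the same rule should key on the file's hash or object ID as well, since a dropper can rename or overwrite the file between write and execution.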
-
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 248KB
MD5: f67315307b3148ab7fb17038e881acfe
SHA1: d573b404829ba50d11598dff67adb79d242af822
SHA256: 7143a336025b82634c851b5b1181dc63e5a2bd1dca0fa2a96c602da307dc0069
SHA512: a20d7f0c83823f963248137f405c02ba456b892a34f793c2bd6435653a605a32d38442d47d78154b08b5fe38a250136c745e53c4d5ed8077c52ff9c721cd2621
(four download entries, all with the hashes above)