072b23420d45a89ddbc232a70f7cf08980a4539228fe6e092208523d42d51946

Analysis

max time kernel
153s
max time network
75s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

072b23420d45a89ddbc232a70f7cf08980a4539228fe6e092208523d42d51946.exe
Size

260KB
MD5

68783982570e9f4db68fb3b73604f2d4
SHA1

33193f7080f148ed4554239057a67ba17e7e3fa0
SHA256

072b23420d45a89ddbc232a70f7cf08980a4539228fe6e092208523d42d51946
SHA512

7add90ad7438c9ac68f0533b2336e5ccc499fc7b69f8a6ed96f901b9e506db7a01e180bb5cc8b17bdfa51307703c18d998a4d1f27f1809cb569cf3a4e5c1e474
SSDEEP

6144:cCBZxrVG3zzyXcM9ZoxtoFIZ93Cv8A/DPPiZi6u:NNIzzyXcM9ZoxtoFIZ93Cv8A/DXau

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	072b23420d45a89ddbc232a70f7cf08980a4539228fe6e092208523d42d51946.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fiewiu.exe

Executes dropped EXE 1 IoCs

pid	Process
1736	fiewiu.exe

Loads dropped DLL 2 IoCs

pid	Process
1744	072b23420d45a89ddbc232a70f7cf08980a4539228fe6e092208523d42d51946.exe
1744	072b23420d45a89ddbc232a70f7cf08980a4539228fe6e092208523d42d51946.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /U"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /k"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /b"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /M"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /R"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /O"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /v"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /P"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /Y"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /W"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /V"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /j"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /h"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /L"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /w"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /e"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /y"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /T"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /t"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /F"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /K"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /H"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /S"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /g"	072b23420d45a89ddbc232a70f7cf08980a4539228fe6e092208523d42d51946.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /X"	fiewiu.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /d"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /z"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /A"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /a"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /G"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /Z"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /p"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /o"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /q"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /B"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /i"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /f"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /C"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /J"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /m"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /E"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /c"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /N"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /g"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /r"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /n"	fiewiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /Q"	fiewiu.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	072b23420d45a89ddbc232a70f7cf08980a4539228fe6e092208523d42d51946.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fiewiu = "C:\\Users\\Admin\\fiewiu.exe /x"	fiewiu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1744	072b23420d45a89ddbc232a70f7cf08980a4539228fe6e092208523d42d51946.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe
1736	fiewiu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1744	072b23420d45a89ddbc232a70f7cf08980a4539228fe6e092208523d42d51946.exe
1736	fiewiu.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1736	1744	072b23420d45a89ddbc232a70f7cf08980a4539228fe6e092208523d42d51946.exe	28
PID 1744 wrote to memory of 1736	1744	072b23420d45a89ddbc232a70f7cf08980a4539228fe6e092208523d42d51946.exe	28
PID 1744 wrote to memory of 1736	1744	072b23420d45a89ddbc232a70f7cf08980a4539228fe6e092208523d42d51946.exe	28
PID 1744 wrote to memory of 1736	1744	072b23420d45a89ddbc232a70f7cf08980a4539228fe6e092208523d42d51946.exe	28

C:\Users\Admin\AppData\Local\Temp\072b23420d45a89ddbc232a70f7cf08980a4539228fe6e092208523d42d51946.exe
"C:\Users\Admin\AppData\Local\Temp\072b23420d45a89ddbc232a70f7cf08980a4539228fe6e092208523d42d51946.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\fiewiu.exe
  "C:\Users\Admin\fiewiu.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\fiewiu.exe

Filesize
260KB

MD5
c8caf8b8054ec27f740560c1c9feea8a

SHA1
838e99046fdc7b80f1bb60a32bede349fb9f3671

SHA256
11a98b8563c4e60907d9a0a31dc81d83e9fce1ebaca274045aca9f3979a632dc

SHA512
8f488a9cfad07c5e8d5177fe0638be52888abf9421f6316be3f374ce1f697ccf70f38cb9198ac1bb5dd55bce4c05ceade107777e4f2d97a7776b7591f2e2a4f2

Download Submit
C:\Users\Admin\fiewiu.exe

Filesize
260KB

MD5
c8caf8b8054ec27f740560c1c9feea8a

SHA1
838e99046fdc7b80f1bb60a32bede349fb9f3671

SHA256
11a98b8563c4e60907d9a0a31dc81d83e9fce1ebaca274045aca9f3979a632dc

SHA512
8f488a9cfad07c5e8d5177fe0638be52888abf9421f6316be3f374ce1f697ccf70f38cb9198ac1bb5dd55bce4c05ceade107777e4f2d97a7776b7591f2e2a4f2

Download Submit
\Users\Admin\fiewiu.exe

Filesize
260KB

MD5
c8caf8b8054ec27f740560c1c9feea8a

SHA1
838e99046fdc7b80f1bb60a32bede349fb9f3671

SHA256
11a98b8563c4e60907d9a0a31dc81d83e9fce1ebaca274045aca9f3979a632dc

SHA512
8f488a9cfad07c5e8d5177fe0638be52888abf9421f6316be3f374ce1f697ccf70f38cb9198ac1bb5dd55bce4c05ceade107777e4f2d97a7776b7591f2e2a4f2

Download Submit
\Users\Admin\fiewiu.exe

Filesize
260KB

MD5
c8caf8b8054ec27f740560c1c9feea8a

SHA1
838e99046fdc7b80f1bb60a32bede349fb9f3671

SHA256
11a98b8563c4e60907d9a0a31dc81d83e9fce1ebaca274045aca9f3979a632dc

SHA512
8f488a9cfad07c5e8d5177fe0638be52888abf9421f6316be3f374ce1f697ccf70f38cb9198ac1bb5dd55bce4c05ceade107777e4f2d97a7776b7591f2e2a4f2

Download Submit
memory/1744-56-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download