Analysis
max time kernel: 155s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2022, 14:57

Static task: static1

Behavioral task: behavioral1
Sample: 39514c2e75ca15d1d26ad22ca53fe874f226ff1dab88d80fa8bf518fb8cb834e.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 39514c2e75ca15d1d26ad22ca53fe874f226ff1dab88d80fa8bf518fb8cb834e.exe
Resource: win10v2004-20220812-en
General
Target: 39514c2e75ca15d1d26ad22ca53fe874f226ff1dab88d80fa8bf518fb8cb834e.exe
Size: 248KB
MD5: 7bc9f9f935a3aa172094b1fdfcf2cbd0
SHA1: 4a944fa20e5604163f094b9c8984b3ec99e58f8f
SHA256: 39514c2e75ca15d1d26ad22ca53fe874f226ff1dab88d80fa8bf518fb8cb834e
SHA512: bf39ef7a8c4c8c1e2b33c0c2bd16e701fb86d0d27898acb513801dcb7a7a26bf35345826c2d6ab69a5f79edbc5bf1334fbd252964e27b3550e75ecd7e11cda6f
SSDEEP: 3072:+R4hIdJvRVFD1yPBYEmaHtGG2gqZ+/9A+JRjKY5Md41gfy27:P6h1yPptGG2gqZ+FfKqDsX
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: 39514c2e75ca15d1d26ad22ca53fe874f226ff1dab88d80fa8bf518fb8cb834e.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: neazuuf.exe)
Executes dropped EXE (1 IoC)
- PID 1268, process neazuuf.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: 39514c2e75ca15d1d26ad22ca53fe874f226ff1dab88d80fa8bf518fb8cb834e.exe)
Adds Run key to start application (2 TTPs, 52 IoCs)
All "Set value (str)" entries below write the value \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neazuuf; the recording process is given in parentheses.
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /Q" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /O" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /T" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /C" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /n" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /K" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /s" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /A" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /G" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /R" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /W" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /P" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /H" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /B" (neazuuf.exe)
- Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (39514c2e75ca15d1d26ad22ca53fe874f226ff1dab88d80fa8bf518fb8cb834e.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /f" (39514c2e75ca15d1d26ad22ca53fe874f226ff1dab88d80fa8bf518fb8cb834e.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /N" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /i" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /g" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /d" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /q" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /S" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /k" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /V" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /U" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /a" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /j" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /h" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /F" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /e" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /t" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /E" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /b" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /v" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /I" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /y" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /D" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /L" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /X" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /w" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /z" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /l" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /x" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /Y" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /p" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /Z" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /c" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /f" (neazuuf.exe)
- Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /m" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /M" (neazuuf.exe)
- Set value (str) neazuuf = "C:\\Users\\Admin\\neazuuf.exe /u" (neazuuf.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 3292, process 39514c2e75ca15d1d26ad22ca53fe874f226ff1dab88d80fa8bf518fb8cb834e.exe (2 events)
- PID 1268, process neazuuf.exe (62 events)
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 3292, process 39514c2e75ca15d1d26ad22ca53fe874f226ff1dab88d80fa8bf518fb8cb834e.exe
- PID 1268, process neazuuf.exe
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 3292 wrote to memory of 1268; process 39514c2e75ca15d1d26ad22ca53fe874f226ff1dab88d80fa8bf518fb8cb834e.exe; procid_target 82 (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\39514c2e75ca15d1d26ad22ca53fe874f226ff1dab88d80fa8bf518fb8cb834e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\39514c2e75ca15d1d26ad22ca53fe874f226ff1dab88d80fa8bf518fb8cb834e.exe"
  PID: 3292
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\neazuuf.exe
    Command line: "C:\Users\Admin\neazuuf.exe"
    PID: 1268
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 248KB
  MD5: 07acd1c7eebff0df583b5bbe94814fe6
  SHA1: 01171c90df4af9fd6aceac7ddd2ed2a4313593f6
  SHA256: 35064e20cae884b693f52b27eec05f00d3dbf6d500f9fb1361311bdd6184f292
  SHA512: d5cc078b8ded8c0159d42239c6c3c83d7c337c89f4315517cfa32f8316fe58f30a6b9745009a572b7ba29272baa337f7384e6bbd245b0f0a9551c8f7ab181bcc