3b74a6f7e38c17a1b7ff837aadbc1f5f12244d2e2cae6547bb7721486b0cafe4

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18/10/2022, 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b74a6f7e38c17a1b7ff837aadbc1f5f12244d2e2cae6547bb7721486b0cafe4.exe
Size

448KB
MD5

1bed87dc5fed160efbdc9fd32ffca023
SHA1

fbf57d3d1d2959247118d4ac50da6c9e26b42211
SHA256

3b74a6f7e38c17a1b7ff837aadbc1f5f12244d2e2cae6547bb7721486b0cafe4
SHA512

3fbc5cf28ace02d51f1500702e5a761134b5f786fab1bef82bac4dbdc689b0fd2857455de356745e2896741efa37ce5f214b9c2da5f6e25e91b6fee6dcfcd58f
SSDEEP

6144:G0op2pYUjqFk7qFoQudlhixeWrS4ijMI7cGX:G0op2pYT2QudA4gzy

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3b74a6f7e38c17a1b7ff837aadbc1f5f12244d2e2cae6547bb7721486b0cafe4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	maoume.exe

Executes dropped EXE 1 IoCs

pid	Process
1996	maoume.exe

Loads dropped DLL 2 IoCs

pid	Process
1400	3b74a6f7e38c17a1b7ff837aadbc1f5f12244d2e2cae6547bb7721486b0cafe4.exe
1400	3b74a6f7e38c17a1b7ff837aadbc1f5f12244d2e2cae6547bb7721486b0cafe4.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /q"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /j"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /z"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /h"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /b"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /m"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /u"	maoume.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	3b74a6f7e38c17a1b7ff837aadbc1f5f12244d2e2cae6547bb7721486b0cafe4.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /n"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /t"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /y"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /l"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /x"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /k"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /p"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /d"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /f"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /j"	3b74a6f7e38c17a1b7ff837aadbc1f5f12244d2e2cae6547bb7721486b0cafe4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /c"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /v"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /o"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /a"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /r"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /w"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /g"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /s"	maoume.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoume = "C:\\Users\\Admin\\maoume.exe /e"	maoume.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1400	3b74a6f7e38c17a1b7ff837aadbc1f5f12244d2e2cae6547bb7721486b0cafe4.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe
1996	maoume.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1400	3b74a6f7e38c17a1b7ff837aadbc1f5f12244d2e2cae6547bb7721486b0cafe4.exe
1996	maoume.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 1996	1400	3b74a6f7e38c17a1b7ff837aadbc1f5f12244d2e2cae6547bb7721486b0cafe4.exe	27
PID 1400 wrote to memory of 1996	1400	3b74a6f7e38c17a1b7ff837aadbc1f5f12244d2e2cae6547bb7721486b0cafe4.exe	27
PID 1400 wrote to memory of 1996	1400	3b74a6f7e38c17a1b7ff837aadbc1f5f12244d2e2cae6547bb7721486b0cafe4.exe	27
PID 1400 wrote to memory of 1996	1400	3b74a6f7e38c17a1b7ff837aadbc1f5f12244d2e2cae6547bb7721486b0cafe4.exe	27

C:\Users\Admin\AppData\Local\Temp\3b74a6f7e38c17a1b7ff837aadbc1f5f12244d2e2cae6547bb7721486b0cafe4.exe
"C:\Users\Admin\AppData\Local\Temp\3b74a6f7e38c17a1b7ff837aadbc1f5f12244d2e2cae6547bb7721486b0cafe4.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\maoume.exe
  "C:\Users\Admin\maoume.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\maoume.exe

Filesize
448KB

MD5
1855db9619ef3e99acdb6d88fe8d63bd

SHA1
bb3dbc54404bfb8ebb03a11908a560903dd978b2

SHA256
8643b77b09752a60c7ac4939962f1abe08afc9f54c2004cabd2fd5b37076e3a0

SHA512
a0fbef7e535a59bf534b2db778932277d4c86ca2500bd348f4adc6f798b401f0ad81f64942b6827b47b15372d0e2b4bd4569889b5e57e8aa0dbd2fc583436b52

Download Submit
C:\Users\Admin\maoume.exe

Filesize
448KB

MD5
1855db9619ef3e99acdb6d88fe8d63bd

SHA1
bb3dbc54404bfb8ebb03a11908a560903dd978b2

SHA256
8643b77b09752a60c7ac4939962f1abe08afc9f54c2004cabd2fd5b37076e3a0

SHA512
a0fbef7e535a59bf534b2db778932277d4c86ca2500bd348f4adc6f798b401f0ad81f64942b6827b47b15372d0e2b4bd4569889b5e57e8aa0dbd2fc583436b52

Download Submit
\Users\Admin\maoume.exe

Filesize
448KB

MD5
1855db9619ef3e99acdb6d88fe8d63bd

SHA1
bb3dbc54404bfb8ebb03a11908a560903dd978b2

SHA256
8643b77b09752a60c7ac4939962f1abe08afc9f54c2004cabd2fd5b37076e3a0

SHA512
a0fbef7e535a59bf534b2db778932277d4c86ca2500bd348f4adc6f798b401f0ad81f64942b6827b47b15372d0e2b4bd4569889b5e57e8aa0dbd2fc583436b52

Download Submit
\Users\Admin\maoume.exe

Filesize
448KB

MD5
1855db9619ef3e99acdb6d88fe8d63bd

SHA1
bb3dbc54404bfb8ebb03a11908a560903dd978b2

SHA256
8643b77b09752a60c7ac4939962f1abe08afc9f54c2004cabd2fd5b37076e3a0

SHA512
a0fbef7e535a59bf534b2db778932277d4c86ca2500bd348f4adc6f798b401f0ad81f64942b6827b47b15372d0e2b4bd4569889b5e57e8aa0dbd2fc583436b52

Download Submit
memory/1400-56-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download