fa6796a144baa096092ec1d01ffc192ab0c7480721f9c683405b00e9f2052bde

Analysis

max time kernel
152s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa6796a144baa096092ec1d01ffc192ab0c7480721f9c683405b00e9f2052bde.exe
Size

212KB
MD5

910839cb6b172870dcf2e6f91b573f19
SHA1

e681db75bd71c4c4a028c68b97409bd21fc24be4
SHA256

fa6796a144baa096092ec1d01ffc192ab0c7480721f9c683405b00e9f2052bde
SHA512

37ca95e3b75f57925d79f6a5d994e138771768eaee782f9c9d918f64c041517f8e832257a4c16b2e9882e8b86de123844747d5ebd8fe6d0b9af7ebeebbb5084e
SSDEEP

1536:Gx0ZFRldoIXG/CRYlI4cd9Lv2PElgWzNoN274B/K51ptaHElfTczpyFar2/AgAIK:+WR/oI1qGp+aNoN2N0YAcXHi

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fa6796a144baa096092ec1d01ffc192ab0c7480721f9c683405b00e9f2052bde.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	suejo.exe

Executes dropped EXE 1 IoCs

pid	Process
1740	suejo.exe

Loads dropped DLL 2 IoCs

pid	Process
2012	fa6796a144baa096092ec1d01ffc192ab0c7480721f9c683405b00e9f2052bde.exe
2012	fa6796a144baa096092ec1d01ffc192ab0c7480721f9c683405b00e9f2052bde.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /s"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /x"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /u"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /j"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /v"	fa6796a144baa096092ec1d01ffc192ab0c7480721f9c683405b00e9f2052bde.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /r"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /m"	suejo.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	fa6796a144baa096092ec1d01ffc192ab0c7480721f9c683405b00e9f2052bde.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /f"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /k"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /t"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /v"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /h"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /q"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /o"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /l"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /n"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /d"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /p"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /g"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /b"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /i"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /e"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /w"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /a"	suejo.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /y"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /c"	suejo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\suejo = "C:\\Users\\Admin\\suejo.exe /z"	suejo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	fa6796a144baa096092ec1d01ffc192ab0c7480721f9c683405b00e9f2052bde.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe
1740	suejo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2012	fa6796a144baa096092ec1d01ffc192ab0c7480721f9c683405b00e9f2052bde.exe
1740	suejo.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1740	2012	fa6796a144baa096092ec1d01ffc192ab0c7480721f9c683405b00e9f2052bde.exe	28
PID 2012 wrote to memory of 1740	2012	fa6796a144baa096092ec1d01ffc192ab0c7480721f9c683405b00e9f2052bde.exe	28
PID 2012 wrote to memory of 1740	2012	fa6796a144baa096092ec1d01ffc192ab0c7480721f9c683405b00e9f2052bde.exe	28
PID 2012 wrote to memory of 1740	2012	fa6796a144baa096092ec1d01ffc192ab0c7480721f9c683405b00e9f2052bde.exe	28

C:\Users\Admin\AppData\Local\Temp\fa6796a144baa096092ec1d01ffc192ab0c7480721f9c683405b00e9f2052bde.exe
"C:\Users\Admin\AppData\Local\Temp\fa6796a144baa096092ec1d01ffc192ab0c7480721f9c683405b00e9f2052bde.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\suejo.exe
  "C:\Users\Admin\suejo.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\suejo.exe

Filesize
212KB

MD5
024d939fbda4e9dbdaa358282c852eb0

SHA1
a5379566a4b86d9fdde1b7246fef6f6057978425

SHA256
835c9f7a3fdfe5fe443b652043f139553ab9bf7ebf96f8978881c4d7a01758ff

SHA512
be544381a7b2be4749f0849bfcdc8683f189d4b6fb36f2ba8d66bcc83cc92c240b7f79e7bf89f5792ceddac57311cf7f6b0eab5caacce14e1b1888a9f16285a5

Download Submit
C:\Users\Admin\suejo.exe

Filesize
212KB

MD5
024d939fbda4e9dbdaa358282c852eb0

SHA1
a5379566a4b86d9fdde1b7246fef6f6057978425

SHA256
835c9f7a3fdfe5fe443b652043f139553ab9bf7ebf96f8978881c4d7a01758ff

SHA512
be544381a7b2be4749f0849bfcdc8683f189d4b6fb36f2ba8d66bcc83cc92c240b7f79e7bf89f5792ceddac57311cf7f6b0eab5caacce14e1b1888a9f16285a5

Download Submit
\Users\Admin\suejo.exe

Filesize
212KB

MD5
024d939fbda4e9dbdaa358282c852eb0

SHA1
a5379566a4b86d9fdde1b7246fef6f6057978425

SHA256
835c9f7a3fdfe5fe443b652043f139553ab9bf7ebf96f8978881c4d7a01758ff

SHA512
be544381a7b2be4749f0849bfcdc8683f189d4b6fb36f2ba8d66bcc83cc92c240b7f79e7bf89f5792ceddac57311cf7f6b0eab5caacce14e1b1888a9f16285a5

Download Submit
\Users\Admin\suejo.exe

Filesize
212KB

MD5
024d939fbda4e9dbdaa358282c852eb0

SHA1
a5379566a4b86d9fdde1b7246fef6f6057978425

SHA256
835c9f7a3fdfe5fe443b652043f139553ab9bf7ebf96f8978881c4d7a01758ff

SHA512
be544381a7b2be4749f0849bfcdc8683f189d4b6fb36f2ba8d66bcc83cc92c240b7f79e7bf89f5792ceddac57311cf7f6b0eab5caacce14e1b1888a9f16285a5

Download Submit
memory/2012-56-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download