bbd9cad3edb88abc70723372b6dadfc356a6ce038cac7c729eee591ef6a7cdc4

Analysis

max time kernel
151s
max time network
106s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 10:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bbd9cad3edb88abc70723372b6dadfc356a6ce038cac7c729eee591ef6a7cdc4.exe
Size

128KB
MD5

a02a8691748b2c9d4723317a9bc77431
SHA1

4450428ee896a51b09e2f7be312bfa823943b449
SHA256

bbd9cad3edb88abc70723372b6dadfc356a6ce038cac7c729eee591ef6a7cdc4
SHA512

08f08d6fa753333b4be80d0c5f1a9e91d92423245edfb7bca781269610a66130fd690b27ec18329c31705709f05e96959a4f6347fea69e5ffb873b377ee74075
SSDEEP

3072:LOYyjGDDIeHbomqIQ7Dq7E0zQLQTAEYP0:LPIe7XqIAq7E0zQLgAEz

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bbd9cad3edb88abc70723372b6dadfc356a6ce038cac7c729eee591ef6a7cdc4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vieqal.exe

Executes dropped EXE 1 IoCs

pid	Process
1208	vieqal.exe

Loads dropped DLL 2 IoCs

pid	Process
1220	bbd9cad3edb88abc70723372b6dadfc356a6ce038cac7c729eee591ef6a7cdc4.exe
1220	bbd9cad3edb88abc70723372b6dadfc356a6ce038cac7c729eee591ef6a7cdc4.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /y"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /a"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /h"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /t"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /u"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /c"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /n"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /o"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /r"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /v"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /g"	vieqal.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	bbd9cad3edb88abc70723372b6dadfc356a6ce038cac7c729eee591ef6a7cdc4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /m"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /d"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /b"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /i"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /j"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /q"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /l"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /s"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /w"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /x"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /e"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /k"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /p"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /z"	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /j"	bbd9cad3edb88abc70723372b6dadfc356a6ce038cac7c729eee591ef6a7cdc4.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vieqal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vieqal = "C:\\Users\\Admin\\vieqal.exe /f"	vieqal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1220	bbd9cad3edb88abc70723372b6dadfc356a6ce038cac7c729eee591ef6a7cdc4.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe
1208	vieqal.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1220	bbd9cad3edb88abc70723372b6dadfc356a6ce038cac7c729eee591ef6a7cdc4.exe
1208	vieqal.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1208	1220	bbd9cad3edb88abc70723372b6dadfc356a6ce038cac7c729eee591ef6a7cdc4.exe	27
PID 1220 wrote to memory of 1208	1220	bbd9cad3edb88abc70723372b6dadfc356a6ce038cac7c729eee591ef6a7cdc4.exe	27
PID 1220 wrote to memory of 1208	1220	bbd9cad3edb88abc70723372b6dadfc356a6ce038cac7c729eee591ef6a7cdc4.exe	27
PID 1220 wrote to memory of 1208	1220	bbd9cad3edb88abc70723372b6dadfc356a6ce038cac7c729eee591ef6a7cdc4.exe	27

C:\Users\Admin\AppData\Local\Temp\bbd9cad3edb88abc70723372b6dadfc356a6ce038cac7c729eee591ef6a7cdc4.exe
"C:\Users\Admin\AppData\Local\Temp\bbd9cad3edb88abc70723372b6dadfc356a6ce038cac7c729eee591ef6a7cdc4.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\vieqal.exe
  "C:\Users\Admin\vieqal.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vieqal.exe

Filesize
128KB

MD5
25780341d71b32e8af9702df78de2049

SHA1
1b958c849de8cca82f9e2da234c3f0da4ef90639

SHA256
d8d0143f596442f71d8ce8b5fcb331c501570776739a4e1084f0df14fa92dfe7

SHA512
365d9c939eb0694b1155a9a45b5e851c615d88e33f8aba228edfb33c832639961586d31a720b719987c0b1ffd536dfe8cb2a037a1056b31a8e9133743f3b6f9c

Download Submit
C:\Users\Admin\vieqal.exe

Filesize
128KB

MD5
25780341d71b32e8af9702df78de2049

SHA1
1b958c849de8cca82f9e2da234c3f0da4ef90639

SHA256
d8d0143f596442f71d8ce8b5fcb331c501570776739a4e1084f0df14fa92dfe7

SHA512
365d9c939eb0694b1155a9a45b5e851c615d88e33f8aba228edfb33c832639961586d31a720b719987c0b1ffd536dfe8cb2a037a1056b31a8e9133743f3b6f9c

Download Submit
\Users\Admin\vieqal.exe

Filesize
128KB

MD5
25780341d71b32e8af9702df78de2049

SHA1
1b958c849de8cca82f9e2da234c3f0da4ef90639

SHA256
d8d0143f596442f71d8ce8b5fcb331c501570776739a4e1084f0df14fa92dfe7

SHA512
365d9c939eb0694b1155a9a45b5e851c615d88e33f8aba228edfb33c832639961586d31a720b719987c0b1ffd536dfe8cb2a037a1056b31a8e9133743f3b6f9c

Download Submit
\Users\Admin\vieqal.exe

Filesize
128KB

MD5
25780341d71b32e8af9702df78de2049

SHA1
1b958c849de8cca82f9e2da234c3f0da4ef90639

SHA256
d8d0143f596442f71d8ce8b5fcb331c501570776739a4e1084f0df14fa92dfe7

SHA512
365d9c939eb0694b1155a9a45b5e851c615d88e33f8aba228edfb33c832639961586d31a720b719987c0b1ffd536dfe8cb2a037a1056b31a8e9133743f3b6f9c

Download Submit
memory/1220-56-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download