e6c2176d3ee5917143173c90556486ff44d1e50f803701ea5e33189a268626e6

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6c2176d3ee5917143173c90556486ff44d1e50f803701ea5e33189a268626e6.exe
Size

80KB
MD5

a027aaadff99a8b4c2d7a0d6b5ac36dd
SHA1

dd228f5b88d30876b0d5163656b12cb22682dda5
SHA256

e6c2176d3ee5917143173c90556486ff44d1e50f803701ea5e33189a268626e6
SHA512

18633eac8e7962186b2d74fa9d659bd2a0186e01c14e0461aee0652df5829050d78a93df4edc6907533c1d16431bef45a20fe298ae73e0422a97b9277e28f5f3
SSDEEP

1536:4fduVU67gccYy53JDAAZpW4oYkguWe3i6E27:OdQU67h7

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e6c2176d3ee5917143173c90556486ff44d1e50f803701ea5e33189a268626e6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	toeeyub.exe

Executes dropped EXE 1 IoCs

pid	Process
1296	toeeyub.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	e6c2176d3ee5917143173c90556486ff44d1e50f803701ea5e33189a268626e6.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /z"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /o"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /q"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /e"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /f"	toeeyub.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /h"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /x"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /g"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /d"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /s"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /i"	toeeyub.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	e6c2176d3ee5917143173c90556486ff44d1e50f803701ea5e33189a268626e6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /a"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /r"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /w"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /m"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /k"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /j"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /y"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /v"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /r"	e6c2176d3ee5917143173c90556486ff44d1e50f803701ea5e33189a268626e6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /c"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /t"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /u"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /l"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /p"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /n"	toeeyub.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toeeyub = "C:\\Users\\Admin\\toeeyub.exe /b"	toeeyub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4844	e6c2176d3ee5917143173c90556486ff44d1e50f803701ea5e33189a268626e6.exe
4844	e6c2176d3ee5917143173c90556486ff44d1e50f803701ea5e33189a268626e6.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe
1296	toeeyub.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4844	e6c2176d3ee5917143173c90556486ff44d1e50f803701ea5e33189a268626e6.exe
1296	toeeyub.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 1296	4844	e6c2176d3ee5917143173c90556486ff44d1e50f803701ea5e33189a268626e6.exe	83
PID 4844 wrote to memory of 1296	4844	e6c2176d3ee5917143173c90556486ff44d1e50f803701ea5e33189a268626e6.exe	83
PID 4844 wrote to memory of 1296	4844	e6c2176d3ee5917143173c90556486ff44d1e50f803701ea5e33189a268626e6.exe	83

C:\Users\Admin\AppData\Local\Temp\e6c2176d3ee5917143173c90556486ff44d1e50f803701ea5e33189a268626e6.exe
"C:\Users\Admin\AppData\Local\Temp\e6c2176d3ee5917143173c90556486ff44d1e50f803701ea5e33189a268626e6.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Users\Admin\toeeyub.exe
  "C:\Users\Admin\toeeyub.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\toeeyub.exe

Filesize
80KB

MD5
ea1253b9b09a59e65c56dbb11d851cb8

SHA1
f9906a9ede59d42564212707f8e8d8782e04f1bb

SHA256
9949426999402290cbb444b2f1fe7b2f50f0a836a1e3d41e9f7e9a3c6af5fce8

SHA512
882a327e19f7d66b278b1f2f59f1d83e96d513e32b5b863db3744bed5282e09d6970ea115bcdfa99d97b03c80d7942c7d27d10baa13edcdda7d3a2b246319f56

Download Submit
C:\Users\Admin\toeeyub.exe

Filesize
80KB

MD5
ea1253b9b09a59e65c56dbb11d851cb8

SHA1
f9906a9ede59d42564212707f8e8d8782e04f1bb

SHA256
9949426999402290cbb444b2f1fe7b2f50f0a836a1e3d41e9f7e9a3c6af5fce8

SHA512
882a327e19f7d66b278b1f2f59f1d83e96d513e32b5b863db3744bed5282e09d6970ea115bcdfa99d97b03c80d7942c7d27d10baa13edcdda7d3a2b246319f56

Download Submit