0c9d69c42c534fc77e197912dc7b88d9de77910e0801bc61d141cb9a815e3510

Analysis

max time kernel
151s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c9d69c42c534fc77e197912dc7b88d9de77910e0801bc61d141cb9a815e3510.exe
Size

128KB
MD5

80d59582c57d8d15a0e21d32efd94883
SHA1

2fc940e5f34c361fa552ceec881f88c9aa073424
SHA256

0c9d69c42c534fc77e197912dc7b88d9de77910e0801bc61d141cb9a815e3510
SHA512

9b4563d4da399d0be48b0c65f8b98ec23e2ae1fbe9c34ef660051ae073b44c087bc30512e307384c1ada272fc215b5be294716c8fffd0acd9b368117a8cee130
SSDEEP

3072:lijow2W0SzpLS3y4CpCfCGCCOCwC9CvCFCfCLCvCUCLC2FInROUSRSGSuSQSmSNQ:Ro0SdG3yGFInRO

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	voeey.exe

Executes dropped EXE 1 IoCs

pid	Process
1352	voeey.exe

Loads dropped DLL 2 IoCs

pid	Process
1388	0c9d69c42c534fc77e197912dc7b88d9de77910e0801bc61d141cb9a815e3510.exe
1388	0c9d69c42c534fc77e197912dc7b88d9de77910e0801bc61d141cb9a815e3510.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	voeey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeey = "C:\\Users\\Admin\\voeey.exe"	voeey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe
1352	voeey.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1388	0c9d69c42c534fc77e197912dc7b88d9de77910e0801bc61d141cb9a815e3510.exe
1352	voeey.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1352	1388	0c9d69c42c534fc77e197912dc7b88d9de77910e0801bc61d141cb9a815e3510.exe	26
PID 1388 wrote to memory of 1352	1388	0c9d69c42c534fc77e197912dc7b88d9de77910e0801bc61d141cb9a815e3510.exe	26
PID 1388 wrote to memory of 1352	1388	0c9d69c42c534fc77e197912dc7b88d9de77910e0801bc61d141cb9a815e3510.exe	26
PID 1388 wrote to memory of 1352	1388	0c9d69c42c534fc77e197912dc7b88d9de77910e0801bc61d141cb9a815e3510.exe	26
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25
PID 1352 wrote to memory of 1388	1352	voeey.exe	25

C:\Users\Admin\AppData\Local\Temp\0c9d69c42c534fc77e197912dc7b88d9de77910e0801bc61d141cb9a815e3510.exe
"C:\Users\Admin\AppData\Local\Temp\0c9d69c42c534fc77e197912dc7b88d9de77910e0801bc61d141cb9a815e3510.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\voeey.exe
  "C:\Users\Admin\voeey.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\voeey.exe

Filesize
128KB

MD5
37d223658abdb1ff73d0f5d9c065459f

SHA1
55b0e6735cba65e5fef0799541f61e42676d3de3

SHA256
d9282e7ef8ea73681530fe82faedeea3ba972517b6deca9eced9b97a58317eaf

SHA512
7afa08ec2afedeb0559a2da283c185416188bef0f6491ab70ea1912b6e61dc0abe708ace7d9ca5a35d02c5b7274e1e66ec5382178efe498047ba0671d94f71e8

Download Submit
C:\Users\Admin\voeey.exe

Filesize
128KB

MD5
37d223658abdb1ff73d0f5d9c065459f

SHA1
55b0e6735cba65e5fef0799541f61e42676d3de3

SHA256
d9282e7ef8ea73681530fe82faedeea3ba972517b6deca9eced9b97a58317eaf

SHA512
7afa08ec2afedeb0559a2da283c185416188bef0f6491ab70ea1912b6e61dc0abe708ace7d9ca5a35d02c5b7274e1e66ec5382178efe498047ba0671d94f71e8

Download Submit
\Users\Admin\voeey.exe

Filesize
128KB

MD5
37d223658abdb1ff73d0f5d9c065459f

SHA1
55b0e6735cba65e5fef0799541f61e42676d3de3

SHA256
d9282e7ef8ea73681530fe82faedeea3ba972517b6deca9eced9b97a58317eaf

SHA512
7afa08ec2afedeb0559a2da283c185416188bef0f6491ab70ea1912b6e61dc0abe708ace7d9ca5a35d02c5b7274e1e66ec5382178efe498047ba0671d94f71e8

Download Submit
\Users\Admin\voeey.exe

Filesize
128KB

MD5
37d223658abdb1ff73d0f5d9c065459f

SHA1
55b0e6735cba65e5fef0799541f61e42676d3de3

SHA256
d9282e7ef8ea73681530fe82faedeea3ba972517b6deca9eced9b97a58317eaf

SHA512
7afa08ec2afedeb0559a2da283c185416188bef0f6491ab70ea1912b6e61dc0abe708ace7d9ca5a35d02c5b7274e1e66ec5382178efe498047ba0671d94f71e8

Download Submit
memory/1388-56-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download