5b51d0345826404ee1361892689409975a2af2b71d8ab348b1f84a14127da9da

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 02:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b51d0345826404ee1361892689409975a2af2b71d8ab348b1f84a14127da9da.exe
Size

84KB
MD5

7617ddfba7a110bb5820e2508cfdd7f2
SHA1

02d6908fa28be4fafb9aea3bde66bf8d36a066f3
SHA256

5b51d0345826404ee1361892689409975a2af2b71d8ab348b1f84a14127da9da
SHA512

57f78d04109301467be891c43abc0e5f32f20f8918d421ab7d4342f6763b1a4b8c217e95066ebc1acd86ee5c00d60d0e47c59a2a2288bbedcfb491e40af44eb5
SSDEEP

1536:osedgu+16Lti8n42APNR2dcScLcPcxeTanuUHWOms3xxNMq39gk34iS5v:Fe4PNEdcScLcPcfnuS0hv

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	5b51d0345826404ee1361892689409975a2af2b71d8ab348b1f84a14127da9da.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bouiku.exe

Executes dropped EXE 1 IoCs

pid	Process
1320	bouiku.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5b51d0345826404ee1361892689409975a2af2b71d8ab348b1f84a14127da9da.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /j"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /j"	5b51d0345826404ee1361892689409975a2af2b71d8ab348b1f84a14127da9da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /z"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /i"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /p"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /w"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /d"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /h"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /a"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /b"	bouiku.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	5b51d0345826404ee1361892689409975a2af2b71d8ab348b1f84a14127da9da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /o"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /n"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /s"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /r"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /g"	bouiku.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /v"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /l"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /y"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /u"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /x"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /t"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /e"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /m"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /q"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /c"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /k"	bouiku.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bouiku = "C:\\Users\\Admin\\bouiku.exe /f"	bouiku.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4760	5b51d0345826404ee1361892689409975a2af2b71d8ab348b1f84a14127da9da.exe
4760	5b51d0345826404ee1361892689409975a2af2b71d8ab348b1f84a14127da9da.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe
1320	bouiku.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4760	5b51d0345826404ee1361892689409975a2af2b71d8ab348b1f84a14127da9da.exe
1320	bouiku.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 1320	4760	5b51d0345826404ee1361892689409975a2af2b71d8ab348b1f84a14127da9da.exe	83
PID 4760 wrote to memory of 1320	4760	5b51d0345826404ee1361892689409975a2af2b71d8ab348b1f84a14127da9da.exe	83
PID 4760 wrote to memory of 1320	4760	5b51d0345826404ee1361892689409975a2af2b71d8ab348b1f84a14127da9da.exe	83

C:\Users\Admin\AppData\Local\Temp\5b51d0345826404ee1361892689409975a2af2b71d8ab348b1f84a14127da9da.exe
"C:\Users\Admin\AppData\Local\Temp\5b51d0345826404ee1361892689409975a2af2b71d8ab348b1f84a14127da9da.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\bouiku.exe
  "C:\Users\Admin\bouiku.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\bouiku.exe

Filesize
84KB

MD5
d76e6075671c8714f85976a1aafdfbc2

SHA1
57e3dd516e0dd834f06599d5a5b13e2c73d60c9e

SHA256
df57675bf074e69246424a3d079826d2f1c94155e2e00da2062a8089334c0202

SHA512
490d82f478831e5dd2623ec0110501994a730674ee1be39c5c0b90a862d7752ffc77bd203883e61953c728ff1d7fcd6bbe978c4d050aaa18833ffed7e6cfc262

Download Submit
C:\Users\Admin\bouiku.exe

Filesize
84KB

MD5
d76e6075671c8714f85976a1aafdfbc2

SHA1
57e3dd516e0dd834f06599d5a5b13e2c73d60c9e

SHA256
df57675bf074e69246424a3d079826d2f1c94155e2e00da2062a8089334c0202

SHA512
490d82f478831e5dd2623ec0110501994a730674ee1be39c5c0b90a862d7752ffc77bd203883e61953c728ff1d7fcd6bbe978c4d050aaa18833ffed7e6cfc262

Download Submit