7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8

Analysis

max time kernel
156s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2022 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe
Size

390KB
MD5

4529fecf664706a64c26f877cb00fa42
SHA1

8275776b9ea9bb6b29d34fe083d7295b824a19aa
SHA256

7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8
SHA512

2928b8b04fd33e3beb25807f0fc4b9c2f72d955b3bce7d300c001ff4b859bb2fe75e47d17c2ea3e060b3f8cd6d77d46b699339d10508bad6dbf534666114f0d9
SSDEEP

6144:LoJNVPEqg/pAtAhGmwdQ/Qvx5BIxhYBDmow3MBjknT/Ls/VhddiglZXT:LEVPKpmAhJe20x5GwBSoQodT4q

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	gsSL32G1g4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	juoerer.exe

Executes dropped EXE 3 IoCs

pid	Process
3912	gsSL32G1g4.exe
1820	awhost.exe
3624	juoerer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	gsSL32G1g4.exe

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /u"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /n"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /T"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /S"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /Y"	juoerer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /r"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /M"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /D"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /P"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /v"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /s"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /d"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /J"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /x"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /A"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /F"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /Z"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /p"	juoerer.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	gsSL32G1g4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /v"	gsSL32G1g4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /w"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /W"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /Q"	juoerer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juoerer = "C:\\Users\\Admin\\juoerer.exe /L"	juoerer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4872 set thread context of 1252	4872	7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2516	1820	WerFault.exe	92
3304	1820	WerFault.exe	92

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2568	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3912	gsSL32G1g4.exe
3912	gsSL32G1g4.exe
3912	gsSL32G1g4.exe
3912	gsSL32G1g4.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe
3624	juoerer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	tasklist.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1252	7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe
3912	gsSL32G1g4.exe
3624	juoerer.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 1252	4872	7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe	86
PID 4872 wrote to memory of 1252	4872	7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe	86
PID 4872 wrote to memory of 1252	4872	7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe	86
PID 4872 wrote to memory of 1252	4872	7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe	86
PID 4872 wrote to memory of 1252	4872	7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe	86
PID 4872 wrote to memory of 1252	4872	7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe	86
PID 4872 wrote to memory of 1252	4872	7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe	86
PID 4872 wrote to memory of 1252	4872	7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe	86
PID 1252 wrote to memory of 3912	1252	7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe	89
PID 1252 wrote to memory of 3912	1252	7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe	89
PID 1252 wrote to memory of 3912	1252	7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe	89
PID 1252 wrote to memory of 1820	1252	7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe	92
PID 1252 wrote to memory of 1820	1252	7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe	92
PID 1252 wrote to memory of 1820	1252	7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe	92
PID 3912 wrote to memory of 3624	3912	gsSL32G1g4.exe	95
PID 3912 wrote to memory of 3624	3912	gsSL32G1g4.exe	95
PID 3912 wrote to memory of 3624	3912	gsSL32G1g4.exe	95
PID 3912 wrote to memory of 1736	3912	gsSL32G1g4.exe	98
PID 3912 wrote to memory of 1736	3912	gsSL32G1g4.exe	98
PID 3912 wrote to memory of 1736	3912	gsSL32G1g4.exe	98
PID 1736 wrote to memory of 2568	1736	cmd.exe	100
PID 1736 wrote to memory of 2568	1736	cmd.exe	100
PID 1736 wrote to memory of 2568	1736	cmd.exe	100
PID 1820 wrote to memory of 2516	1820	awhost.exe	101
PID 1820 wrote to memory of 2516	1820	awhost.exe	101
PID 1820 wrote to memory of 2516	1820	awhost.exe	101
PID 3624 wrote to memory of 2568	3624	juoerer.exe	100
PID 3624 wrote to memory of 2568	3624	juoerer.exe	100
PID 3624 wrote to memory of 2568	3624	juoerer.exe	100
PID 3624 wrote to memory of 2568	3624	juoerer.exe	100
PID 3624 wrote to memory of 2568	3624	juoerer.exe	100
PID 3624 wrote to memory of 2568	3624	juoerer.exe	100
PID 3624 wrote to memory of 2568	3624	juoerer.exe	100
PID 3624 wrote to memory of 2568	3624	juoerer.exe	100

C:\Users\Admin\AppData\Local\Temp\7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe
"C:\Users\Admin\AppData\Local\Temp\7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\AppData\Local\Temp\7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe
  7b0ce96021abcef8f0e3ba3ecd43618c7033025513b81ea8bf39e2cefaf0cce8.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\gsSL32G1g4.exe
    C:\Users\Admin\gsSL32G1g4.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Users\Admin\juoerer.exe
      "C:\Users\Admin\juoerer.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3624
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del gsSL32G1g4.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
- - C:\Users\Admin\awhost.exe
    C:\Users\Admin\awhost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 420
      4⤵
      Program crash
      PID:2516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 420
      4⤵
      Program crash
      PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1820 -ip 1820
1⤵
PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\awhost.exe

Filesize
147KB

MD5
c1f93ef271b9b62ba07e68c653e19a52

SHA1
92844479d30e93c8b3136d898322809c9e72df2b

SHA256
c109fe9a2bd01b52b0281b9ad5cc8b7a0e79beaee86fcbd86dab49649c8e249e

SHA512
196224afe15ab4782bfa805b0ea98c66065e935f4a17ba0b42f9db7bd6108454e58f2145ee75525b0e587f303ff9f0a46b28eb3c8414b68fb531085b305d1e30

Download Submit
C:\Users\Admin\awhost.exe

Filesize
147KB

MD5
c1f93ef271b9b62ba07e68c653e19a52

SHA1
92844479d30e93c8b3136d898322809c9e72df2b

SHA256
c109fe9a2bd01b52b0281b9ad5cc8b7a0e79beaee86fcbd86dab49649c8e249e

SHA512
196224afe15ab4782bfa805b0ea98c66065e935f4a17ba0b42f9db7bd6108454e58f2145ee75525b0e587f303ff9f0a46b28eb3c8414b68fb531085b305d1e30

Download Submit
C:\Users\Admin\gsSL32G1g4.exe

Filesize
156KB

MD5
38222ccc41836dee63bf60b5511575dd

SHA1
a60e47ef0f8979ecc9ef11a2e446003b52e0e1a1

SHA256
6cc93c8c02fdb2f11a9290049aadf87f30521a14b715da3a9b78362be2eb5c96

SHA512
c8447f42b4c63f879b266fa068ced3bef2505c522dfea16d800a7d476cdc2ae8eff022b441c0f003293088bb22d43c4d8bf0ee753604644f4e5d80ee809054aa

Download Submit
C:\Users\Admin\gsSL32G1g4.exe

Filesize
156KB

MD5
38222ccc41836dee63bf60b5511575dd

SHA1
a60e47ef0f8979ecc9ef11a2e446003b52e0e1a1

SHA256
6cc93c8c02fdb2f11a9290049aadf87f30521a14b715da3a9b78362be2eb5c96

SHA512
c8447f42b4c63f879b266fa068ced3bef2505c522dfea16d800a7d476cdc2ae8eff022b441c0f003293088bb22d43c4d8bf0ee753604644f4e5d80ee809054aa

Download Submit
C:\Users\Admin\juoerer.exe

Filesize
156KB

MD5
e665b67d4cb2b8567770603df2377ef9

SHA1
10412b22f6bbcceff9ecfbd2b61935bad4ee55e3

SHA256
c23298d01f9fa2cc0b5399dfa42a958a65dcf5de46d32a220fec37733f54d5f9

SHA512
8813a75da69e16b269aac2191f495ecc93bb33d50067ced3e9273745ef46ca9f6200cd381f54df748ebd90e8b68fb158855c26021c772551068ec7af22adfa81

Download Submit
C:\Users\Admin\juoerer.exe

Filesize
156KB

MD5
e665b67d4cb2b8567770603df2377ef9

SHA1
10412b22f6bbcceff9ecfbd2b61935bad4ee55e3

SHA256
c23298d01f9fa2cc0b5399dfa42a958a65dcf5de46d32a220fec37733f54d5f9

SHA512
8813a75da69e16b269aac2191f495ecc93bb33d50067ced3e9273745ef46ca9f6200cd381f54df748ebd90e8b68fb158855c26021c772551068ec7af22adfa81

Download Submit
memory/1252-137-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1252-135-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/1252-133-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download