eca3858443297fda6dc124edd142916813a372390715b52182b91ccda5aec87c

Analysis

max time kernel
150s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eca3858443297fda6dc124edd142916813a372390715b52182b91ccda5aec87c.exe
Size

100KB
MD5

925b91661d2fa7922a1320f1ea659de1
SHA1

06dcbaca995e1db0de92afb654121068a519eff2
SHA256

eca3858443297fda6dc124edd142916813a372390715b52182b91ccda5aec87c
SHA512

2aa5fedeb52b7c8caff7a6e3a687a73a23ec1e901e9eddaac346b211a677ebef4d47fddc9ad8a2122280e8f86f05d77ab7c56bd9b4bd53f052aa24c861615e63
SSDEEP

1536:1bY8iAuismyws8iLw0wF9MGM9K/oKtNgCMbA1bL3N+NM5UfaNIjnZmb:Cd/KLOM5pCnYb

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	sooed.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	eca3858443297fda6dc124edd142916813a372390715b52182b91ccda5aec87c.exe

Executes dropped EXE 1 IoCs

pid	Process
3424	sooed.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	eca3858443297fda6dc124edd142916813a372390715b52182b91ccda5aec87c.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /X"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /g"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /G"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /x"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /s"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /n"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /A"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /h"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /z"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /C"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /b"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /i"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /O"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /P"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /a"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /V"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /N"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /E"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /w"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /M"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /y"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /j"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /t"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /S"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /r"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /B"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /Y"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /k"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /l"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /c"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /v"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /I"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /u"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /K"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /T"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /S"	eca3858443297fda6dc124edd142916813a372390715b52182b91ccda5aec87c.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /Z"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /Q"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /J"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /e"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /p"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /d"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /D"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /W"	sooed.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	eca3858443297fda6dc124edd142916813a372390715b52182b91ccda5aec87c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /f"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /R"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /q"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /L"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /H"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /U"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /F"	sooed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sooed = "C:\\Users\\Admin\\sooed.exe /o"	sooed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1776	eca3858443297fda6dc124edd142916813a372390715b52182b91ccda5aec87c.exe
1776	eca3858443297fda6dc124edd142916813a372390715b52182b91ccda5aec87c.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe
3424	sooed.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1776	eca3858443297fda6dc124edd142916813a372390715b52182b91ccda5aec87c.exe
3424	sooed.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 3424	1776	eca3858443297fda6dc124edd142916813a372390715b52182b91ccda5aec87c.exe	83
PID 1776 wrote to memory of 3424	1776	eca3858443297fda6dc124edd142916813a372390715b52182b91ccda5aec87c.exe	83
PID 1776 wrote to memory of 3424	1776	eca3858443297fda6dc124edd142916813a372390715b52182b91ccda5aec87c.exe	83

C:\Users\Admin\AppData\Local\Temp\eca3858443297fda6dc124edd142916813a372390715b52182b91ccda5aec87c.exe
"C:\Users\Admin\AppData\Local\Temp\eca3858443297fda6dc124edd142916813a372390715b52182b91ccda5aec87c.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\sooed.exe
  "C:\Users\Admin\sooed.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\sooed.exe

Filesize
100KB

MD5
babb30dbdd23234cfb8e0ccdbeb4ed0a

SHA1
d9a7217e8d2c293ff88aa6eb375a6ccad9266bf3

SHA256
33149217182b3597ab3a350008ca9a4c7ab061d9794958b83806cd46556e57ae

SHA512
15b16f7ef651f6e31164a4e2f236cbbfcb1a40e40a569fd5ddedcee28cfd8a955d97279b694eceb9eccd4e944cbe7a863020de5d5d3c3f74db2b24e79d421c0d

Download Submit
C:\Users\Admin\sooed.exe

Filesize
100KB

MD5
babb30dbdd23234cfb8e0ccdbeb4ed0a

SHA1
d9a7217e8d2c293ff88aa6eb375a6ccad9266bf3

SHA256
33149217182b3597ab3a350008ca9a4c7ab061d9794958b83806cd46556e57ae

SHA512
15b16f7ef651f6e31164a4e2f236cbbfcb1a40e40a569fd5ddedcee28cfd8a955d97279b694eceb9eccd4e944cbe7a863020de5d5d3c3f74db2b24e79d421c0d

Download Submit