Analysis
max time kernel: 151s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29/10/2022, 23:57
Static task
static1
Behavioral task
behavioral1
Sample
c2aab49975484a5a045e1a7337156234b878b09266e223aede105f8250728eaa.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c2aab49975484a5a045e1a7337156234b878b09266e223aede105f8250728eaa.exe
Resource
win10v2004-20220812-en
General
Target: c2aab49975484a5a045e1a7337156234b878b09266e223aede105f8250728eaa.exe
Size: 212KB
MD5: 93bb09a1fafc1f6de28f1826258cf5a0
SHA1: bb1bb588d0ab78558e5b65f6a2a5b18ab2071e38
SHA256: c2aab49975484a5a045e1a7337156234b878b09266e223aede105f8250728eaa
SHA512: 3144371dffd9b85acc506b3e1f2193983a3bc49b003db5ac8b70240e59b7f272087dbbedb27f8df52e89aa6a6b0dc7e77ba91bff5733f3e2cbeffb386518777f
SSDEEP: 6144:UCKkFwzWQMO8J0bqihew3b7KvfCBnn78MDxG6oRKnvmb7/D26NhHmpfXJNRXV:LKkFwl8J0egew3bevfY78MDxG6oRKnvD
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by process c2aab49975484a5a045e1a7337156234b878b09266e223aede105f8250728eaa.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by process daefaoh.exe
Executes dropped EXE (1 IoC)
- PID 1792, process daefaoh.exe
Loads dropped DLL (2 IoCs)
- PID 1148, process c2aab49975484a5a045e1a7337156234b878b09266e223aede105f8250728eaa.exe
- PID 1148, process c2aab49975484a5a045e1a7337156234b878b09266e223aede105f8250728eaa.exe
Adds Run key to start application (2 TTPs, 54 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1148, process c2aab49975484a5a045e1a7337156234b878b09266e223aede105f8250728eaa.exe
- PID 1792, process daefaoh.exe (repeated for all remaining entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 1148, process c2aab49975484a5a045e1a7337156234b878b09266e223aede105f8250728eaa.exe
- PID 1792, process daefaoh.exe
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 1148 wrote to memory of 1792; process c2aab49975484a5a045e1a7337156234b878b09266e223aede105f8250728eaa.exe; procid_target 27 (four identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\c2aab49975484a5a045e1a7337156234b878b09266e223aede105f8250728eaa.exe, command line "C:\Users\Admin\AppData\Local\Temp\c2aab49975484a5a045e1a7337156234b878b09266e223aede105f8250728eaa.exe", PID 1148
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\daefaoh.exe, command line "C:\Users\Admin\daefaoh.exe", PID 1792
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 212KB
MD5: fc895045c7446c6d53c8629b3a8de9fc
SHA1: dc7f0147644b060509dc9aa5f041aa3d2a90a4de
SHA256: d7d1d708c5db4ec3aee9cf877eb36a221a466e6f95ccecf74162ab7b9287e8ce
SHA512: 7196a21a779ab0a7d2c720dc4cb2a1adf4eea4ac000a7772ade0628ed34432435cb35db97d04888c0b88749af7965ed20446dbffe438744b2e5ad34585145e8e