e4221a3670c63dacb51d4278e0deb9d215de8a2bf75a4eebf80e6f88812d2791

Analysis

max time kernel
150s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4221a3670c63dacb51d4278e0deb9d215de8a2bf75a4eebf80e6f88812d2791.exe
Size

104KB
MD5

a32df0fa8ac7be1e0480ad2add916c60
SHA1

0fd2528ed651332c52cd26e643920785a68ffb94
SHA256

e4221a3670c63dacb51d4278e0deb9d215de8a2bf75a4eebf80e6f88812d2791
SHA512

a73893383cc76bad052ad3adce92543a4516afc509305ea60004774cdb1903c4dccc3ac786a8040e14ac50da8c52dcf15e00dc60e4a0cd7f03780334d91d6e8c
SSDEEP

1536:b1shvr9f8ieh6hC3KwTHlyHcw1rqVjSxakAyBGGcJ5J9r:GhTlZehWwTHlyHBQNSxWJ9r

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bouuq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e4221a3670c63dacb51d4278e0deb9d215de8a2bf75a4eebf80e6f88812d2791.exe

Executes dropped EXE 1 IoCs

pid	Process
556	bouuq.exe

Loads dropped DLL 2 IoCs

pid	Process
960	e4221a3670c63dacb51d4278e0deb9d215de8a2bf75a4eebf80e6f88812d2791.exe
960	e4221a3670c63dacb51d4278e0deb9d215de8a2bf75a4eebf80e6f88812d2791.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /j"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /q"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /h"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /i"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /p"	bouuq.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	e4221a3670c63dacb51d4278e0deb9d215de8a2bf75a4eebf80e6f88812d2791.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /z"	e4221a3670c63dacb51d4278e0deb9d215de8a2bf75a4eebf80e6f88812d2791.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /b"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /m"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /v"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /k"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /z"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /u"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /w"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /l"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /t"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /f"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /r"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /s"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /x"	bouuq.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /g"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /c"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /y"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /a"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /o"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /d"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /n"	bouuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\bouuq = "C:\\Users\\Admin\\bouuq.exe /e"	bouuq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
960	e4221a3670c63dacb51d4278e0deb9d215de8a2bf75a4eebf80e6f88812d2791.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe
556	bouuq.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
960	e4221a3670c63dacb51d4278e0deb9d215de8a2bf75a4eebf80e6f88812d2791.exe
556	bouuq.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 556	960	e4221a3670c63dacb51d4278e0deb9d215de8a2bf75a4eebf80e6f88812d2791.exe	27
PID 960 wrote to memory of 556	960	e4221a3670c63dacb51d4278e0deb9d215de8a2bf75a4eebf80e6f88812d2791.exe	27
PID 960 wrote to memory of 556	960	e4221a3670c63dacb51d4278e0deb9d215de8a2bf75a4eebf80e6f88812d2791.exe	27
PID 960 wrote to memory of 556	960	e4221a3670c63dacb51d4278e0deb9d215de8a2bf75a4eebf80e6f88812d2791.exe	27

C:\Users\Admin\AppData\Local\Temp\e4221a3670c63dacb51d4278e0deb9d215de8a2bf75a4eebf80e6f88812d2791.exe
"C:\Users\Admin\AppData\Local\Temp\e4221a3670c63dacb51d4278e0deb9d215de8a2bf75a4eebf80e6f88812d2791.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\bouuq.exe
  "C:\Users\Admin\bouuq.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\bouuq.exe

Filesize
104KB

MD5
50b1bbbd3bba959ce3f489998d9771e9

SHA1
a35a1a37991d1f305af2ba2fff28c49bab32de8a

SHA256
22a472092ff2988c88b1720173bbc119475ca5d5476022556325fa510d18e97c

SHA512
b6cd94c9323632dd7b167ac79d2eed8e88fa3e066110ebb079f2a4adc1fb255f79d2a653f602bc0359992daef4f795f31ebffeb178388dd38b3b0a066efdcf7f

Download Submit
C:\Users\Admin\bouuq.exe

Filesize
104KB

MD5
50b1bbbd3bba959ce3f489998d9771e9

SHA1
a35a1a37991d1f305af2ba2fff28c49bab32de8a

SHA256
22a472092ff2988c88b1720173bbc119475ca5d5476022556325fa510d18e97c

SHA512
b6cd94c9323632dd7b167ac79d2eed8e88fa3e066110ebb079f2a4adc1fb255f79d2a653f602bc0359992daef4f795f31ebffeb178388dd38b3b0a066efdcf7f

Download Submit
\Users\Admin\bouuq.exe

Filesize
104KB

MD5
50b1bbbd3bba959ce3f489998d9771e9

SHA1
a35a1a37991d1f305af2ba2fff28c49bab32de8a

SHA256
22a472092ff2988c88b1720173bbc119475ca5d5476022556325fa510d18e97c

SHA512
b6cd94c9323632dd7b167ac79d2eed8e88fa3e066110ebb079f2a4adc1fb255f79d2a653f602bc0359992daef4f795f31ebffeb178388dd38b3b0a066efdcf7f

Download Submit
\Users\Admin\bouuq.exe

Filesize
104KB

MD5
50b1bbbd3bba959ce3f489998d9771e9

SHA1
a35a1a37991d1f305af2ba2fff28c49bab32de8a

SHA256
22a472092ff2988c88b1720173bbc119475ca5d5476022556325fa510d18e97c

SHA512
b6cd94c9323632dd7b167ac79d2eed8e88fa3e066110ebb079f2a4adc1fb255f79d2a653f602bc0359992daef4f795f31ebffeb178388dd38b3b0a066efdcf7f

Download Submit
memory/960-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download