a114b5d66ed374216e50ff20644dd019871e8caa2d4a18a9f61c91fc4c2b1a0b

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a114b5d66ed374216e50ff20644dd019871e8caa2d4a18a9f61c91fc4c2b1a0b.exe
Size

196KB
MD5

93aec714e00f2aec35d5918f99a96e42
SHA1

53e977d960b5976ca69649f834e733e1e6bff1d2
SHA256

a114b5d66ed374216e50ff20644dd019871e8caa2d4a18a9f61c91fc4c2b1a0b
SHA512

df457844a6320b36c285821eb17df8c1a88c08c813e83831b53448a3231365762c2dc0be7afe4b840f514690841f6c1b76d65c662f71011f1eb3e76af6f7f0a9
SSDEEP

6144:t3ayGHLLU6Pr7FXlbWc3PuV/rvGXUf39GZjJ21OhCJiviq2YWDppF7eP:t3+Pr7FXlbWc3PuV/r+XUf39GZjJ21Or

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a114b5d66ed374216e50ff20644dd019871e8caa2d4a18a9f61c91fc4c2b1a0b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vuayi.exe

Executes dropped EXE 1 IoCs

pid	Process
1708	vuayi.exe

Loads dropped DLL 2 IoCs

pid	Process
852	a114b5d66ed374216e50ff20644dd019871e8caa2d4a18a9f61c91fc4c2b1a0b.exe
852	a114b5d66ed374216e50ff20644dd019871e8caa2d4a18a9f61c91fc4c2b1a0b.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /k"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /z"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /N"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /j"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /x"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /s"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /C"	vuayi.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /e"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /p"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /B"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /d"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /n"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /b"	a114b5d66ed374216e50ff20644dd019871e8caa2d4a18a9f61c91fc4c2b1a0b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /b"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /r"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /H"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /S"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /o"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /V"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /a"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /Y"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /q"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /m"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /D"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /K"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /f"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /Q"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /w"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /i"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /g"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /L"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /X"	vuayi.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	a114b5d66ed374216e50ff20644dd019871e8caa2d4a18a9f61c91fc4c2b1a0b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /M"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /t"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /W"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /O"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /A"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /c"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /F"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /R"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /J"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /v"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /T"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /G"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /u"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /y"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /E"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /h"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /P"	vuayi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuayi = "C:\\Users\\Admin\\vuayi.exe /l"	vuayi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
852	a114b5d66ed374216e50ff20644dd019871e8caa2d4a18a9f61c91fc4c2b1a0b.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe
1708	vuayi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
852	a114b5d66ed374216e50ff20644dd019871e8caa2d4a18a9f61c91fc4c2b1a0b.exe
1708	vuayi.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1708	852	a114b5d66ed374216e50ff20644dd019871e8caa2d4a18a9f61c91fc4c2b1a0b.exe	27
PID 852 wrote to memory of 1708	852	a114b5d66ed374216e50ff20644dd019871e8caa2d4a18a9f61c91fc4c2b1a0b.exe	27
PID 852 wrote to memory of 1708	852	a114b5d66ed374216e50ff20644dd019871e8caa2d4a18a9f61c91fc4c2b1a0b.exe	27
PID 852 wrote to memory of 1708	852	a114b5d66ed374216e50ff20644dd019871e8caa2d4a18a9f61c91fc4c2b1a0b.exe	27

C:\Users\Admin\AppData\Local\Temp\a114b5d66ed374216e50ff20644dd019871e8caa2d4a18a9f61c91fc4c2b1a0b.exe
"C:\Users\Admin\AppData\Local\Temp\a114b5d66ed374216e50ff20644dd019871e8caa2d4a18a9f61c91fc4c2b1a0b.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\vuayi.exe
  "C:\Users\Admin\vuayi.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vuayi.exe

Filesize
196KB

MD5
66f6507f3514ea211d95e90d3e772af1

SHA1
a9ecd74fe05ddbf681baf8a17bfb399dc62fbe09

SHA256
f22134a54b5cdce657816f5e2aec447c63ffca4a2c6898845d8dc133f0dde1cb

SHA512
2e2ca97a69e68f27878007e734f03d0828303ef3faadadc6207ee72d2fa14edb9b17abfaf992098f65ecc74e61ecf0ad839fe25e731ffe2758ea2e452db00332

Download Submit
C:\Users\Admin\vuayi.exe

Filesize
196KB

MD5
66f6507f3514ea211d95e90d3e772af1

SHA1
a9ecd74fe05ddbf681baf8a17bfb399dc62fbe09

SHA256
f22134a54b5cdce657816f5e2aec447c63ffca4a2c6898845d8dc133f0dde1cb

SHA512
2e2ca97a69e68f27878007e734f03d0828303ef3faadadc6207ee72d2fa14edb9b17abfaf992098f65ecc74e61ecf0ad839fe25e731ffe2758ea2e452db00332

Download Submit
\Users\Admin\vuayi.exe

Filesize
196KB

MD5
66f6507f3514ea211d95e90d3e772af1

SHA1
a9ecd74fe05ddbf681baf8a17bfb399dc62fbe09

SHA256
f22134a54b5cdce657816f5e2aec447c63ffca4a2c6898845d8dc133f0dde1cb

SHA512
2e2ca97a69e68f27878007e734f03d0828303ef3faadadc6207ee72d2fa14edb9b17abfaf992098f65ecc74e61ecf0ad839fe25e731ffe2758ea2e452db00332

Download Submit
\Users\Admin\vuayi.exe

Filesize
196KB

MD5
66f6507f3514ea211d95e90d3e772af1

SHA1
a9ecd74fe05ddbf681baf8a17bfb399dc62fbe09

SHA256
f22134a54b5cdce657816f5e2aec447c63ffca4a2c6898845d8dc133f0dde1cb

SHA512
2e2ca97a69e68f27878007e734f03d0828303ef3faadadc6207ee72d2fa14edb9b17abfaf992098f65ecc74e61ecf0ad839fe25e731ffe2758ea2e452db00332

Download Submit
memory/852-56-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download