d005fa42e2626ef38b5414845a10a53fe946605206321e4a64e6a9ba13771332

Analysis

max time kernel
152s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d005fa42e2626ef38b5414845a10a53fe946605206321e4a64e6a9ba13771332.exe
Size

232KB
MD5

0edcff3ea8dd37080e1f56cf56a7e3cc
SHA1

dbfbbc90433539738c320eb9b745bcb31624bf6e
SHA256

d005fa42e2626ef38b5414845a10a53fe946605206321e4a64e6a9ba13771332
SHA512

414146740e6049a749ecd3df4820ad1a15efc6dd891815579ec0f44ef4040bc90e471c047814d6bb47a9fbbfc6a37fe4c0f2ac2e544b2bacd0d05df4dab9a2e3
SSDEEP

6144:T83PFKs78g2KyEOaWEqxF6snji81RUinKdNOA1:yPh+mFf

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d005fa42e2626ef38b5414845a10a53fe946605206321e4a64e6a9ba13771332.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	douut.exe

Executes dropped EXE 1 IoCs

pid	Process
1728	douut.exe

Loads dropped DLL 2 IoCs

pid	Process
368	d005fa42e2626ef38b5414845a10a53fe946605206321e4a64e6a9ba13771332.exe
368	d005fa42e2626ef38b5414845a10a53fe946605206321e4a64e6a9ba13771332.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /x"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /b"	douut.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	d005fa42e2626ef38b5414845a10a53fe946605206321e4a64e6a9ba13771332.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /i"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /n"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /j"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /a"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /v"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /h"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /q"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /d"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /p"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /j"	d005fa42e2626ef38b5414845a10a53fe946605206321e4a64e6a9ba13771332.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /l"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /y"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /z"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /k"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /o"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /m"	douut.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /w"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /r"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /g"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /c"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /f"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /s"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /e"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /t"	douut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\douut = "C:\\Users\\Admin\\douut.exe /u"	douut.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
368	d005fa42e2626ef38b5414845a10a53fe946605206321e4a64e6a9ba13771332.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe
1728	douut.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
368	d005fa42e2626ef38b5414845a10a53fe946605206321e4a64e6a9ba13771332.exe
1728	douut.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1728	368	d005fa42e2626ef38b5414845a10a53fe946605206321e4a64e6a9ba13771332.exe	27
PID 368 wrote to memory of 1728	368	d005fa42e2626ef38b5414845a10a53fe946605206321e4a64e6a9ba13771332.exe	27
PID 368 wrote to memory of 1728	368	d005fa42e2626ef38b5414845a10a53fe946605206321e4a64e6a9ba13771332.exe	27
PID 368 wrote to memory of 1728	368	d005fa42e2626ef38b5414845a10a53fe946605206321e4a64e6a9ba13771332.exe	27

C:\Users\Admin\AppData\Local\Temp\d005fa42e2626ef38b5414845a10a53fe946605206321e4a64e6a9ba13771332.exe
"C:\Users\Admin\AppData\Local\Temp\d005fa42e2626ef38b5414845a10a53fe946605206321e4a64e6a9ba13771332.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368
- C:\Users\Admin\douut.exe
  "C:\Users\Admin\douut.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\douut.exe

Filesize
232KB

MD5
c11c6359f8388ffd397cae8f4744489c

SHA1
a151f017c9cf61822fdd09ae8f41a541510a99b4

SHA256
474a12e1eb3144c74a0d5add26125ac02a6677bbdb3f55f1cde8d4767ed9b6ae

SHA512
0754131c199f3108c10dbadc82922bf680438f07e280cd1d2403c627d255fafae1edc6564f1fd3a07663f170eaa8a6e13561ccc11027e985e3b69b512793790e

Download Submit
C:\Users\Admin\douut.exe

Filesize
232KB

MD5
c11c6359f8388ffd397cae8f4744489c

SHA1
a151f017c9cf61822fdd09ae8f41a541510a99b4

SHA256
474a12e1eb3144c74a0d5add26125ac02a6677bbdb3f55f1cde8d4767ed9b6ae

SHA512
0754131c199f3108c10dbadc82922bf680438f07e280cd1d2403c627d255fafae1edc6564f1fd3a07663f170eaa8a6e13561ccc11027e985e3b69b512793790e

Download Submit
\Users\Admin\douut.exe

Filesize
232KB

MD5
c11c6359f8388ffd397cae8f4744489c

SHA1
a151f017c9cf61822fdd09ae8f41a541510a99b4

SHA256
474a12e1eb3144c74a0d5add26125ac02a6677bbdb3f55f1cde8d4767ed9b6ae

SHA512
0754131c199f3108c10dbadc82922bf680438f07e280cd1d2403c627d255fafae1edc6564f1fd3a07663f170eaa8a6e13561ccc11027e985e3b69b512793790e

Download Submit
\Users\Admin\douut.exe

Filesize
232KB

MD5
c11c6359f8388ffd397cae8f4744489c

SHA1
a151f017c9cf61822fdd09ae8f41a541510a99b4

SHA256
474a12e1eb3144c74a0d5add26125ac02a6677bbdb3f55f1cde8d4767ed9b6ae

SHA512
0754131c199f3108c10dbadc82922bf680438f07e280cd1d2403c627d255fafae1edc6564f1fd3a07663f170eaa8a6e13561ccc11027e985e3b69b512793790e

Download Submit
memory/368-56-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download