808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654

Analysis

max time kernel
152s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 15:22 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe
Size

256KB
MD5

04c129b6db906ebd3bd37aa23af55991
SHA1

94c9d19fe6e52f3c82af5d26fc754fa36fae33d7
SHA256

808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654
SHA512

3cdec19644502f679732ee1701e4a037ad52c137e4d89d54d958a4d6a8f127b8786d8b586f856fc637d46505f8cad8a4c74f3843afbca32b101150029346e7f6
SSDEEP

3072:k3ZVoeI0Plp/nskpCUv5T79fzCC/M7BFsqMabeYiUDoZGA33ygoe:yfxPlptNvl9fm0UBFsqMabeYiUDogmFv

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xuioq.exe

Executes dropped EXE 1 IoCs

pid	Process
5032	xuioq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /H"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /o"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /P"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /T"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /A"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /c"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /p"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /u"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /Y"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /E"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /a"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /s"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /i"	xuioq.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /r"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /W"	808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /Q"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /t"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /v"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /b"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /e"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /j"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /x"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /N"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /G"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /R"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /h"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /B"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /I"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /g"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /l"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /w"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /V"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /X"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /y"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /M"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /n"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /q"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /Z"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /z"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /W"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /O"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /J"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /D"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /d"	xuioq.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /U"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /f"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /k"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /S"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /L"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /K"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /C"	xuioq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuioq = "C:\\Users\\Admin\\xuioq.exe /F"	xuioq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4284	808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe
4284	808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe
5032	xuioq.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4284	808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe
5032	xuioq.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 5032	4284	808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe	79
PID 4284 wrote to memory of 5032	4284	808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe	79
PID 4284 wrote to memory of 5032	4284	808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe	79

C:\Users\Admin\AppData\Local\Temp\808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe
"C:\Users\Admin\AppData\Local\Temp\808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\xuioq.exe
  "C:\Users\Admin\xuioq.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5032

Network

DNS

ns1.player1352.com

808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe

Remote address:

8.8.8.8:53

Request

ns1.player1352.com

IN A

Response
DNS

ns1.player1352.net

808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe

Remote address:

8.8.8.8:53

Request

ns1.player1352.net

IN A

Response

ns1.player1352.net

IN A

35.205.61.67

93.184.220.29:80

322 B
7
35.205.61.67:8000

ns1.player1352.net

808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe

334 B
212 B
7
5
209.197.3.8:80

322 B
7
209.197.3.8:80

322 B
7
209.197.3.8:80

322 B
7
209.197.3.8:80

322 B
7
209.197.3.8:80

322 B
7

8.8.8.8:53

ns1.player1352.com

dns

808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe

64 B
137 B
1
1

DNS Request

ns1.player1352.com
8.8.8.8:53

ns1.player1352.net

dns

808c745f87cbe60b1c255c83ef7d34830ec271e8906a28e5acb7a644cf1be654.exe

64 B
80 B
1
1

DNS Request

ns1.player1352.net

DNS Response

35.205.61.67

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\xuioq.exe

Filesize
256KB

MD5
5a3fb182c92b9f338398e0f881168207

SHA1
dca0ab0bb7037aad087712a795bc092fd3aa91ba

SHA256
c23fc753d38f5e90c4724b7d42f8c9efca81b305e5146298856c28a19c4cafdb

SHA512
25efdd1649a4160a8ced0ca1950fae65cd14fd5dcad21a84c62b45a97d9b5181ab59f4a47c43358b129b812647f5e445906dda5ebf8c00cdd000ea4947f516a5

Download Submit
C:\Users\Admin\xuioq.exe

Filesize
256KB

MD5
5a3fb182c92b9f338398e0f881168207

SHA1
dca0ab0bb7037aad087712a795bc092fd3aa91ba

SHA256
c23fc753d38f5e90c4724b7d42f8c9efca81b305e5146298856c28a19c4cafdb

SHA512
25efdd1649a4160a8ced0ca1950fae65cd14fd5dcad21a84c62b45a97d9b5181ab59f4a47c43358b129b812647f5e445906dda5ebf8c00cdd000ea4947f516a5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.