Analysis
max time kernel: 158s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06/11/2022, 15:24
Static task: static1
Behavioral task: behavioral1
  Sample: 4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f.exe
  Resource: win10v2004-20220812-en
General
Target: 4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f.exe
Size: 224KB
MD5: 0c91001b09229700232adc25f9804f03
SHA1: 2b585b95c633f5dc7225445cf668cdda983f15d4
SHA256: 4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f
SHA512: bcf070f058ef090b840a38b5cdf76ce53b11f9c395b9f6e3a53c7c967c65506f6dc7081e907089959a21415736c3002334d54b477a200c0380110150dde85061
SSDEEP: 3072:4XyqNsMoBudZVpl2mclbj4Uvx+8ysNOu+2eRcKksU61JkkX39RLrw4ySKUbax2+l:XqN5Jp4LnbmlrZW
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | daeuwe.exe
Executes dropped EXE (1 IoC)
pid | Process
1756 | daeuwe.exe

Loads dropped DLL (2 IoCs)
pid | Process
1912 | 4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f.exe
1912 | 4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f.exe
Adds Run key to start application (2 TTPs, 29 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /b" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /d" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /k" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /e" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /s" | daeuwe.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | 4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /p" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /j" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /g" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /h" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /y" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /r" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /f" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /v" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /n" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /l" | 4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /w" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /x" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /m" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /i" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /z" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /q" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /c" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /l" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /t" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /o" | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /a" | daeuwe.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | daeuwe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeuwe = "C:\\Users\\Admin\\daeuwe.exe /u" | daeuwe.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1912 | 4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f.exe (1 IoC)
1756 | daeuwe.exe (the remaining 63 IoCs, all with this pid and process)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
1912 | 4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f.exe
1756 | daeuwe.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1912 wrote to memory of 1756 | 1912 | 4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f.exe | 28
PID 1912 wrote to memory of 1756 | 1912 | 4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f.exe | 28
PID 1912 wrote to memory of 1756 | 1912 | 4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f.exe | 28
PID 1912 wrote to memory of 1756 | 1912 | 4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4d061b0da741715e303796854cc932f1f1bd3952c33ade49040b734c68fbe68f.exe"
   PID: 1912
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\daeuwe.exe
      Command line: "C:\Users\Admin\daeuwe.exe"
      PID: 1756
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 224KB
MD5: 240a57f29f15af104cfcf6caa1d1056c
SHA1: c973021da6f8bcef69ff2c265c0152b9378c2c20
SHA256: a0605c2d6c53ccd8fec99d1374807baf97f4014316ebfccb00cf8638fed2d290
SHA512: b3f81128f1deaa5445ff0bb677a353e81aa4c9e85c8394f4e1299ca2a15fbe8f4d787333151ef29d867527bec690301c31835d56b3f46ac078aa9dd776640f3d