Analysis
-
max time kernel
154s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
07/11/2022, 16:33
Static task
static1
Behavioral task
behavioral1
Sample
22ca2b6bed8210db67ae326515093b7e266d36f4074866a13c5098043cb6c9ab.exe
Resource
win7-20220901-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
22ca2b6bed8210db67ae326515093b7e266d36f4074866a13c5098043cb6c9ab.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
22ca2b6bed8210db67ae326515093b7e266d36f4074866a13c5098043cb6c9ab.exe
-
Size
276KB
-
MD5
0cfc1c3eec7816f466f2f87530568f81
-
SHA1
e95d16dee8dde9ef345f52d351dce285f68ddbf1
-
SHA256
22ca2b6bed8210db67ae326515093b7e266d36f4074866a13c5098043cb6c9ab
-
SHA512
783a147a2311e4475d506e97ea21bcf4d676a81a75a1bdfd0fe217e6fb525571f5bde97a15e8621b9d5fa5546c42a85cf6c60b933f965557779d63c22ab03cb6
-
SSDEEP
3072:IGwXuADtev4IIT+IuGz8jt2LS/ekYeX4CPkuouXLgKE3U23X/JBICjoDDFc+xkwg:DwXuA0v1IbumBLUekY0kuZgKutJBLhHT
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 22ca2b6bed8210db67ae326515093b7e266d36f4074866a13c5098043cb6c9ab.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" zoayie.exe -
Executes dropped EXE 1 IoCs
pid Process 5100 zoayie.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 22ca2b6bed8210db67ae326515093b7e266d36f4074866a13c5098043cb6c9ab.exe -
Adds Run key to start application 2 TTPs 53 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /M" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /J" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /h" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /Z" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /H" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /p" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /b" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /t" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /X" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /l" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /q" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /v" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /D" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /u" zoayie.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ 22ca2b6bed8210db67ae326515093b7e266d36f4074866a13c5098043cb6c9ab.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /I" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /z" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /w" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /e" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /Y" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /r" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /E" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /s" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /U" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /V" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /c" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /y" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /L" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /e" 22ca2b6bed8210db67ae326515093b7e266d36f4074866a13c5098043cb6c9ab.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /i" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /A" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /O" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /S" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /T" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /C" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /P" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /Q" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /f" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /B" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /g" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /R" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /x" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /k" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /W" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /F" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /o" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /m" zoayie.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /G" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /n" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /d" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /K" zoayie.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoayie = "C:\\Users\\Admin\\zoayie.exe /N" zoayie.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2428 22ca2b6bed8210db67ae326515093b7e266d36f4074866a13c5098043cb6c9ab.exe 2428 22ca2b6bed8210db67ae326515093b7e266d36f4074866a13c5098043cb6c9ab.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe 5100 zoayie.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2428 22ca2b6bed8210db67ae326515093b7e266d36f4074866a13c5098043cb6c9ab.exe 5100 zoayie.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2428 wrote to memory of 5100 2428 22ca2b6bed8210db67ae326515093b7e266d36f4074866a13c5098043cb6c9ab.exe 81 PID 2428 wrote to memory of 5100 2428 22ca2b6bed8210db67ae326515093b7e266d36f4074866a13c5098043cb6c9ab.exe 81 PID 2428 wrote to memory of 5100 2428 22ca2b6bed8210db67ae326515093b7e266d36f4074866a13c5098043cb6c9ab.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\22ca2b6bed8210db67ae326515093b7e266d36f4074866a13c5098043cb6c9ab.exe"C:\Users\Admin\AppData\Local\Temp\22ca2b6bed8210db67ae326515093b7e266d36f4074866a13c5098043cb6c9ab.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Users\Admin\zoayie.exe"C:\Users\Admin\zoayie.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5100
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
276KB
MD5cdb20ea60bfbc2a1d0c8380873956734
SHA19ae10b2e4d30ec5ef320058b27597c045231c12b
SHA2562095e9dd2e5e0691aabc65739e546dc451ffa8caf1ea0202542ff27f130d1812
SHA51285d1c676d0f206bdf3478a7a40e3b981e40706e6999771cf5d05247a8cf21914ab3a9bc7f8e4dcdd57f0e85e9b8fe17568836444d6d53c46c6c9fe6aefe590d8
-
Filesize
276KB
MD5cdb20ea60bfbc2a1d0c8380873956734
SHA19ae10b2e4d30ec5ef320058b27597c045231c12b
SHA2562095e9dd2e5e0691aabc65739e546dc451ffa8caf1ea0202542ff27f130d1812
SHA51285d1c676d0f206bdf3478a7a40e3b981e40706e6999771cf5d05247a8cf21914ab3a9bc7f8e4dcdd57f0e85e9b8fe17568836444d6d53c46c6c9fe6aefe590d8