9fa8c0261bc2b332e463c07c741fdf9925260e2b17ccf007816405d264cd578b

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fa8c0261bc2b332e463c07c741fdf9925260e2b17ccf007816405d264cd578b.exe
Size

228KB
MD5

0db6da162ddfb5b82cd0d2d35fa6bbeb
SHA1

d509cfc21745aea23fb992e6ecc313d18234e8ce
SHA256

9fa8c0261bc2b332e463c07c741fdf9925260e2b17ccf007816405d264cd578b
SHA512

08f828c94aed8a04a5dcad635dad02ab86d3788920ccdc2b7db4e4f3ca5570a19ed052881365483a864a608cf4a856bd1b1056414c83f41538eef74273230203
SSDEEP

6144:lwGDh4jLt4NVcWgyGELwXiS8T+bbhn7aRjS5ZgBbJ:GGWntWyD1LiS8lS5ZI

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	maifaaz.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9fa8c0261bc2b332e463c07c741fdf9925260e2b17ccf007816405d264cd578b.exe

Executes dropped EXE 1 IoCs

pid	Process
1316	maifaaz.exe

Loads dropped DLL 2 IoCs

pid	Process
1280	9fa8c0261bc2b332e463c07c741fdf9925260e2b17ccf007816405d264cd578b.exe
1280	9fa8c0261bc2b332e463c07c741fdf9925260e2b17ccf007816405d264cd578b.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /K"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /e"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /P"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /L"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /Q"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /W"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /H"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /O"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /g"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /d"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /h"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /Y"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /p"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /A"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /N"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /C"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /U"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /w"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /S"	9fa8c0261bc2b332e463c07c741fdf9925260e2b17ccf007816405d264cd578b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /r"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /F"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /D"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /s"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /l"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /a"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /M"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /j"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /J"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /b"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /z"	maifaaz.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	9fa8c0261bc2b332e463c07c741fdf9925260e2b17ccf007816405d264cd578b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /m"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /u"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /c"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /G"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /E"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /I"	maifaaz.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /t"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /T"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /i"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /n"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /x"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /f"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /B"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /Z"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /S"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /V"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /X"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /y"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /R"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /o"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /v"	maifaaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\maifaaz = "C:\\Users\\Admin\\maifaaz.exe /k"	maifaaz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1280	9fa8c0261bc2b332e463c07c741fdf9925260e2b17ccf007816405d264cd578b.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe
1316	maifaaz.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1280	9fa8c0261bc2b332e463c07c741fdf9925260e2b17ccf007816405d264cd578b.exe
1316	maifaaz.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 1316	1280	9fa8c0261bc2b332e463c07c741fdf9925260e2b17ccf007816405d264cd578b.exe	27
PID 1280 wrote to memory of 1316	1280	9fa8c0261bc2b332e463c07c741fdf9925260e2b17ccf007816405d264cd578b.exe	27
PID 1280 wrote to memory of 1316	1280	9fa8c0261bc2b332e463c07c741fdf9925260e2b17ccf007816405d264cd578b.exe	27
PID 1280 wrote to memory of 1316	1280	9fa8c0261bc2b332e463c07c741fdf9925260e2b17ccf007816405d264cd578b.exe	27

C:\Users\Admin\AppData\Local\Temp\9fa8c0261bc2b332e463c07c741fdf9925260e2b17ccf007816405d264cd578b.exe
"C:\Users\Admin\AppData\Local\Temp\9fa8c0261bc2b332e463c07c741fdf9925260e2b17ccf007816405d264cd578b.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\maifaaz.exe
  "C:\Users\Admin\maifaaz.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\maifaaz.exe

Filesize
228KB

MD5
48eeda9a89590a91b4dcba3b16a8172a

SHA1
4ecf6abe7d0aa87a4434d7f0b7e97cd2149fdc2a

SHA256
56f1f2ce537dcbf9eb22ace07e9f83a24f1fdcaa073e496c2143d9815166a44f

SHA512
167797a744b7a2577084d274e5fed4677dd9fe172aee22f1e89e000e60f49ccd7ebe40caf8a70d696f9a57b8c2569f30927b48de9cbd4b302e21fe66b79ac5e4

Download Submit
C:\Users\Admin\maifaaz.exe

Filesize
228KB

MD5
48eeda9a89590a91b4dcba3b16a8172a

SHA1
4ecf6abe7d0aa87a4434d7f0b7e97cd2149fdc2a

SHA256
56f1f2ce537dcbf9eb22ace07e9f83a24f1fdcaa073e496c2143d9815166a44f

SHA512
167797a744b7a2577084d274e5fed4677dd9fe172aee22f1e89e000e60f49ccd7ebe40caf8a70d696f9a57b8c2569f30927b48de9cbd4b302e21fe66b79ac5e4

Download Submit
\Users\Admin\maifaaz.exe

Filesize
228KB

MD5
48eeda9a89590a91b4dcba3b16a8172a

SHA1
4ecf6abe7d0aa87a4434d7f0b7e97cd2149fdc2a

SHA256
56f1f2ce537dcbf9eb22ace07e9f83a24f1fdcaa073e496c2143d9815166a44f

SHA512
167797a744b7a2577084d274e5fed4677dd9fe172aee22f1e89e000e60f49ccd7ebe40caf8a70d696f9a57b8c2569f30927b48de9cbd4b302e21fe66b79ac5e4

Download Submit
\Users\Admin\maifaaz.exe

Filesize
228KB

MD5
48eeda9a89590a91b4dcba3b16a8172a

SHA1
4ecf6abe7d0aa87a4434d7f0b7e97cd2149fdc2a

SHA256
56f1f2ce537dcbf9eb22ace07e9f83a24f1fdcaa073e496c2143d9815166a44f

SHA512
167797a744b7a2577084d274e5fed4677dd9fe172aee22f1e89e000e60f49ccd7ebe40caf8a70d696f9a57b8c2569f30927b48de9cbd4b302e21fe66b79ac5e4

Download Submit
memory/1280-56-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download