Analysis
max time kernel: 150s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2022, 20:40
Static task: static1
Behavioral task: behavioral1
  Sample: 0641657e8e9b9da06e1c957e820341a9cecca44b47b8d510228cceda1728f9c8.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 0641657e8e9b9da06e1c957e820341a9cecca44b47b8d510228cceda1728f9c8.exe
  Resource: win10v2004-20220901-en
General
Target: 0641657e8e9b9da06e1c957e820341a9cecca44b47b8d510228cceda1728f9c8.exe
Size: 77KB
MD5: 0e9b8463345930628df21745a1028930
SHA1: cb3ca436e1338132eb577fa1f1b19c56235abfba
SHA256: 0641657e8e9b9da06e1c957e820341a9cecca44b47b8d510228cceda1728f9c8
SHA512: d967b94e3922ee5d3ba55a0ea4e853a9f98b1e488f27bbf744cd02d94f2a4cc4c88468523f4a35a3be5cf8f51764ca9694e87571b46ff89ca5fba8014fcdb784
SSDEEP: 1536:0Y2s8S9p15Bx8pEttgdO/mXpgWXOJgQmmogDcMH5fCVsJVafuegWXAi+oX9tWV0x:Z2s8S9p15Bx8pEttgdO/mXpgWXOJgQmv
Malware Config

Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  Process: puiduu.exe

Executes dropped EXE (1 IoC)
  pid: 5072
  Process: puiduu.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
  Process: 0641657e8e9b9da06e1c957e820341a9cecca44b47b8d510228cceda1728f9c8.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\
  Process: puiduu.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiduu = "C:\\Users\\Admin\\puiduu.exe"
  Process: puiduu.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 5072
  Process: puiduu.exe
  (the same pid/process entry is recorded 64 times)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 384   Process: 0641657e8e9b9da06e1c957e820341a9cecca44b47b8d510228cceda1728f9c8.exe
  pid: 5072  Process: puiduu.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description: PID 384 wrote to memory of 5072
    pid: 384   Process: 0641657e8e9b9da06e1c957e820341a9cecca44b47b8d510228cceda1728f9c8.exe   procid_target: 80
    (recorded 3 times)
  description: PID 5072 wrote to memory of 384
    pid: 5072  Process: puiduu.exe   procid_target: 79
    (recorded for the remaining 61 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\0641657e8e9b9da06e1c957e820341a9cecca44b47b8d510228cceda1728f9c8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0641657e8e9b9da06e1c957e820341a9cecca44b47b8d510228cceda1728f9c8.exe"
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 384

   2. C:\Users\Admin\puiduu.exe
      Command line: "C:\Users\Admin\puiduu.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 5072
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 77KB
MD5: a368a0a7b43ad00d33e90c522bb91af5
SHA1: d7ee3df9ec9fb10ea4e233680b9c758cd52118a1
SHA256: 8fda61ecc3df6afa3ecf651309802732a7928e5c7170aeaeacb8c63acd68a0bc
SHA512: 5264a7fcab60100abc66046eb45663c0fd42518e4adc020e345df9cd59e87f2b01fa762f15d3c5102fe1cb99241a7523b79bb63c5728e23f806e2ac9afe91038