8382f86b49e3582d9bae5f38cb3d197c2dfe5aa4c1638c802471eb55b09d87b7

Analysis

max time kernel
151s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8382f86b49e3582d9bae5f38cb3d197c2dfe5aa4c1638c802471eb55b09d87b7.exe
Size

156KB
MD5

0f6a8a08a556eeca535656b7a132d094
SHA1

a56e7d9409523b016c2513128a0133278c8d8331
SHA256

8382f86b49e3582d9bae5f38cb3d197c2dfe5aa4c1638c802471eb55b09d87b7
SHA512

d6c8700607f8b692bcab6c645c08a6db5972caca0581984b7aac88b1de56d2f11c477c03267ac0aa223678c93eacd34ae81bf2ec2ef64e3112ebf7d9b4f2820b
SSDEEP

3072:PNMtfS4aZhJdxKPE+vgu36MN9vqKyHjm6I1JDVOc2W4oQZiET+o:6m7d0zvhqMN9vgjm6ILDVOAWX

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	voimoed.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	8382f86b49e3582d9bae5f38cb3d197c2dfe5aa4c1638c802471eb55b09d87b7.exe

Executes dropped EXE 1 IoCs

pid	Process
612	voimoed.exe

Loads dropped DLL 2 IoCs

pid	Process
1932	8382f86b49e3582d9bae5f38cb3d197c2dfe5aa4c1638c802471eb55b09d87b7.exe
1932	8382f86b49e3582d9bae5f38cb3d197c2dfe5aa4c1638c802471eb55b09d87b7.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /R"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /K"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /j"	8382f86b49e3582d9bae5f38cb3d197c2dfe5aa4c1638c802471eb55b09d87b7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /Q"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /v"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /H"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /o"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /X"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /V"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /a"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /I"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /j"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /Z"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /i"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /e"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /u"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /t"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /L"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /z"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /W"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /N"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /x"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /M"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /G"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /S"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /E"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /U"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /q"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /d"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /n"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /m"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /c"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /h"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /p"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /k"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /C"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /s"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /l"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /g"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /A"	voimoed.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	8382f86b49e3582d9bae5f38cb3d197c2dfe5aa4c1638c802471eb55b09d87b7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /J"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /Y"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /b"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /f"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /P"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /T"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /O"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /F"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /w"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /D"	voimoed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voimoed = "C:\\Users\\Admin\\voimoed.exe /y"	voimoed.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	voimoed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1932	8382f86b49e3582d9bae5f38cb3d197c2dfe5aa4c1638c802471eb55b09d87b7.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe
612	voimoed.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1932	8382f86b49e3582d9bae5f38cb3d197c2dfe5aa4c1638c802471eb55b09d87b7.exe
612	voimoed.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 612	1932	8382f86b49e3582d9bae5f38cb3d197c2dfe5aa4c1638c802471eb55b09d87b7.exe	28
PID 1932 wrote to memory of 612	1932	8382f86b49e3582d9bae5f38cb3d197c2dfe5aa4c1638c802471eb55b09d87b7.exe	28
PID 1932 wrote to memory of 612	1932	8382f86b49e3582d9bae5f38cb3d197c2dfe5aa4c1638c802471eb55b09d87b7.exe	28
PID 1932 wrote to memory of 612	1932	8382f86b49e3582d9bae5f38cb3d197c2dfe5aa4c1638c802471eb55b09d87b7.exe	28

C:\Users\Admin\AppData\Local\Temp\8382f86b49e3582d9bae5f38cb3d197c2dfe5aa4c1638c802471eb55b09d87b7.exe
"C:\Users\Admin\AppData\Local\Temp\8382f86b49e3582d9bae5f38cb3d197c2dfe5aa4c1638c802471eb55b09d87b7.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\voimoed.exe
  "C:\Users\Admin\voimoed.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\voimoed.exe

Filesize
156KB

MD5
5d75663b096d5a0b748cdeb865534414

SHA1
142c4014d63a02e03501d2732124422f5993549b

SHA256
4f11779fb8615f439a87bd4db69f0c0df295d7a59b7a3fd6e302225ff68cd437

SHA512
fd7d10b2f2a61bd2b229a856fd0cf1c368632208c21a86be459cf1a2d8709895afc7ff0cace1353464ddb4ab4d21faa78ae26f7e8cdecebdc7ec1380606f3a7e

Download Submit
C:\Users\Admin\voimoed.exe

Filesize
156KB

MD5
5d75663b096d5a0b748cdeb865534414

SHA1
142c4014d63a02e03501d2732124422f5993549b

SHA256
4f11779fb8615f439a87bd4db69f0c0df295d7a59b7a3fd6e302225ff68cd437

SHA512
fd7d10b2f2a61bd2b229a856fd0cf1c368632208c21a86be459cf1a2d8709895afc7ff0cace1353464ddb4ab4d21faa78ae26f7e8cdecebdc7ec1380606f3a7e

Download Submit
\Users\Admin\voimoed.exe

Filesize
156KB

MD5
5d75663b096d5a0b748cdeb865534414

SHA1
142c4014d63a02e03501d2732124422f5993549b

SHA256
4f11779fb8615f439a87bd4db69f0c0df295d7a59b7a3fd6e302225ff68cd437

SHA512
fd7d10b2f2a61bd2b229a856fd0cf1c368632208c21a86be459cf1a2d8709895afc7ff0cace1353464ddb4ab4d21faa78ae26f7e8cdecebdc7ec1380606f3a7e

Download Submit
\Users\Admin\voimoed.exe

Filesize
156KB

MD5
5d75663b096d5a0b748cdeb865534414

SHA1
142c4014d63a02e03501d2732124422f5993549b

SHA256
4f11779fb8615f439a87bd4db69f0c0df295d7a59b7a3fd6e302225ff68cd437

SHA512
fd7d10b2f2a61bd2b229a856fd0cf1c368632208c21a86be459cf1a2d8709895afc7ff0cace1353464ddb4ab4d21faa78ae26f7e8cdecebdc7ec1380606f3a7e

Download Submit
memory/1932-56-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download