Analysis
-
max time kernel
171s
-
max time network
164s
-
platform
windows10-2004_x64
-
resource
win10v2004-20221111-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
21-11-2022 16:41
Static task
static1
Behavioral task
behavioral1
Sample
755deb867af4c32ae8c44aacf8b7de86be81a9209c82bb312bd3778475e99f90.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
755deb867af4c32ae8c44aacf8b7de86be81a9209c82bb312bd3778475e99f90.exe
Resource
win10v2004-20221111-en
General
-
Target
755deb867af4c32ae8c44aacf8b7de86be81a9209c82bb312bd3778475e99f90.exe
-
Size
108KB
-
MD5
2141ef139ad12011dd82c5f44daa93b0
-
SHA1
ad943c3b74fec0efee862c8f810ce00e965430ea
-
SHA256
755deb867af4c32ae8c44aacf8b7de86be81a9209c82bb312bd3778475e99f90
-
SHA512
ff061f712e2dd692e4fa997277399db25028b703cb82257bac69fac45f1f5483880db18da16c47aa7ace5f973fc93b4cfb85caa9c882145ae166037c03610fba
-
SSDEEP
768:mhEJbN6hqGA7isJhtgTVH7NHaurxmWXOQfwoObuPb77eKL8:mhEFF7thml5lXAoO+H7r
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description
Set value (int)
ioc
\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Process
boabu.exe
-
Executes dropped EXE (1 IoC)
pid
2064
Process
boabu.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description
Key value queried
ioc
\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
Process
755deb867af4c32ae8c44aacf8b7de86be81a9209c82bb312bd3778475e99f90.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
description
Set value (str)
ioc
\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boabu = "C:\\Users\\Admin\\boabu.exe"
Process
boabu.exe
-
description
Key created
ioc
\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\
Process
boabu.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid
2064
Process
boabu.exe
(all 64 entries are identical)
-
Suspicious use of SetWindowsHookEx (2 IoCs)
pid
1748
Process
755deb867af4c32ae8c44aacf8b7de86be81a9209c82bb312bd3778475e99f90.exe
-
pid
2064
Process
boabu.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
description
PID 1748 wrote to memory of 2064
pid
1748
Process
755deb867af4c32ae8c44aacf8b7de86be81a9209c82bb312bd3778475e99f90.exe
procid_target
82
(3 identical entries)
-
description
PID 2064 wrote to memory of 1748
pid
2064
Process
boabu.exe
procid_target
81
(61 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\755deb867af4c32ae8c44aacf8b7de86be81a9209c82bb312bd3778475e99f90.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\755deb867af4c32ae8c44aacf8b7de86be81a9209c82bb312bd3778475e99f90.exe"
PID: 1748 (tree depth 1)
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\boabu.exe
Command line: "C:\Users\Admin\boabu.exe"
PID: 2064 (tree depth 2, child of PID 1748)
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
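As an added triage aid (not part of the sandbox report and not code from the sample), the following PowerShell sweeps a Windows host for the indicators listed above: the dropped C:\Users\<user>\boabu.exe (the report's path uses the sandbox account "Admin", so every profile is checked), a running boabu.exe process, the Run\boabu persistence value, and the ShowSuperHidden setting. The SHA256 values are copied from the report; the iteration over every loaded hive under HKEY_USERS, the Add-Finding helper and the output layout are this script's own assumptions.

```powershell
# Added triage script, not part of the sandbox report. Sweeps one Windows host
# for the indicators the report lists. Run in an elevated PowerShell session.

# SHA256 values copied from the report (uppercase to match Get-FileHash output).
$KnownSha256 = @(
    '755DEB867AF4C32AE8C44AACF8B7DE86BE81A9209C82BB312BD3778475E99F90', # submitted sample
    '4CC2AF67849E66A4EFC823C9676173989B5C3DF098DA924F30DAA2B3600710CE'  # artifact listed under Downloads (unnamed in the report)
)

$findings = New-Object 'System.Collections.Generic.List[object]'

# Helper (assumption: our own naming, not from the report).
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Dropped binary. The report shows C:\Users\Admin\boabu.exe; 'Admin' is the
#    sandbox account, so every profile under C:\Users is checked.
foreach ($f in Get-ChildItem -Path 'C:\Users\*\boabu.exe' -File -Force -ErrorAction SilentlyContinue) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $verdict = if ($KnownSha256 -contains $hash) { 'SHA256 matches the report' } else { "SHA256 $hash not in the report" }
    Add-Finding 'DroppedFile' "$($f.FullName) ($($f.Length) bytes; $verdict)"
}

# 2. Live process with the dropped binary's name.
foreach ($p in Get-Process -Name 'boabu' -ErrorAction SilentlyContinue) {
    Add-Finding 'Process' "PID $($p.Id) $($p.Path)"
}

# 3. Per-user registry indicators. The report's SID belongs to the sandbox user;
#    here every loaded user hive under HKEY_USERS is checked (assumption: the
#    affected user's hive is loaded, i.e. that user is logged on).
if (-not (Get-PSDrive -Name 'HKU' -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name 'HKU' -PSProvider Registry -Root 'HKEY_USERS' | Out-Null
}
$userHives = Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }

foreach ($hive in $userHives) {
    $sid = $hive.PSChildName

    # 3a. Persistence: HKU\<SID>\...\CurrentVersion\Run\boabu
    $runKey = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['boabu']) {
        Add-Finding 'RunKey' "$sid Run\boabu = $($run.boabu)"
    }

    # 3b. Defence evasion: Explorer\Advanced\ShowSuperHidden = 0 keeps protected
    #     OS files hidden. 0 is also the Windows default, so on its own this is
    #     context, not proof of infection.
    $advKey = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    $adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
    if ($adv -and $adv.PSObject.Properties['ShowSuperHidden'] -and [int]$adv.ShowSuperHidden -eq 0) {
        Add-Finding 'ShowSuperHidden' "$sid ShowSuperHidden = 0 (default value; corroborating only)"
    }
}

if ($findings.Count -eq 0) {
    'No indicators from the report were found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it elevated so every loaded hive under HKEY_USERS is readable; hives of users who are not logged on are not mounted and are not checked. The Run\boabu value and a boabu.exe whose SHA256 matches the report are the findings that matter. ShowSuperHidden = 0 is the Windows default, and the sandbox signature fires on the write to that value, not on the value itself, so a static sweep cannot reproduce that signal and the check is kept only as corroboration.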
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
108KB
MD5
28d616461e76da47efb6b9231518658d
SHA1
12d638d333a2cbfc35d332f513076d47f9de99ce
SHA256
4cc2af67849e66a4efc823c9676173989b5c3df098da924f30daa2b3600710ce
SHA512
3b23a726e57bec9ef3e0476dd2c92aa90d4a7911cac82fc088f50d11712cedfcd9f0755d6363a70572c15304e2f2e053aa0f153a7e9fc47875302c41a58ac788