dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99

General

Target

dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe
Size

304KB
MD5

164a65df4589670ee1b78d2c93c6f581
SHA1

b0be5ac0fb8d0f17045872f00183e1c9e1d92cdd
SHA256

dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99
SHA512

b69080df8215b155d0afa68cef820e080729f0cb27ca9b29570dd71bc3bf625519e8a5eb436ceec3fa52b12a84aab6e3ad7d1ea1ef8418c83680c39bf89cdba8
SSDEEP

6144:MuK76frBNCLd6eIpAtX3r34KwUQ63owH1VMn3Nh2x:TKoBNCLd6eIpAJ3T4KB3owHXMn3NhU

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exevaemou.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vaemou.exe

Executes dropped EXE 1 IoCs

Processes:

vaemou.exe

pid process

676 vaemou.exe

pid	process
676	vaemou.exe

Loads dropped DLL 2 IoCs

Processes:

dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe

pid	process
2040	dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe
2040	dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe

Adds Run key to start application 2 TTPs 47 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vaemou.exedbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /r"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /f"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /p"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /C"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /L"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /W"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /R"	dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /n"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /U"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /w"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /N"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /s"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /d"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /K"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /R"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /u"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /E"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /H"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /i"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /T"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /o"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /A"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /D"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /g"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /a"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /G"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /h"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /c"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /Z"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /O"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /B"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /J"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /Y"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /V"	vaemou.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /z"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /b"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /X"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /j"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /v"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /k"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /y"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /l"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /P"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /S"	vaemou.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\vaemou = "C:\\Users\\Admin\\vaemou.exe /x"	vaemou.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exevaemou.exe

pid	process
2040	dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe
676	vaemou.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exevaemou.exe

pid process

2040 dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe
676 vaemou.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe

description	pid	process	target process
PID 2040 wrote to memory of 676	2040	dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe	vaemou.exe
PID 2040 wrote to memory of 676	2040	dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe	vaemou.exe
PID 2040 wrote to memory of 676	2040	dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe	vaemou.exe
PID 2040 wrote to memory of 676	2040	dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe	vaemou.exe

C:\Users\Admin\AppData\Local\Temp\dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe
"C:\Users\Admin\AppData\Local\Temp\dbdf7b683bea974b797ba8c3672936ec0ab7f1abfbebb59f53562ebe8b226d99.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\vaemou.exe
"C:\Users\Admin\vaemou.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vaemou.exe

Filesize
304KB

MD5
9b0e80a23f2ee21c79a86caa938e3e34

SHA1
81cab7220372f7297416af58f5b25f5f90685375

SHA256
cebb93480be54b4e56bd361e1da2c241199d959bc4bc4839b458ca6337a08d86

SHA512
86bd7a5d1f2c52e02f9a604adc37eea46206b42c7384144b3600606c6022a9246abc4ab3bd75ff161be4587220d2674c60ddca9943180bf59dc1addd033e12eb

Download Submit
C:\Users\Admin\vaemou.exe

Filesize
304KB

MD5
9b0e80a23f2ee21c79a86caa938e3e34

SHA1
81cab7220372f7297416af58f5b25f5f90685375

SHA256
cebb93480be54b4e56bd361e1da2c241199d959bc4bc4839b458ca6337a08d86

SHA512
86bd7a5d1f2c52e02f9a604adc37eea46206b42c7384144b3600606c6022a9246abc4ab3bd75ff161be4587220d2674c60ddca9943180bf59dc1addd033e12eb

Download Submit
\Users\Admin\vaemou.exe

Filesize
304KB

MD5
9b0e80a23f2ee21c79a86caa938e3e34

SHA1
81cab7220372f7297416af58f5b25f5f90685375

SHA256
cebb93480be54b4e56bd361e1da2c241199d959bc4bc4839b458ca6337a08d86

SHA512
86bd7a5d1f2c52e02f9a604adc37eea46206b42c7384144b3600606c6022a9246abc4ab3bd75ff161be4587220d2674c60ddca9943180bf59dc1addd033e12eb

Download Submit
\Users\Admin\vaemou.exe

Filesize
304KB

MD5
9b0e80a23f2ee21c79a86caa938e3e34

SHA1
81cab7220372f7297416af58f5b25f5f90685375

SHA256
cebb93480be54b4e56bd361e1da2c241199d959bc4bc4839b458ca6337a08d86

SHA512
86bd7a5d1f2c52e02f9a604adc37eea46206b42c7384144b3600606c6022a9246abc4ab3bd75ff161be4587220d2674c60ddca9943180bf59dc1addd033e12eb

Download Submit
memory/676-59-0x0000000000000000-mapping.dmp

Download
memory/2040-56-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads