d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2

General

Target

d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
Size

116KB
MD5

47b059248a97e2cbc4d28070100c3e10
SHA1

0f65e03a0bea15be580fcdc492e2c98ba7229108
SHA256

d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2
SHA512

64e9eb05ca8f48ef3c64573e43d17fd8eae0f53a16e872d56820da75c5d33891c7042e1c529ba28aca6573983d1097976b1cc4e88fa19188261ff07a17f4dd73
SSDEEP

1536:pMVAH0FThCKSwXsr9iNN7Touxknseofc7nySqDo6xa9BhvHz5jboEl3K9MEApleh:iZhC9gsUXTDkKansivlf3KEeec

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exexuozue.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xuozue.exe

Executes dropped EXE 2 IoCs

Processes:

xuozue.exexuozue.exe

pid process

1012 xuozue.exe
4780 xuozue.exe

pid	process
1012	xuozue.exe
4780	xuozue.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exexuozue.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run\	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuozue = "C:\\Users\\Admin\\xuozue.exe /t"	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run\	xuozue.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuozue = "C:\\Users\\Admin\\xuozue.exe /x"	xuozue.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

xuozue.exed16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	xuozue.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	xuozue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe

Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

xuozue.exe

description ioc process

File created C:\Users\Admin\c\autorun.inf xuozue.exe
File opened for modification C:\Users\Admin\c\autorun.inf xuozue.exe

description	ioc	process
File created	C:\Users\Admin\c\autorun.inf	xuozue.exe
File opened for modification	C:\Users\Admin\c\autorun.inf	xuozue.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exexuozue.exe

description	pid	process	target process
PID 4472 set thread context of 3036	4472	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
PID 1012 set thread context of 4780	1012	xuozue.exe	xuozue.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exexuozue.exe

pid	process
3036	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
3036	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
4780	xuozue.exe
4780	xuozue.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exed16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exexuozue.exexuozue.exe

pid	process
4472	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
3036	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
1012	xuozue.exe
4780	xuozue.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exed16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exexuozue.exe

description	pid	process	target process
PID 4472 wrote to memory of 3036	4472	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
PID 4472 wrote to memory of 3036	4472	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
PID 4472 wrote to memory of 3036	4472	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
PID 4472 wrote to memory of 3036	4472	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
PID 4472 wrote to memory of 3036	4472	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
PID 4472 wrote to memory of 3036	4472	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
PID 4472 wrote to memory of 3036	4472	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
PID 4472 wrote to memory of 3036	4472	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
PID 4472 wrote to memory of 3036	4472	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
PID 3036 wrote to memory of 1012	3036	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe	xuozue.exe
PID 3036 wrote to memory of 1012	3036	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe	xuozue.exe
PID 3036 wrote to memory of 1012	3036	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe	xuozue.exe
PID 3036 wrote to memory of 4316	3036	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe	PhotoScreensaver.scr
PID 3036 wrote to memory of 4316	3036	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe	PhotoScreensaver.scr
PID 3036 wrote to memory of 4316	3036	d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe	PhotoScreensaver.scr
PID 1012 wrote to memory of 4780	1012	xuozue.exe	xuozue.exe
PID 1012 wrote to memory of 4780	1012	xuozue.exe	xuozue.exe
PID 1012 wrote to memory of 4780	1012	xuozue.exe	xuozue.exe
PID 1012 wrote to memory of 4780	1012	xuozue.exe	xuozue.exe
PID 1012 wrote to memory of 4780	1012	xuozue.exe	xuozue.exe
PID 1012 wrote to memory of 4780	1012	xuozue.exe	xuozue.exe
PID 1012 wrote to memory of 4780	1012	xuozue.exe	xuozue.exe
PID 1012 wrote to memory of 4780	1012	xuozue.exe	xuozue.exe
PID 1012 wrote to memory of 4780	1012	xuozue.exe	xuozue.exe

C:\Users\Admin\AppData\Local\Temp\d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
"C:\Users\Admin\AppData\Local\Temp\d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4472

C:\Users\Admin\AppData\Local\Temp\d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe
"C:\Users\Admin\AppData\Local\Temp\d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2.exe"71
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\xuozue.exe
"C:\Users\Admin\xuozue.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\xuozue.exe
"C:\Users\Admin\xuozue.exe" 71
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Windows\SysWOW64\PhotoScreensaver.scr
"C:\Windows\System32\PhotoScreensaver.scr" /S
3⤵
PID:4316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\xuozue.exe

Filesize
116KB

MD5
47b059248a97e2cbc4d28070100c3e10

SHA1
0f65e03a0bea15be580fcdc492e2c98ba7229108

SHA256
d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2

SHA512
64e9eb05ca8f48ef3c64573e43d17fd8eae0f53a16e872d56820da75c5d33891c7042e1c529ba28aca6573983d1097976b1cc4e88fa19188261ff07a17f4dd73

Download Submit
C:\Users\Admin\xuozue.exe

Filesize
116KB

MD5
47b059248a97e2cbc4d28070100c3e10

SHA1
0f65e03a0bea15be580fcdc492e2c98ba7229108

SHA256
d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2

SHA512
64e9eb05ca8f48ef3c64573e43d17fd8eae0f53a16e872d56820da75c5d33891c7042e1c529ba28aca6573983d1097976b1cc4e88fa19188261ff07a17f4dd73

Download Submit
C:\Users\Admin\xuozue.exe

Filesize
116KB

MD5
47b059248a97e2cbc4d28070100c3e10

SHA1
0f65e03a0bea15be580fcdc492e2c98ba7229108

SHA256
d16164e49fd72cc4bf5edd59526b09f4b3f0733af30941432a9920f2a33f79d2

SHA512
64e9eb05ca8f48ef3c64573e43d17fd8eae0f53a16e872d56820da75c5d33891c7042e1c529ba28aca6573983d1097976b1cc4e88fa19188261ff07a17f4dd73

Download Submit
memory/1012-142-0x0000000000000000-mapping.dmp

Download
memory/3036-140-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3036-141-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3036-134-0x0000000000000000-mapping.dmp

Download
memory/3036-137-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3036-135-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4316-147-0x0000000000000000-mapping.dmp

Download
memory/4780-148-0x0000000000000000-mapping.dmp

Download
memory/4780-155-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4780-156-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads