b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc

General

Target

b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
Size

77KB
MD5

b4d5d82b3b40b044f447ed1ec3d3f89f
SHA1

16febcd3b8f972e01271d91d4a1676f15d6ad0ea
SHA256

b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc
SHA512

7639a9a0e034abff038cc21c4cfa0195b135f85d80a97db52559b86ee628ce16d59559532f09becf85f207452bd2cedb72aa02bd6b84c8279038303339232ecd
SSDEEP

1536:0RfFwS4S15Bx8pEttgdO/mXpgWXOJgQmmogDcMH5fCVsJVafuegWXAi+oX9tWV0m:AfFwXS15Bx8pEttgdO/mXpgWXOJgQmmy

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

vouguu.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vouguu.exe

Executes dropped EXE 1 IoCs

Processes:

vouguu.exe

pid process

1924 vouguu.exe

Loads dropped DLL 2 IoCs

Processes:

b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe

pid	process
1228	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
1228	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vouguu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vouguu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\vouguu = "C:\\Users\\Admin\\vouguu.exe"	vouguu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vouguu.exe

pid	process
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe
1924	vouguu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exevouguu.exe

pid process

1228 b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
1924 vouguu.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exevouguu.exe

description	pid	process	target process
PID 1228 wrote to memory of 1924	1228	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe	vouguu.exe
PID 1228 wrote to memory of 1924	1228	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe	vouguu.exe
PID 1228 wrote to memory of 1924	1228	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe	vouguu.exe
PID 1228 wrote to memory of 1924	1228	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe	vouguu.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
PID 1924 wrote to memory of 1228	1924	vouguu.exe	b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe

C:\Users\Admin\AppData\Local\Temp\b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe
"C:\Users\Admin\AppData\Local\Temp\b292b62fe86dd9c3bd799c35b84a58ab58c439738f35c109547e1005bc9a8abc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\vouguu.exe
"C:\Users\Admin\vouguu.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vouguu.exe

Filesize
77KB

MD5
d7347ac3e0d39c613b5c11b7ee8c633b

SHA1
75b9cc53ad68c552cdf9cc49db2d9eeb6c6ce11a

SHA256
d26681ffc9ffeece3d3c04b25cd57b335ddfe57847ea9093c1b7dd2c46bda6b2

SHA512
24d52f46d7ec7d0317bc7590c83199470eb23571e58f0ffd7b66d5e714f1e0ee9567b1cc35228e3e08d46a02fd740762b87df6510bd234f4b3667b715afa54b9

Download Submit
C:\Users\Admin\vouguu.exe

Filesize
77KB

MD5
d7347ac3e0d39c613b5c11b7ee8c633b

SHA1
75b9cc53ad68c552cdf9cc49db2d9eeb6c6ce11a

SHA256
d26681ffc9ffeece3d3c04b25cd57b335ddfe57847ea9093c1b7dd2c46bda6b2

SHA512
24d52f46d7ec7d0317bc7590c83199470eb23571e58f0ffd7b66d5e714f1e0ee9567b1cc35228e3e08d46a02fd740762b87df6510bd234f4b3667b715afa54b9

Download Submit
\Users\Admin\vouguu.exe

Filesize
77KB

MD5
d7347ac3e0d39c613b5c11b7ee8c633b

SHA1
75b9cc53ad68c552cdf9cc49db2d9eeb6c6ce11a

SHA256
d26681ffc9ffeece3d3c04b25cd57b335ddfe57847ea9093c1b7dd2c46bda6b2

SHA512
24d52f46d7ec7d0317bc7590c83199470eb23571e58f0ffd7b66d5e714f1e0ee9567b1cc35228e3e08d46a02fd740762b87df6510bd234f4b3667b715afa54b9

Download Submit
\Users\Admin\vouguu.exe

Filesize
77KB

MD5
d7347ac3e0d39c613b5c11b7ee8c633b

SHA1
75b9cc53ad68c552cdf9cc49db2d9eeb6c6ce11a

SHA256
d26681ffc9ffeece3d3c04b25cd57b335ddfe57847ea9093c1b7dd2c46bda6b2

SHA512
24d52f46d7ec7d0317bc7590c83199470eb23571e58f0ffd7b66d5e714f1e0ee9567b1cc35228e3e08d46a02fd740762b87df6510bd234f4b3667b715afa54b9

Download Submit
memory/1228-56-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1924-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads