272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925

General

Target

272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe
Size

224KB
MD5

276ea683aea51e676f728ab681972cfe
SHA1

3482a245e220bf80453897ffb9ce36eb77df9272
SHA256

272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925
SHA512

aa318d01d800f77893471365cb9a9d5f5998dde91583a0b4d9c5fb0b586756170a6167cc5e6db8eca4a5534b20a96943d296378af67fd7e46c8f5948afb984f9
SSDEEP

1536:z7r/YQsVV5awoIZsh0CF+sKE0C1rZL4H0c2BHtg1/J+iZAb+g9WCyiHC/XRG1iFg:jAQa5MOFCsv/CL0jJMNWCyiHC31psL

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

suaimu.exe272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	suaimu.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe

Executes dropped EXE 1 IoCs

Processes:

suaimu.exe

pid process

2240 suaimu.exe

pid	process
2240	suaimu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

suaimu.exe272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /l"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /p"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /o"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /e"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /q"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /f"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /t"	suaimu.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /y"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /k"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /z"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /h"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /u"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /x"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /j"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /i"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /a"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /d"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /r"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /c"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /f"	272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /m"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /s"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /n"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /g"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /w"	suaimu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\suaimu = "C:\\Users\\Admin\\suaimu.exe /v"	suaimu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exesuaimu.exe

pid	process
4232	272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe
4232	272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe
2240	suaimu.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exesuaimu.exe

pid	process
4232	272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe
4232	272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe
2240	suaimu.exe
2240	suaimu.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe

description	pid	process	target process
PID 4232 wrote to memory of 2240	4232	272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe	suaimu.exe
PID 4232 wrote to memory of 2240	4232	272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe	suaimu.exe
PID 4232 wrote to memory of 2240	4232	272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe	suaimu.exe

C:\Users\Admin\AppData\Local\Temp\272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe
"C:\Users\Admin\AppData\Local\Temp\272e4215237515acfeb3d6a818660b97e46b85a90fbb8f0404dc4d44e6cda925.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4232

C:\Users\Admin\suaimu.exe
"C:\Users\Admin\suaimu.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\suaimu.exe

Filesize
224KB

MD5
65623952c6a0c8eebbd0b8088e2cf484

SHA1
661f0ca08acaadb8dae7eb14506cab967923693c

SHA256
56f67b8bada3c69bf3ccedfc5b888d4538b2c34c32ea1304d6c3d6dcb041969c

SHA512
662e0c3c90b43afdc4620dbf0fa5a0c5f283d88a647b93dcd4d728f523b456f6caec70f1e0fc777e638c07fe768c60e71230f86d0341de4d2013466899845c09

Download Submit
C:\Users\Admin\suaimu.exe

Filesize
224KB

MD5
65623952c6a0c8eebbd0b8088e2cf484

SHA1
661f0ca08acaadb8dae7eb14506cab967923693c

SHA256
56f67b8bada3c69bf3ccedfc5b888d4538b2c34c32ea1304d6c3d6dcb041969c

SHA512
662e0c3c90b43afdc4620dbf0fa5a0c5f283d88a647b93dcd4d728f523b456f6caec70f1e0fc777e638c07fe768c60e71230f86d0341de4d2013466899845c09

Download Submit
memory/2240-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads