fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b

General

Target

fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe
Size

152KB
MD5

368ac0927921f7aa3bb88ec0eabfe720
SHA1

89c3446e03917a90aa1a9b4b5fcc9cd6053e200f
SHA256

fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b
SHA512

bffa31685aead2666c4b48ad2ffb31ec7505ce47fb93a1bc2706fee5ca67b01f64c5370c2ddf0f6fa81930c335742b66e824b27426d5026fdee6dc17f0affe37
SSDEEP

3072:y3s/Yvl3Po5+tTjFqV+t3DRGCKBiAKE4oQZiEBfz:MQ5+t8+NDR5ApWj

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exexooquu.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xooquu.exe

Executes dropped EXE 1 IoCs

Processes:

xooquu.exe

pid process

1484 xooquu.exe

pid	process
1484	xooquu.exe

Loads dropped DLL 2 IoCs

Processes:

fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe

pid	process
1088	fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe
1088	fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xooquu.exefe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /R"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /l"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /u"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /z"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /M"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /D"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /b"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /e"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /W"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /a"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /X"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /H"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /V"	xooquu.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /n"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /N"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /d"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /T"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /t"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /x"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /K"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /m"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /L"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /y"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /i"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /H"	fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /j"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /P"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /U"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /O"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /s"	xooquu.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /o"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /J"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /Z"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /Q"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /Y"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /h"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /G"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /g"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /k"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /S"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /p"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /f"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /A"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /w"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /B"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /v"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /E"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /I"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /F"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /c"	xooquu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\xooquu = "C:\\Users\\Admin\\xooquu.exe /C"	xooquu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exexooquu.exe

pid	process
1088	fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe
1484	xooquu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exexooquu.exe

pid process

1088 fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe
1484 xooquu.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe

description	pid	process	target process
PID 1088 wrote to memory of 1484	1088	fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe	xooquu.exe
PID 1088 wrote to memory of 1484	1088	fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe	xooquu.exe
PID 1088 wrote to memory of 1484	1088	fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe	xooquu.exe
PID 1088 wrote to memory of 1484	1088	fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe	xooquu.exe

C:\Users\Admin\AppData\Local\Temp\fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe
"C:\Users\Admin\AppData\Local\Temp\fe4066548b5b7c39f4248ad7c0b0572ebc3f90494fbf5919a46c2b77b2a7a98b.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\xooquu.exe
"C:\Users\Admin\xooquu.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\xooquu.exe

Filesize
152KB

MD5
e88c5e9118f0b19a8b280a795f32abe9

SHA1
b065c1572e148d5a135e4cec32732d7cbee773f3

SHA256
89e5cdfbe50db6226a5c5b86fe8b0bb056d084b3d117b206571a953f03d99aae

SHA512
9b050d5c74b408ad7992c92b1803e41b4b5fa9aef4c74fc23f408e21416bd14e04e3408f9b16594e08d66f8c181a1086a055150056dc64d135a92aabc0642964

Download Submit
C:\Users\Admin\xooquu.exe

Filesize
152KB

MD5
e88c5e9118f0b19a8b280a795f32abe9

SHA1
b065c1572e148d5a135e4cec32732d7cbee773f3

SHA256
89e5cdfbe50db6226a5c5b86fe8b0bb056d084b3d117b206571a953f03d99aae

SHA512
9b050d5c74b408ad7992c92b1803e41b4b5fa9aef4c74fc23f408e21416bd14e04e3408f9b16594e08d66f8c181a1086a055150056dc64d135a92aabc0642964

Download Submit
\Users\Admin\xooquu.exe

Filesize
152KB

MD5
e88c5e9118f0b19a8b280a795f32abe9

SHA1
b065c1572e148d5a135e4cec32732d7cbee773f3

SHA256
89e5cdfbe50db6226a5c5b86fe8b0bb056d084b3d117b206571a953f03d99aae

SHA512
9b050d5c74b408ad7992c92b1803e41b4b5fa9aef4c74fc23f408e21416bd14e04e3408f9b16594e08d66f8c181a1086a055150056dc64d135a92aabc0642964

Download Submit
\Users\Admin\xooquu.exe

Filesize
152KB

MD5
e88c5e9118f0b19a8b280a795f32abe9

SHA1
b065c1572e148d5a135e4cec32732d7cbee773f3

SHA256
89e5cdfbe50db6226a5c5b86fe8b0bb056d084b3d117b206571a953f03d99aae

SHA512
9b050d5c74b408ad7992c92b1803e41b4b5fa9aef4c74fc23f408e21416bd14e04e3408f9b16594e08d66f8c181a1086a055150056dc64d135a92aabc0642964

Download Submit
memory/1088-69-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1088-57-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1088-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1088-65-0x0000000002E00000-0x0000000002E2D000-memory.dmp

Filesize
180KB

Download
memory/1088-66-0x0000000002E00000-0x0000000002E2D000-memory.dmp

Filesize
180KB

Download
memory/1088-70-0x0000000002E00000-0x0000000002E2D000-memory.dmp

Filesize
180KB

Download
memory/1484-60-0x0000000000000000-mapping.dmp

Download
memory/1484-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1484-71-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads