52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe

General

Target

52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exe
Size

156KB
MD5

1acb541c4d588455777cc14b34dea100
SHA1

18fa51087b108886b4cdb61a66607e3d3219ab55
SHA256

52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe
SHA512

f1cab42de84cdc1e35684a7a3061a35f4e1a06e96a285aa969842bb22f7729ae03cb8b0080751d16e7313dc8cb3d865e7d2d9bc48740377b181aa1790d8b665c
SSDEEP

3072:MK3gJdOYt+Vvu/5gEsSy8dH0pLaATo4oi6Yp4oQZiEIo:neqvuTD0pLa2o4uYDWV

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exetoitueq.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	toitueq.exe

Executes dropped EXE 1 IoCs

Processes:

toitueq.exe

pid process

5096 toitueq.exe

pid	process
5096	toitueq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exe

Adds Run key to start application 2 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

toitueq.exe52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /T"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /y"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /f"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /w"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /n"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /a"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /k"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /d"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /b"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /e"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /X"	52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /g"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /S"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /R"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /m"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /L"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /X"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /z"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /s"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /Z"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /v"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /o"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /D"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /t"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /A"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /c"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /l"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /F"	toitueq.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /V"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /E"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /P"	toitueq.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /M"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /Q"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /K"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /C"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /G"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /u"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /Y"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /B"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /W"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /O"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /h"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /U"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /I"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /i"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /N"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /p"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /r"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /J"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /j"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /H"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /x"	toitueq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\toitueq = "C:\\Users\\Admin\\toitueq.exe /q"	toitueq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exetoitueq.exe

pid	process
4568	52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exe
4568	52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe
5096	toitueq.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exetoitueq.exe

pid process

4568 52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exe
5096 toitueq.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exe

description	pid	process	target process
PID 4568 wrote to memory of 5096	4568	52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exe	toitueq.exe
PID 4568 wrote to memory of 5096	4568	52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exe	toitueq.exe
PID 4568 wrote to memory of 5096	4568	52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exe	toitueq.exe

C:\Users\Admin\AppData\Local\Temp\52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exe
"C:\Users\Admin\AppData\Local\Temp\52b2e8816899d67ab95751c2be7da6c0b3afc00f7bd8c9bfd24de9c7569530fe.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\toitueq.exe
"C:\Users\Admin\toitueq.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\toitueq.exe

Filesize
156KB

MD5
bea65d0c768633f7b1e3bb2f8dc18866

SHA1
f93792acd973863f9e17885f6503f8a2c9851f95

SHA256
7d21b3d917588a232ba8932e5c8af23f78b8048230ab823891c76743f23e7e43

SHA512
b1887ba8b7615385cddf2258a06344231ca3c34184b69eb8f0c19435fde982ecf0b9d096684be77de18d6b4f79029c28e6c77ee9253ba1b8b27cfc8e5f6ac04f

Download Submit
C:\Users\Admin\toitueq.exe

Filesize
156KB

MD5
bea65d0c768633f7b1e3bb2f8dc18866

SHA1
f93792acd973863f9e17885f6503f8a2c9851f95

SHA256
7d21b3d917588a232ba8932e5c8af23f78b8048230ab823891c76743f23e7e43

SHA512
b1887ba8b7615385cddf2258a06344231ca3c34184b69eb8f0c19435fde982ecf0b9d096684be77de18d6b4f79029c28e6c77ee9253ba1b8b27cfc8e5f6ac04f

Download Submit
memory/5096-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads