b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1

General

Target

b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
Size

224KB
MD5

271b8ed644e1a0d7174656cb92043a20
SHA1

e746d5103325e5e42f1ff9440630cc90f0e1562d
SHA256

b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1
SHA512

68075c200a99efbe0410e25be0e0c6a5ea6cca355585ed61e3fb77285a36a9a570faae1ae810b1da63b799fe6763540e97d1406f04b292ca0f864333eb932ce1
SSDEEP

3072:hiYc7aWbqDImDrT+UvtkvnNBLieMyiayNe2XKrJlZmNlDY:hFAuImDrT+U1QtMyiaO6mS

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exevuulec.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vuulec.exe

Executes dropped EXE 1 IoCs

Processes:

vuulec.exe

pid process

612 vuulec.exe

pid	process
612	vuulec.exe

Loads dropped DLL 2 IoCs

Processes:

b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe

pid	process
1760	b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
1760	b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vuulec.exeb9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /N"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /f"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /T"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /k"	vuulec.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /s"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /a"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /G"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /O"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /d"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /B"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /P"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /w"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /x"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /y"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /A"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /q"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /Y"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /V"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /M"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /U"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /X"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /c"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /b"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /J"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /j"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /r"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /e"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /i"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /t"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /D"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /I"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /l"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /u"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /p"	vuulec.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /C"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /Q"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /K"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /h"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /z"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /n"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /W"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /Z"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /S"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /v"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /m"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /F"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /o"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /E"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /H"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /j"	b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /R"	vuulec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuulec = "C:\\Users\\Admin\\vuulec.exe /L"	vuulec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exevuulec.exe

pid	process
1760	b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe
612	vuulec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exevuulec.exe

pid process

1760 b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
612 vuulec.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe

description	pid	process	target process
PID 1760 wrote to memory of 612	1760	b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe	vuulec.exe
PID 1760 wrote to memory of 612	1760	b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe	vuulec.exe
PID 1760 wrote to memory of 612	1760	b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe	vuulec.exe
PID 1760 wrote to memory of 612	1760	b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe	vuulec.exe

C:\Users\Admin\AppData\Local\Temp\b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
"C:\Users\Admin\AppData\Local\Temp\b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\vuulec.exe
"C:\Users\Admin\vuulec.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vuulec.exe
Filesize
224KB

MD5
11de8a98d0497f0a5a467f4ac7be740f

SHA1
da3c87831b39b008de5743d39c026a41cb1b4743

SHA256
3bd752d7b55462772e2578ba2eefb00d09022c6b3f7c5237c7cda24209fe8217

SHA512
1cca963f6f8523603aa71158f29ba4ca3b81c2181b233e425db6be0526025a6b0f7f7858f239438575424e6464d568804ea7c004d7d4ce5faee5b49275127dee

Download Submit
C:\Users\Admin\vuulec.exe
Filesize
224KB

MD5
11de8a98d0497f0a5a467f4ac7be740f

SHA1
da3c87831b39b008de5743d39c026a41cb1b4743

SHA256
3bd752d7b55462772e2578ba2eefb00d09022c6b3f7c5237c7cda24209fe8217

SHA512
1cca963f6f8523603aa71158f29ba4ca3b81c2181b233e425db6be0526025a6b0f7f7858f239438575424e6464d568804ea7c004d7d4ce5faee5b49275127dee

Download Submit
\Users\Admin\vuulec.exe
Filesize
224KB

MD5
11de8a98d0497f0a5a467f4ac7be740f

SHA1
da3c87831b39b008de5743d39c026a41cb1b4743

SHA256
3bd752d7b55462772e2578ba2eefb00d09022c6b3f7c5237c7cda24209fe8217

SHA512
1cca963f6f8523603aa71158f29ba4ca3b81c2181b233e425db6be0526025a6b0f7f7858f239438575424e6464d568804ea7c004d7d4ce5faee5b49275127dee

Download Submit
\Users\Admin\vuulec.exe
Filesize
224KB

MD5
11de8a98d0497f0a5a467f4ac7be740f

SHA1
da3c87831b39b008de5743d39c026a41cb1b4743

SHA256
3bd752d7b55462772e2578ba2eefb00d09022c6b3f7c5237c7cda24209fe8217

SHA512
1cca963f6f8523603aa71158f29ba4ca3b81c2181b233e425db6be0526025a6b0f7f7858f239438575424e6464d568804ea7c004d7d4ce5faee5b49275127dee

Download Submit
memory/612-59-0x0000000000000000-mapping.dmp

Download
memory/1760-56-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads