Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 00:19
Static task: static1

Behavioral task: behavioral1
Sample: b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
Resource: win10v2004-20220812-en

The results on this page come from behavioral2 (the win10v2004-20220812-en run listed under platform and resource above); the win7 run is a separate task.
General

Target: b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
Size: 224KB
MD5: 271b8ed644e1a0d7174656cb92043a20
SHA1: e746d5103325e5e42f1ff9440630cc90f0e1562d
SHA256: b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1
SHA512: 68075c200a99efbe0410e25be0e0c6a5ea6cca355585ed61e3fb77285a36a9a570faae1ae810b1da63b799fe6763540e97d1406f04b292ca0f864333eb932ce1
SSDEEP: 3072:hiYc7aWbqDImDrT+UvtkvnNBLieMyiayNe2XKrJlZmNlDY:hFAuImDrT+U1QtMyiaO6mS
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Both the submitted sample and the dropped copy set ShowSuperHidden to 0, which turns Explorer's "show protected operating system files" option off, so a file carrying the hidden+system attributes stays out of sight for the user.
Processes: doalui.exe, b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | doalui.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
Executes dropped EXE (1 IoC)
pid | process
3752 | doalui.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes: b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
Adds Run key to start application (2 TTPs, 55 IoCs)
Processes: doalui.exe, b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
All 55 rows touch the same per-user Run key and the same value name, "doalui", which points at the dropped C:\Users\Admin\doalui.exe. The submitted sample creates the key and writes the value once (switch /a); the dropped copy then rewrites that single value 52 times, once for every single-letter switch a-z and A-Z, so only the last write survives as the persistence entry. For hunting, match on the value name and image path rather than on any particular switch.
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doalui = "C:\\Users\\Admin\\doalui.exe /a" | b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | doalui.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doalui = "C:\\Users\\Admin\\doalui.exe /<switch>" | doalui.exe
  (52 rows; <switch> in the order the report lists them: /e /M /A /z /V /U /E /m /h /b /x /f /L /j /u /S /w /d /Y /n /D /T /O /J /W /q /v /Q /g /l /F /r /s /i /P /y /k /K /H /o /R /I /X /B /a /C /c /N /t /Z /G /p)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s); the sandbox labels this as likely ransomware behaviour. No IoC rows are attached to this signature in the report, so treat it as a heuristic rather than confirmed ransomware activity.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe, doalui.exe
pid | process | occurrences
1180 | b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe | 2
3752 | doalui.exe | 62
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe, doalui.exe
pid | process
1180 | b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
3752 | doalui.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
description | pid | process | target process | occurrences
PID 1180 wrote to memory of 3752 | 1180 | b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe | doalui.exe | 3
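The signature tables above are the report's registry IoCs in flattened form. The Python below is an added example, not part of the sandbox report or the sample: it parses a subset of those rows back into structured records, derives three hunting rules from them (an exact match on a report row, a generalized rule for any profile-root autorun with a single-letter switch, and a rule for ShowSuperHidden being cleared by a process other than Explorer), and runs them over Sysmon EventID 13 style records. The Sysmon events, the user name alice, the SID in them, and the profile-root heuristic are constructed assumptions; the Geo\Nation read gets no rule because Sysmon does not log registry reads.

```python
"""Added example, not part of the sandbox report: parse the report's flattened
registry IoC rows, derive hunting rules, run them over Sysmon-style events."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Rows copied from the report's signature tables: one ShowSuperHidden row, the Geo\Nation
# read, three of the 55 Run-key rows. Raw string keeps the report's doubled backslashes.
REPORT_ROWS = r'''
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" doalui.exe
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doalui = "C:\\Users\\Admin\\doalui.exe /e" doalui.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doalui = "C:\\Users\\Admin\\doalui.exe /M" doalui.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doalui = "C:\\Users\\Admin\\doalui.exe /a" b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\ doalui.exe
'''

ROW_RE = re.compile(r'^(Set value \((?:int|str)\)|Key value queried|Key created) (.*) (\S+)$')
SID_RE = re.compile(r'S-1-5-21-\d+-\d+-\d+-\d+')
DWORD_RE = re.compile(r'^DWORD \(0x([0-9A-Fa-f]+)\)$')   # how Sysmon renders REG_DWORD data
RUN_KEY = '\\software\\microsoft\\windows\\currentversion\\run\\'
# Assumption (a generalization, not something the report states): autorun data that is an
# .exe sitting directly in a user-profile root, launched with one single-letter switch.
PROFILE_ROOT_SWITCH_RE = re.compile(r'^"?[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe"? /[A-Za-z]$')


@dataclass(frozen=True)
class RegIoc:
    action: str          # "Set value (str)", "Key created", "Key value queried"
    path: str            # hive prefix dropped, SID -> <sid>, lowercased
    data: Optional[str]  # value data with doubled backslashes undone; None for key rows
    process: str         # image name the sandbox attributed the action to


def normalize_key(path: str) -> str:
    r"""Map sandbox (\REGISTRY\USER\<sid>\...) and Sysmon (HKU\<sid>\...) spellings to one form."""
    p = SID_RE.sub('<sid>', path)
    for prefix in ('\\REGISTRY\\USER\\', 'HKU\\', 'HKEY_USERS\\'):
        if p.upper().startswith(prefix):
            p = p[len(prefix):]
            break
    return p.lower()


def normalize_data(data: str) -> str:
    """Sysmon logs a REG_DWORD as 'DWORD (0x00000000)'; the sandbox prints it as "0"."""
    m = DWORD_RE.match(data)
    return str(int(m.group(1), 16)) if m else data


def parse_rows(text: str) -> List[RegIoc]:
    iocs = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f'unparsed row: {line!r}')
        action, target, process = m.groups()
        data = None
        if ' = "' in target:                      # value rows carry  = "<data>"
            target, data = target.split(' = "', 1)
            data = data.rstrip('"').replace('\\\\', '\\')
        iocs.append(RegIoc(action, normalize_key(target), data, process.lower()))
    return iocs


def run_key_switches(iocs: List[RegIoc]) -> set:
    """Distinct switches written to the Run value 'doalui'. Over the full report this is all
    52 letters a-z/A-Z: the dropped copy rewrites the same value once per letter."""
    return {ioc.data.rsplit(' ', 1)[-1] for ioc in iocs
            if ioc.action.startswith('Set value') and ioc.path.endswith(RUN_KEY + 'doalui') and ioc.data}


def hunt(event: dict, iocs: List[RegIoc]) -> List[str]:
    """Names of the rules that fire for one Sysmon-style registry event (EventID 13 fields)."""
    hits = []
    key = normalize_key(event['TargetObject'])
    details = normalize_data(event.get('Details', ''))
    image = event.get('Image', '').rsplit('\\', 1)[-1].lower()
    # Rule 1: exact (key, data, process) triple lifted from a "Set value" row of the report.
    # Precise, but blind to another victim user name or another switch letter.
    if any(ioc.action.startswith('Set value') and ioc.path == key
           and ioc.data == details and ioc.process == image for ioc in iocs):
        hits.append('report_ioc')
    # Rule 2 (generalized): per-user Run value pointing at <profile root>\x.exe /<letter>.
    if RUN_KEY in key and PROFILE_ROOT_SWITCH_RE.match(details):
        hits.append('run_value_profile_root_switch')
    # Rule 3: ShowSuperHidden cleared by something other than Explorer itself.
    if key.endswith('\\explorer\\advanced\\showsuperhidden') and details == '0' and image != 'explorer.exe':
        hits.append('showsuperhidden_cleared_by_nonexplorer')
    # No rule for the Geo\Nation lookup: Sysmon has no registry-read event.
    return hits


# Constructed Sysmon EventID 13 records (user "alice" and the SID are invented).
SAMPLE_EVENTS = [
    {'Image': r'C:\Users\alice\doalui.exe', 'Details': r'C:\Users\alice\doalui.exe /Q',   # other user, other switch
     'TargetObject': r'HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\doalui'},
    {'Image': r'C:\Users\alice\doalui.exe', 'Details': 'DWORD (0x00000000)',
     'TargetObject': r'HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden'},
    {'Image': r'C:\Windows\explorer.exe', 'Details': 'DWORD (0x00000000)',                 # user toggled the option: benign
     'TargetObject': r'HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden'},
    {'Image': r'C:\Program Files\Vendor\updater.exe', 'Details': r'"C:\Program Files\Vendor\updater.exe" /background',  # benign autorun
     'TargetObject': r'HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater'},
]

if __name__ == '__main__':
    iocs = parse_rows(REPORT_ROWS)
    print('switches seen in the Run value:', sorted(run_key_switches(iocs)))
    for ev in SAMPLE_EVENTS:
        print(ev['Image'], '->', hunt(ev, iocs) or 'no hit')
```

The first sample event shows why the exact-match rule alone is not enough: a different user name and a different switch letter defeat it, while the generalized rule still fires. The third event shows the opposite concern, a user legitimately toggling the Explorer option, which rule 3 excludes by requiring a non-Explorer writer and rule 1 excludes because the report attributes the write to doalui.exe.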
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe  (PID 1180, depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\b9964f3110010e84048c0574f2461ca0bd876f0172a99895dc0e22eff5ee28f1.exe"
- Modifies visibility of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\doalui.exe  (PID 3752, depth 2, spawned by PID 1180)
  command line: "C:\Users\Admin\doalui.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\doalui.exe
Filesize: 224KB
MD5: cc4678206ff8af8ccbc2a4fdaea826ff
SHA1: 64cef8672ef25651c1f028757d26b1f52f5c85b3
SHA256: f53acae104848f4fe5a1132c9438590d1394b4d090bed6d955d57a12aafecedc
SHA512: 419c876098a34afbdddef9da2b349a5c0a3a15e0d6deab83718659d4b4bd2072cc83b74d778cf376636c74f502f6a952b7b03aa3a8cc24400f3a68306bea482d
The dropped file has the same 224KB size as the submitted sample but different hashes, so it is not a byte-for-byte copy of the parent; hash-based blocking of the submitted sample alone will not cover the persisted copy.
-
memory/3752-134-0x0000000000000000-mapping.dmp