Analysis
max time kernel: 151s
max time network: 50s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 00:18
Static task: static1
Behavioral task: behavioral1
  Sample: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
  Resource: win10v2004-20220812-en
General
Target: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
Size: 224KB
MD5: 173d587752501adc66abc51591ddd7b0
SHA1: c3e4fcbebb3f54093ef225e8bf27b8c6a6bc7079
SHA256: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502
SHA512: 27ceac3c9b575bc043293061baa2a412182149744c4ab72cd0e4c28fd8d1b9b8326320bf48d078b60de5d7ff1ffd70664206c89279603f8d42193b5fe0b7b059
SSDEEP: 3072:RXyqNsMoBuBoZVpl2mclbj4Uvx+8ysNOu+2eRcKksU61JkkX39RLrw4ySKUbax26:gqN5BMp4LnbmlrZW
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe, veuwoex.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | veuwoex.exe
Executes dropped EXE (1 IoC)
Processes: veuwoex.exe
pid | process
1104 | veuwoex.exe
Loads dropped DLL (2 IoCs)
Processes: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
pid | process
1476 | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
1476 | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
Adds Run key to start application (2 TTPs, 29 IoCs)
Processes: veuwoex.exe, 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
All entries below are under the key \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run
description | ioc | process
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /f" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /s" | veuwoex.exe
Key created | Run\ | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /o" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /a" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /y" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /e" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /b" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /m" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /d" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /g" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /t" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /s" | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /r" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /z" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /h" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /k" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /q" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /c" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /i" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /p" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /l" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /w" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /j" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /u" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /n" | veuwoex.exe
Key created | Run\ | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /v" | veuwoex.exe
Set value (str) | veuwoex = "C:\\Users\\Admin\\veuwoex.exe /x" | veuwoex.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe, veuwoex.exe
pid | process
1476 | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
1104 | veuwoex.exe (this entry is repeated for each of the remaining IoCs; 64 in total with the one above)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe, veuwoex.exe
pid | process
1476 | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
1104 | veuwoex.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
description | pid | process | target process
PID 1476 wrote to memory of 1104 | 1476 | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe | veuwoex.exe
PID 1476 wrote to memory of 1104 | 1476 | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe | veuwoex.exe
PID 1476 wrote to memory of 1104 | 1476 | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe | veuwoex.exe
PID 1476 wrote to memory of 1104 | 1476 | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe | veuwoex.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe"
   PID: 1476
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\veuwoex.exe (child of PID 1476)
      Command line: "C:\Users\Admin\veuwoex.exe"
      PID: 1104
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 224KB
MD5: 7b2d308c0950a430e0c1587f10817239
SHA1: 34937ffea5657660a59b0a8f5dde0188f19a91c0
SHA256: b5773b27b4c1faa2c9c9e6570d266fe533cd7543648faad4bcf799578c6a856c
SHA512: 8b64925ffad426d90f56016480b02b4ae796337b4f3282550428c796e64cceff79a4ac4f00781a3153a93dea542834fdb711bd575cce4d97df06804706e81b09