Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 00:18
Static task: static1
Behavioral task: behavioral1
  Sample: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
  Resource: win10v2004-20220812-en
General
Target: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
Size: 224KB
MD5: 173d587752501adc66abc51591ddd7b0
SHA1: c3e4fcbebb3f54093ef225e8bf27b8c6a6bc7079
SHA256: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502
SHA512: 27ceac3c9b575bc043293061baa2a412182149744c4ab72cd0e4c28fd8d1b9b8326320bf48d078b60de5d7ff1ffd70664206c89279603f8d42193b5fe0b7b059
SSDEEP: 3072:RXyqNsMoBuBoZVpl2mclbj4Uvx+8ysNOu+2eRcKksU61JkkX39RLrw4ySKUbax26:gqN5BMp4LnbmlrZW
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe, paaok.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | paaok.exe
Executes dropped EXE (1 IoCs)
Processes: paaok.exe
pid | process
4744 | paaok.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
Adds Run key to start application (2 TTPs, 29 IoCs)
Processes: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe, paaok.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /c" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /b" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /n" | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /h" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /t" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /n" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /s" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /e" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /l" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /i" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /j" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /k" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /p" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /a" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /y" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /d" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /v" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /r" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /u" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /x" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /m" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /w" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /o" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /z" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /f" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /q" | paaok.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\paaok = "C:\\Users\\Admin\\paaok.exe /g" | paaok.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe, paaok.exe
pid | process
2148 | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
2148 | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
4744 | paaok.exe (this entry is repeated for the remaining IoCs; 64 in total including the two above)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe, paaok.exe
pid | process
2148 | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
4744 | paaok.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
description | pid | process | target process
PID 2148 wrote to memory of 4744 | 2148 | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe | paaok.exe
PID 2148 wrote to memory of 4744 | 2148 | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe | paaok.exe
PID 2148 wrote to memory of 4744 | 2148 | 73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe | paaok.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\73a7cefe584655a547a42fc55846ad704e15cf8829b25fd41f36d5c5bcd5f502.exe"
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\paaok.exe
      Command line: "C:\Users\Admin\paaok.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\paaok.exe
Filesize: 224KB
MD5: 59c834e5ad41a09569ee833e2121f4c9
SHA1: bf29f7b8696601e5fb541147da9af9ca94d5e42c
SHA256: 3a2028bbd5b0c9548d412ebed8d1dd9acb8b30eeb0eb8cdfff0ee05aacb5d639
SHA512: 5a7976f857861d1aacf23a6f7a1e26366c4cb601cac47c19e3d1530536d341a9564c3f96ac8ea038c24119b793a575e43327ea5cc3d5a22de0e147c31da710bb
memory/2148-132-0x0000000000400000-0x000000000043C000-memory.dmp
Filesize: 240KB

memory/2148-141-0x0000000000400000-0x000000000043C000-memory.dmp
Filesize: 240KB

memory/4744-135-0x0000000000000000-mapping.dmp

memory/4744-140-0x0000000000400000-0x000000000043C000-memory.dmp
Filesize: 240KB

memory/4744-142-0x0000000000400000-0x000000000043C000-memory.dmp
Filesize: 240KB