7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081

Analysis

max time kernel
192s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exe
Size

124KB
MD5

079bf5e3519078072252d2b5f7d4c5f0
SHA1

7b34b6d662118ac9e7502b22e1e9c4df8b9dfa96
SHA256

7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081
SHA512

adce0f3f3a66a0c53acc36ebf28feb20509373c485aeafedba8ce95cbafd818add3caf59d9ff67e9afd89a807a983958c3ef5677b8c1c2eef98c541460701b7c
SSDEEP

1536:mOszW5YNmVJhRO/N69BH3OoGa+FLHjKceRgrkOSoINeGUmE:rG0YYLhkFoN3Oo1+FvfSW

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 14 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

wodan.exedaimeir.exeboobua.exessdaq.exebeiituc.exe7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exevaieroh.exeqylaaf.exergjal.exezbzim.exeyauhau.exexooju.exenaufoub.exefuugio.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wodan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	daimeir.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	boobua.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ssdaq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	beiituc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vaieroh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qylaaf.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rgjal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zbzim.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yauhau.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xooju.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	naufoub.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fuugio.exe

Executes dropped EXE 14 IoCs

Processes:

yauhau.exewodan.exedaimeir.exeboobua.exevaieroh.exessdaq.exexooju.exeqylaaf.exenaufoub.exebeiituc.exergjal.exezbzim.exefuugio.exemaawef.exe

pid	process
4660	yauhau.exe
932	wodan.exe
948	daimeir.exe
3476	boobua.exe
2076	vaieroh.exe
2648	ssdaq.exe
4956	xooju.exe
3580	qylaaf.exe
4548	naufoub.exe
1328	beiituc.exe
3612	rgjal.exe
456	zbzim.exe
3964	fuugio.exe
4876	maawef.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exessdaq.exebeiituc.exeyauhau.exeboobua.exexooju.exefuugio.exedaimeir.exergjal.exezbzim.exewodan.exevaieroh.exeqylaaf.exenaufoub.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	ssdaq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	beiituc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	yauhau.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	boobua.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	xooju.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	fuugio.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	daimeir.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	rgjal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	zbzim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	wodan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	vaieroh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	qylaaf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	naufoub.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yauhau.exewodan.exedaimeir.exebeiituc.exefuugio.exe7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exessdaq.exexooju.exenaufoub.exergjal.exevaieroh.exeqylaaf.exeboobua.exezbzim.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	yauhau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\daimeir = "C:\\Users\\Admin\\daimeir.exe /M"	wodan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boobua = "C:\\Users\\Admin\\boobua.exe /U"	daimeir.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	beiituc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rgjal = "C:\\Users\\Admin\\rgjal.exe /L"	beiituc.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	fuugio.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xooju = "C:\\Users\\Admin\\xooju.exe /H"	ssdaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qylaaf = "C:\\Users\\Admin\\qylaaf.exe /d"	xooju.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wodan = "C:\\Users\\Admin\\wodan.exe /k"	yauhau.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	naufoub.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	rgjal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zbzim = "C:\\Users\\Admin\\zbzim.exe /h"	rgjal.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	daimeir.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	wodan.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vaieroh.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	qylaaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yauhau = "C:\\Users\\Admin\\yauhau.exe /Q"	7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\maawef = "C:\\Users\\Admin\\maawef.exe /t"	fuugio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssdaq = "C:\\Users\\Admin\\ssdaq.exe /K"	vaieroh.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ssdaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaieroh = "C:\\Users\\Admin\\vaieroh.exe /w"	boobua.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	xooju.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naufoub = "C:\\Users\\Admin\\naufoub.exe /r"	qylaaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beiituc = "C:\\Users\\Admin\\beiituc.exe /L"	naufoub.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	zbzim.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuugio = "C:\\Users\\Admin\\fuugio.exe /l"	zbzim.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	boobua.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exeyauhau.exewodan.exedaimeir.exeboobua.exevaieroh.exessdaq.exexooju.exeqylaaf.exenaufoub.exebeiituc.exergjal.exezbzim.exefuugio.exe

pid	process
1584	7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exe
1584	7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exe
4660	yauhau.exe
4660	yauhau.exe
932	wodan.exe
932	wodan.exe
948	daimeir.exe
948	daimeir.exe
3476	boobua.exe
3476	boobua.exe
2076	vaieroh.exe
2076	vaieroh.exe
2648	ssdaq.exe
2648	ssdaq.exe
4956	xooju.exe
4956	xooju.exe
3580	qylaaf.exe
3580	qylaaf.exe
4548	naufoub.exe
4548	naufoub.exe
1328	beiituc.exe
1328	beiituc.exe
3612	rgjal.exe
3612	rgjal.exe
456	zbzim.exe
456	zbzim.exe
3964	fuugio.exe
3964	fuugio.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exeyauhau.exewodan.exedaimeir.exeboobua.exevaieroh.exessdaq.exexooju.exeqylaaf.exenaufoub.exebeiituc.exergjal.exezbzim.exefuugio.exemaawef.exe

pid	process
1584	7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exe
4660	yauhau.exe
932	wodan.exe
948	daimeir.exe
3476	boobua.exe
2076	vaieroh.exe
2648	ssdaq.exe
4956	xooju.exe
3580	qylaaf.exe
4548	naufoub.exe
1328	beiituc.exe
3612	rgjal.exe
456	zbzim.exe
3964	fuugio.exe
4876	maawef.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exeyauhau.exewodan.exedaimeir.exeboobua.exevaieroh.exessdaq.exexooju.exeqylaaf.exenaufoub.exebeiituc.exergjal.exezbzim.exefuugio.exe

description	pid	process	target process
PID 1584 wrote to memory of 4660	1584	7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exe	yauhau.exe
PID 1584 wrote to memory of 4660	1584	7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exe	yauhau.exe
PID 1584 wrote to memory of 4660	1584	7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exe	yauhau.exe
PID 4660 wrote to memory of 932	4660	yauhau.exe	wodan.exe
PID 4660 wrote to memory of 932	4660	yauhau.exe	wodan.exe
PID 4660 wrote to memory of 932	4660	yauhau.exe	wodan.exe
PID 932 wrote to memory of 948	932	wodan.exe	daimeir.exe
PID 932 wrote to memory of 948	932	wodan.exe	daimeir.exe
PID 932 wrote to memory of 948	932	wodan.exe	daimeir.exe
PID 948 wrote to memory of 3476	948	daimeir.exe	boobua.exe
PID 948 wrote to memory of 3476	948	daimeir.exe	boobua.exe
PID 948 wrote to memory of 3476	948	daimeir.exe	boobua.exe
PID 3476 wrote to memory of 2076	3476	boobua.exe	vaieroh.exe
PID 3476 wrote to memory of 2076	3476	boobua.exe	vaieroh.exe
PID 3476 wrote to memory of 2076	3476	boobua.exe	vaieroh.exe
PID 2076 wrote to memory of 2648	2076	vaieroh.exe	ssdaq.exe
PID 2076 wrote to memory of 2648	2076	vaieroh.exe	ssdaq.exe
PID 2076 wrote to memory of 2648	2076	vaieroh.exe	ssdaq.exe
PID 2648 wrote to memory of 4956	2648	ssdaq.exe	xooju.exe
PID 2648 wrote to memory of 4956	2648	ssdaq.exe	xooju.exe
PID 2648 wrote to memory of 4956	2648	ssdaq.exe	xooju.exe
PID 4956 wrote to memory of 3580	4956	xooju.exe	qylaaf.exe
PID 4956 wrote to memory of 3580	4956	xooju.exe	qylaaf.exe
PID 4956 wrote to memory of 3580	4956	xooju.exe	qylaaf.exe
PID 3580 wrote to memory of 4548	3580	qylaaf.exe	naufoub.exe
PID 3580 wrote to memory of 4548	3580	qylaaf.exe	naufoub.exe
PID 3580 wrote to memory of 4548	3580	qylaaf.exe	naufoub.exe
PID 4548 wrote to memory of 1328	4548	naufoub.exe	beiituc.exe
PID 4548 wrote to memory of 1328	4548	naufoub.exe	beiituc.exe
PID 4548 wrote to memory of 1328	4548	naufoub.exe	beiituc.exe
PID 1328 wrote to memory of 3612	1328	beiituc.exe	rgjal.exe
PID 1328 wrote to memory of 3612	1328	beiituc.exe	rgjal.exe
PID 1328 wrote to memory of 3612	1328	beiituc.exe	rgjal.exe
PID 3612 wrote to memory of 456	3612	rgjal.exe	zbzim.exe
PID 3612 wrote to memory of 456	3612	rgjal.exe	zbzim.exe
PID 3612 wrote to memory of 456	3612	rgjal.exe	zbzim.exe
PID 456 wrote to memory of 3964	456	zbzim.exe	fuugio.exe
PID 456 wrote to memory of 3964	456	zbzim.exe	fuugio.exe
PID 456 wrote to memory of 3964	456	zbzim.exe	fuugio.exe
PID 3964 wrote to memory of 4876	3964	fuugio.exe	maawef.exe
PID 3964 wrote to memory of 4876	3964	fuugio.exe	maawef.exe
PID 3964 wrote to memory of 4876	3964	fuugio.exe	maawef.exe

C:\Users\Admin\AppData\Local\Temp\7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exe
"C:\Users\Admin\AppData\Local\Temp\7fd06278cebd5fefae6d2ad50404f6fa1ed821d27eb1bb5f4f8cce5dfd335081.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\yauhau.exe
"C:\Users\Admin\yauhau.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4660

C:\Users\Admin\wodan.exe
"C:\Users\Admin\wodan.exe"
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\daimeir.exe
"C:\Users\Admin\daimeir.exe"
4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\boobua.exe
"C:\Users\Admin\boobua.exe"
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3476

C:\Users\Admin\vaieroh.exe
"C:\Users\Admin\vaieroh.exe"
6⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2076

C:\Users\Admin\ssdaq.exe
"C:\Users\Admin\ssdaq.exe"
7⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\xooju.exe
"C:\Users\Admin\xooju.exe"
8⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4956

C:\Users\Admin\qylaaf.exe
"C:\Users\Admin\qylaaf.exe"
9⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3580

C:\Users\Admin\naufoub.exe
"C:\Users\Admin\naufoub.exe"
10⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4548

C:\Users\Admin\beiituc.exe
"C:\Users\Admin\beiituc.exe"
11⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\rgjal.exe
"C:\Users\Admin\rgjal.exe"
12⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3612

C:\Users\Admin\zbzim.exe
"C:\Users\Admin\zbzim.exe"
13⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:456

C:\Users\Admin\fuugio.exe
"C:\Users\Admin\fuugio.exe"
14⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3964

C:\Users\Admin\maawef.exe
"C:\Users\Admin\maawef.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\beiituc.exe

Filesize
124KB

MD5
bc7bd2752f9c63aa0150858c7fcb58e3

SHA1
810f77c65cadabbc27683eb4a6062fd1b5437e7d

SHA256
661eef9dcaed798d9120852174dbebb0deaf55d0cc9c22c6d6d284bf71a68506

SHA512
89c014d6839857a23c0409d377e0e552fe37ff4796e8dfb893339331483f6d3701a7c90d0333196d0d234501efd83a35cecc613fef26324c16bdff954949dcf8

Download Submit
C:\Users\Admin\beiituc.exe

Filesize
124KB

MD5
bc7bd2752f9c63aa0150858c7fcb58e3

SHA1
810f77c65cadabbc27683eb4a6062fd1b5437e7d

SHA256
661eef9dcaed798d9120852174dbebb0deaf55d0cc9c22c6d6d284bf71a68506

SHA512
89c014d6839857a23c0409d377e0e552fe37ff4796e8dfb893339331483f6d3701a7c90d0333196d0d234501efd83a35cecc613fef26324c16bdff954949dcf8

Download Submit
C:\Users\Admin\boobua.exe

Filesize
124KB

MD5
ba1215f8fecfb0fbe4180d7084322530

SHA1
a7ebb419a96e38e2776b3013fc30357c656e1cbb

SHA256
298dac42ada1c4a050b8ce940d098b72bf1ef7833fb36c9d221085bcf24a1806

SHA512
d2ef99651081bbaa7c7b63906f6be98633476435266ae0bff5367db012b372c3c49a20d35d46e12ee3bd6affb8539c074dfdddca45b08a003697dc859b9101e0

Download Submit
C:\Users\Admin\boobua.exe

Filesize
124KB

MD5
ba1215f8fecfb0fbe4180d7084322530

SHA1
a7ebb419a96e38e2776b3013fc30357c656e1cbb

SHA256
298dac42ada1c4a050b8ce940d098b72bf1ef7833fb36c9d221085bcf24a1806

SHA512
d2ef99651081bbaa7c7b63906f6be98633476435266ae0bff5367db012b372c3c49a20d35d46e12ee3bd6affb8539c074dfdddca45b08a003697dc859b9101e0

Download Submit
C:\Users\Admin\daimeir.exe

Filesize
124KB

MD5
064729f0302549aa26b435dddac692f9

SHA1
8156377709c3a9fb7cfd6696d6b98c019cf40e97

SHA256
4e4d9eb14fb551d0fa6c53c2414c9acf8c0d238b3d8ce115d716d74f3d31bb01

SHA512
65c6475e9d394c047f9681dd6dff256d77256ed724137f6f80bca4cd8b8f374165dd6e49787c02308a92bffdbfc492288dc657db58d4d05b61a4dd4b2c347353

Download Submit
C:\Users\Admin\daimeir.exe

Filesize
124KB

MD5
064729f0302549aa26b435dddac692f9

SHA1
8156377709c3a9fb7cfd6696d6b98c019cf40e97

SHA256
4e4d9eb14fb551d0fa6c53c2414c9acf8c0d238b3d8ce115d716d74f3d31bb01

SHA512
65c6475e9d394c047f9681dd6dff256d77256ed724137f6f80bca4cd8b8f374165dd6e49787c02308a92bffdbfc492288dc657db58d4d05b61a4dd4b2c347353

Download Submit
C:\Users\Admin\fuugio.exe

Filesize
124KB

MD5
49cf8d23a605b2f55df96c1c5b79c43b

SHA1
3de7c366ec9d2ffbd126437ef07f7eb28a7b98d9

SHA256
2c7594315d5c56898e2983e884a28bc716ced8ee583e03b966f0327333b43654

SHA512
b92456e50b7a402bd01197b801acbe0c1d3de6779a9cd9146fecc040d0f654a7b059252340d897d22be8d286286815d4da33b5ee0cc275876b7cfdc8475410cf

Download Submit
C:\Users\Admin\fuugio.exe

Filesize
124KB

MD5
49cf8d23a605b2f55df96c1c5b79c43b

SHA1
3de7c366ec9d2ffbd126437ef07f7eb28a7b98d9

SHA256
2c7594315d5c56898e2983e884a28bc716ced8ee583e03b966f0327333b43654

SHA512
b92456e50b7a402bd01197b801acbe0c1d3de6779a9cd9146fecc040d0f654a7b059252340d897d22be8d286286815d4da33b5ee0cc275876b7cfdc8475410cf

Download Submit
C:\Users\Admin\maawef.exe

Filesize
124KB

MD5
f38b839fb1eda407a4acdee26876bfb0

SHA1
4c0295dd2b6148daa0cab84e3003823075e9173f

SHA256
bdadb62262fb3d3366369b8a0ebfd1c5fe37a684592566e39569a2dc8a056179

SHA512
8c7bbf42bcc24c797184d230bb38fb7d81a4e11965238276d02d524bda76d0422f722c7f8380eb6a2a6cf41aaaf780adcae6b88d41bef226243cac2a82468936

Download Submit
C:\Users\Admin\maawef.exe

Filesize
124KB

MD5
f38b839fb1eda407a4acdee26876bfb0

SHA1
4c0295dd2b6148daa0cab84e3003823075e9173f

SHA256
bdadb62262fb3d3366369b8a0ebfd1c5fe37a684592566e39569a2dc8a056179

SHA512
8c7bbf42bcc24c797184d230bb38fb7d81a4e11965238276d02d524bda76d0422f722c7f8380eb6a2a6cf41aaaf780adcae6b88d41bef226243cac2a82468936

Download Submit
C:\Users\Admin\naufoub.exe

Filesize
124KB

MD5
5e0aca704f573548344191bfb80d2e21

SHA1
fb13e2aa6726f8705fbb72f5fec0b9e2114be9c7

SHA256
851ebe84636a56578501d9f2c49453d42f6f0d111cd26fb4a888f323bfb5d3d8

SHA512
c389b78575e0a7f1d0700a3f985cb10d0d75ddf0c0cc103eedad8fc571a4646d3e22722b5461721d5cbfc77ca8a5234fd756d445f6cef8a6ab11075d3da1fdb2

Download Submit
C:\Users\Admin\naufoub.exe

Filesize
124KB

MD5
5e0aca704f573548344191bfb80d2e21

SHA1
fb13e2aa6726f8705fbb72f5fec0b9e2114be9c7

SHA256
851ebe84636a56578501d9f2c49453d42f6f0d111cd26fb4a888f323bfb5d3d8

SHA512
c389b78575e0a7f1d0700a3f985cb10d0d75ddf0c0cc103eedad8fc571a4646d3e22722b5461721d5cbfc77ca8a5234fd756d445f6cef8a6ab11075d3da1fdb2

Download Submit
C:\Users\Admin\qylaaf.exe

Filesize
124KB

MD5
11346250da7ac3cb597a024af9f534f6

SHA1
ce8c2a0f68060bdf960db82ec0183ba1cf0f60f5

SHA256
cff8c7d6329955c8c087d029342f44f6a33a890f8e6c689d24ae200e69f7d7cf

SHA512
61fe9955a5a17d2fa35a3da31395b6a5f3286f1ed5f5a5953927f7782ae3fbd138622cb0343e1325092b6b795ee77bb116c1e12d023f79d13a0a7ef8ad82552f

Download Submit
C:\Users\Admin\qylaaf.exe

Filesize
124KB

MD5
11346250da7ac3cb597a024af9f534f6

SHA1
ce8c2a0f68060bdf960db82ec0183ba1cf0f60f5

SHA256
cff8c7d6329955c8c087d029342f44f6a33a890f8e6c689d24ae200e69f7d7cf

SHA512
61fe9955a5a17d2fa35a3da31395b6a5f3286f1ed5f5a5953927f7782ae3fbd138622cb0343e1325092b6b795ee77bb116c1e12d023f79d13a0a7ef8ad82552f

Download Submit
C:\Users\Admin\rgjal.exe

Filesize
124KB

MD5
59554265b0a63f6b4974e170111782b0

SHA1
89d904f64db0e003093c5d942ee75d3599d6dfff

SHA256
ab1ce38f9212dbc9f67894f640c6f4adf4b9a99515b25c1f607c4fede0d8ce03

SHA512
8410f07cecf343783dab340ce0b0ef5fb6dc5862e8da0523cdacf96b025e5d80eb2639b479e50627359e781d3660bb502907790afc9239222142405fb1639a19

Download Submit
C:\Users\Admin\rgjal.exe

Filesize
124KB

MD5
59554265b0a63f6b4974e170111782b0

SHA1
89d904f64db0e003093c5d942ee75d3599d6dfff

SHA256
ab1ce38f9212dbc9f67894f640c6f4adf4b9a99515b25c1f607c4fede0d8ce03

SHA512
8410f07cecf343783dab340ce0b0ef5fb6dc5862e8da0523cdacf96b025e5d80eb2639b479e50627359e781d3660bb502907790afc9239222142405fb1639a19

Download Submit
C:\Users\Admin\ssdaq.exe

Filesize
124KB

MD5
a600e7286c1fdc1857d1c13443c21b8d

SHA1
b8d8381d145703f9319528109030911fc6abcb44

SHA256
ce81f8739019d24e3be861360b5d836f759b08b279c5d9f2c5c9915cbb7ee6c4

SHA512
d488f9af5fc7f6bd387fd019e57cb0caff3a25a91ee2ef540f1462e59af5ef8268da41c85f1325ff00576331e81da35d8b46e7dbf65ec1aeaa5215a6a113a359

Download Submit
C:\Users\Admin\ssdaq.exe

Filesize
124KB

MD5
a600e7286c1fdc1857d1c13443c21b8d

SHA1
b8d8381d145703f9319528109030911fc6abcb44

SHA256
ce81f8739019d24e3be861360b5d836f759b08b279c5d9f2c5c9915cbb7ee6c4

SHA512
d488f9af5fc7f6bd387fd019e57cb0caff3a25a91ee2ef540f1462e59af5ef8268da41c85f1325ff00576331e81da35d8b46e7dbf65ec1aeaa5215a6a113a359

Download Submit
C:\Users\Admin\vaieroh.exe

Filesize
124KB

MD5
3828cb086930733095655c820d54f41b

SHA1
52138e860c7bb9041bba025359fddff3274ae164

SHA256
eff44f7f00c0d01fad7ff9d09df249ca74c57cad2076185c05064fe429a61f8a

SHA512
2843164f0cd7177aa618d9a8fadd69bf4909fdce78fa76bbc9e25cc124fca37acd978f43e3d703c171331a951d43b7dd89a964642aec44bddad022174329d3ca

Download Submit
C:\Users\Admin\vaieroh.exe

Filesize
124KB

MD5
3828cb086930733095655c820d54f41b

SHA1
52138e860c7bb9041bba025359fddff3274ae164

SHA256
eff44f7f00c0d01fad7ff9d09df249ca74c57cad2076185c05064fe429a61f8a

SHA512
2843164f0cd7177aa618d9a8fadd69bf4909fdce78fa76bbc9e25cc124fca37acd978f43e3d703c171331a951d43b7dd89a964642aec44bddad022174329d3ca

Download Submit
C:\Users\Admin\wodan.exe

Filesize
124KB

MD5
95067788ac7efa9649a20899ade2ba9a

SHA1
c0ced5f98cedfa944719637327bdb6e6021f0cdf

SHA256
6560a2acd88cf04fe7d684c61b655a310d056d951ff2eac0e447e014a7b6c989

SHA512
dbf67a32be1bf4aa076c76d2744ca6aaca9b2fdd003a0921755f33d1a4fbbfdfe058b26005b69ab5986a527c4225640d8654b861b7e7592d5fb7a04438a61e79

Download Submit
C:\Users\Admin\wodan.exe

Filesize
124KB

MD5
95067788ac7efa9649a20899ade2ba9a

SHA1
c0ced5f98cedfa944719637327bdb6e6021f0cdf

SHA256
6560a2acd88cf04fe7d684c61b655a310d056d951ff2eac0e447e014a7b6c989

SHA512
dbf67a32be1bf4aa076c76d2744ca6aaca9b2fdd003a0921755f33d1a4fbbfdfe058b26005b69ab5986a527c4225640d8654b861b7e7592d5fb7a04438a61e79

Download Submit
C:\Users\Admin\xooju.exe

Filesize
124KB

MD5
f8819d1ff72b7f0979ea778e3b08e096

SHA1
b6f217461449448f164ba1bc30a6a3815fa2c5e7

SHA256
67b322da80b46bc816c2f060877dfd47a8722f6cce077ba80888a6047bdb6848

SHA512
9aa8fa0c00a04600500a7d0a71e6dc4388aad5ceba3d654a82b247154d9322ea1daf6028b2f57ef66e305a9e016f7a33ec33729a44fa65370a2a213689ec7699

Download Submit
C:\Users\Admin\xooju.exe

Filesize
124KB

MD5
f8819d1ff72b7f0979ea778e3b08e096

SHA1
b6f217461449448f164ba1bc30a6a3815fa2c5e7

SHA256
67b322da80b46bc816c2f060877dfd47a8722f6cce077ba80888a6047bdb6848

SHA512
9aa8fa0c00a04600500a7d0a71e6dc4388aad5ceba3d654a82b247154d9322ea1daf6028b2f57ef66e305a9e016f7a33ec33729a44fa65370a2a213689ec7699

Download Submit
C:\Users\Admin\yauhau.exe

Filesize
124KB

MD5
87c62aca8dde3e90063a8b47a1b9b156

SHA1
523a3f1d202997a90b605cd86d98a50beaa3214a

SHA256
2ad18e4ae6cfaba9f8add6ab0812b21b10bd2d7c98fdd1459057d5070af0f972

SHA512
cb5797e1c4cbd752be753305e295cf32386df1bd538fbe91806f4f88af14c3184c5b4ab66d2604b7049e718f1ce5184e4abf74eabc0aad1195c2eb5e8bc5b0c4

Download Submit
C:\Users\Admin\yauhau.exe

Filesize
124KB

MD5
87c62aca8dde3e90063a8b47a1b9b156

SHA1
523a3f1d202997a90b605cd86d98a50beaa3214a

SHA256
2ad18e4ae6cfaba9f8add6ab0812b21b10bd2d7c98fdd1459057d5070af0f972

SHA512
cb5797e1c4cbd752be753305e295cf32386df1bd538fbe91806f4f88af14c3184c5b4ab66d2604b7049e718f1ce5184e4abf74eabc0aad1195c2eb5e8bc5b0c4

Download Submit
C:\Users\Admin\zbzim.exe

Filesize
124KB

MD5
0b80e6b3fefdd1601f01d3eb63c3d4fb

SHA1
9595b3c06e4890aabf36246f0f21eaf7328ba604

SHA256
71be7c529a5f985591cf3cd13b8688a2fb67e762b7780c0dbbcfbc1751f63ed1

SHA512
6d1c0a2f3e3c6d6cf0cf1e7632c5b79870f4324824995f98210ee777afb104e199027c1bd9c2b9502e8be3ad553c38d08268cf36a3cbd6f35e9ea359ca8747d4

Download Submit
C:\Users\Admin\zbzim.exe

Filesize
124KB

MD5
0b80e6b3fefdd1601f01d3eb63c3d4fb

SHA1
9595b3c06e4890aabf36246f0f21eaf7328ba604

SHA256
71be7c529a5f985591cf3cd13b8688a2fb67e762b7780c0dbbcfbc1751f63ed1

SHA512
6d1c0a2f3e3c6d6cf0cf1e7632c5b79870f4324824995f98210ee777afb104e199027c1bd9c2b9502e8be3ad553c38d08268cf36a3cbd6f35e9ea359ca8747d4

Download Submit
memory/456-189-0x0000000000000000-mapping.dmp

Download
memory/932-139-0x0000000000000000-mapping.dmp

Download
memory/948-144-0x0000000000000000-mapping.dmp

Download
memory/1328-179-0x0000000000000000-mapping.dmp

Download
memory/2076-154-0x0000000000000000-mapping.dmp

Download
memory/2648-159-0x0000000000000000-mapping.dmp

Download
memory/3476-149-0x0000000000000000-mapping.dmp

Download
memory/3580-169-0x0000000000000000-mapping.dmp

Download
memory/3612-184-0x0000000000000000-mapping.dmp

Download
memory/3964-194-0x0000000000000000-mapping.dmp

Download
memory/4548-174-0x0000000000000000-mapping.dmp

Download
memory/4660-134-0x0000000000000000-mapping.dmp

Download
memory/4876-199-0x0000000000000000-mapping.dmp

Download
memory/4956-164-0x0000000000000000-mapping.dmp

Download