f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14

General

Target

f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
Size

44KB
MD5

260a26a815aaddabce59cb132c9211e0
SHA1

33a8b938d75c2219171864588effb777a046c0e9
SHA256

f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14
SHA512

17d8c5399e7139e77328d60a5e59bcbe926a728a3d1d405097db821df251905d03be8ee3d506415f471a4378928851a599b24878c50f3dcdaf15457cdeede194
SSDEEP

768:bh/Hd29JLlNAXe04H7cHPHYmug6UXQm1dIZE2ocOT77e:bEhNpHyj6S3T77

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

cuecuf.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cuecuf.exe

Executes dropped EXE 1 IoCs

Processes:

cuecuf.exe

pid process

1656 cuecuf.exe

Loads dropped DLL 2 IoCs

Processes:

f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe

pid	process
2040	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
2040	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cuecuf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	cuecuf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\cuecuf = "C:\\Users\\Admin\\cuecuf.exe"	cuecuf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cuecuf.exe

pid	process
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe
1656	cuecuf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.execuecuf.exe

pid process

2040 f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
1656 cuecuf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.execuecuf.exe

description	pid	process	target process
PID 2040 wrote to memory of 1656	2040	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe	cuecuf.exe
PID 2040 wrote to memory of 1656	2040	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe	cuecuf.exe
PID 2040 wrote to memory of 1656	2040	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe	cuecuf.exe
PID 2040 wrote to memory of 1656	2040	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe	cuecuf.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
PID 1656 wrote to memory of 2040	1656	cuecuf.exe	f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe

C:\Users\Admin\AppData\Local\Temp\f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe
"C:\Users\Admin\AppData\Local\Temp\f997ee0a78766765e659290f9bd39aa1bb81bb95c86ddfde38c47517c5c39f14.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\cuecuf.exe
"C:\Users\Admin\cuecuf.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\cuecuf.exe

Filesize
44KB

MD5
fe7be1e318a04297e9e07339bcefb11d

SHA1
38f3633c857affd493e266bf402d8c9a7f7f2d76

SHA256
efd84446eeeaa3c4075a9444094efed828d67e90ddf0f1cab4bfecee5aaf33ad

SHA512
215b81e6eaada2d441e75a39c4ac546edf705f5050fd0158a8d13783ee683e151e4443e3aaad032b306c871953276dce31b50130f1a8d13ee1e7b20efbbef8a1

Download Submit
C:\Users\Admin\cuecuf.exe

Filesize
44KB

MD5
fe7be1e318a04297e9e07339bcefb11d

SHA1
38f3633c857affd493e266bf402d8c9a7f7f2d76

SHA256
efd84446eeeaa3c4075a9444094efed828d67e90ddf0f1cab4bfecee5aaf33ad

SHA512
215b81e6eaada2d441e75a39c4ac546edf705f5050fd0158a8d13783ee683e151e4443e3aaad032b306c871953276dce31b50130f1a8d13ee1e7b20efbbef8a1

Download Submit
\Users\Admin\cuecuf.exe

Filesize
44KB

MD5
fe7be1e318a04297e9e07339bcefb11d

SHA1
38f3633c857affd493e266bf402d8c9a7f7f2d76

SHA256
efd84446eeeaa3c4075a9444094efed828d67e90ddf0f1cab4bfecee5aaf33ad

SHA512
215b81e6eaada2d441e75a39c4ac546edf705f5050fd0158a8d13783ee683e151e4443e3aaad032b306c871953276dce31b50130f1a8d13ee1e7b20efbbef8a1

Download Submit
\Users\Admin\cuecuf.exe

Filesize
44KB

MD5
fe7be1e318a04297e9e07339bcefb11d

SHA1
38f3633c857affd493e266bf402d8c9a7f7f2d76

SHA256
efd84446eeeaa3c4075a9444094efed828d67e90ddf0f1cab4bfecee5aaf33ad

SHA512
215b81e6eaada2d441e75a39c4ac546edf705f5050fd0158a8d13783ee683e151e4443e3aaad032b306c871953276dce31b50130f1a8d13ee1e7b20efbbef8a1

Download Submit
memory/1656-59-0x0000000000000000-mapping.dmp

Download
memory/2040-56-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads