46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075

General

Target

46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
Size

144KB
MD5

1fa62feb97769e1214baf12387924b66
SHA1

0429a06fda3ae107ba1c7b98a0c06d1767066c2d
SHA256

46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075
SHA512

f0629e99a0968732fdbc90cada822e1d3895acae6914a0be360846cb498b1085517a3af86b7181e98b52216fb1ba2a1e3bf4212a2f0ee8718e604f7dd9eee775
SSDEEP

768:aJ/HdK9TuB7CXe04H7cHPHYmug6UXQm1dIZE2ocOT77e:aOuBjHyj6S3T77

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

viuoru.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	viuoru.exe

Executes dropped EXE 1 IoCs

Processes:

viuoru.exe

pid process

3396 viuoru.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

viuoru.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\	viuoru.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\viuoru = "C:\\Users\\Admin\\viuoru.exe"	viuoru.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

viuoru.exe

pid	process
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe
3396	viuoru.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exeviuoru.exe

pid process

4876 46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
3396 viuoru.exe

pid	process
4876	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
3396	viuoru.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exeviuoru.exe

description	pid	process	target process
PID 4876 wrote to memory of 3396	4876	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe	viuoru.exe
PID 4876 wrote to memory of 3396	4876	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe	viuoru.exe
PID 4876 wrote to memory of 3396	4876	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe	viuoru.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
PID 3396 wrote to memory of 4876	3396	viuoru.exe	46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe

C:\Users\Admin\AppData\Local\Temp\46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe
"C:\Users\Admin\AppData\Local\Temp\46759c1a2d463f2aa1d7ba2bb5a8b21d54bbc8da083d0b4507d87e2a97528075.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4876

C:\Users\Admin\viuoru.exe
"C:\Users\Admin\viuoru.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\viuoru.exe

Filesize
144KB

MD5
a67f322872644edc7711cb9adaf7cbfb

SHA1
0a7a5b0e0425eb0ccffeeaefb40d6d50bd5c43e2

SHA256
50c50b980733fbe6dd1b406205c370527dba730c8fa2c22108d005190bea22d3

SHA512
68cdeaa977742d4ec7f310b6a6a8eb630bc2e6235a53c1e3218fa3639f4abf2468887ac0cd463b658c71c9e6616f01cd489e955be63d7ab7d8c8c5aac339dae1

Download Submit
C:\Users\Admin\viuoru.exe

Filesize
144KB

MD5
a67f322872644edc7711cb9adaf7cbfb

SHA1
0a7a5b0e0425eb0ccffeeaefb40d6d50bd5c43e2

SHA256
50c50b980733fbe6dd1b406205c370527dba730c8fa2c22108d005190bea22d3

SHA512
68cdeaa977742d4ec7f310b6a6a8eb630bc2e6235a53c1e3218fa3639f4abf2468887ac0cd463b658c71c9e6616f01cd489e955be63d7ab7d8c8c5aac339dae1

Download Submit
memory/3396-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads