1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959

General

Target

1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
Size

112KB
MD5

0c12db481a4bea637d6114e4c827d78f
SHA1

9ddfc714e1856c72a0f2316e8e24b04c8d73019b
SHA256

1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959
SHA512

9f291181731876457f1d798fae8ed300176dae810d758e9de166d4dcfd9abb9cd34cf642864bfe724b414cc96574691c17994e6a3684e17858816709a0641f9a
SSDEEP

3072:7yxKG8MvlJlfkX9kXWqgkXAkXAkXAkXtkX8kXQkXhkXIkX/kXdkX+kXmkXJkXMkz:7yxKGnZkX9kXWqgkXAkXAkXAkXtkX8k1

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

daejaah.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	daejaah.exe

Executes dropped EXE 1 IoCs

Processes:

daejaah.exe

pid process

524 daejaah.exe

Loads dropped DLL 2 IoCs

Processes:

1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe

pid	process
1216	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
1216	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

daejaah.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	daejaah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\daejaah = "C:\\Users\\Admin\\daejaah.exe"	daejaah.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

daejaah.exe

pid	process
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe
524	daejaah.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exedaejaah.exe

pid process

1216 1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
524 daejaah.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exedaejaah.exe

description	pid	process	target process
PID 1216 wrote to memory of 524	1216	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe	daejaah.exe
PID 1216 wrote to memory of 524	1216	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe	daejaah.exe
PID 1216 wrote to memory of 524	1216	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe	daejaah.exe
PID 1216 wrote to memory of 524	1216	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe	daejaah.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 524 wrote to memory of 1216	524	daejaah.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe

C:\Users\Admin\AppData\Local\Temp\1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
"C:\Users\Admin\AppData\Local\Temp\1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\daejaah.exe
  "C:\Users\Admin\daejaah.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\daejaah.exe

Filesize
112KB

MD5
96ab144b07a823310783605c52b0345c

SHA1
6a1e40ea8fdf62ab1906caa0bee7ca9433082429

SHA256
46444050677dbb9de74103ca627227a03dc40a577d3447f7693ef6b95f079757

SHA512
83427ec4345657f2049b10294aad32aaf2ed74519d6f8a4c9d208b0630c883e1082e21aef5aca8872656ff981840b098fd2b1ba02225cdf6d2f5720f7b3deed3

Download Submit
C:\Users\Admin\daejaah.exe

Filesize
112KB

MD5
96ab144b07a823310783605c52b0345c

SHA1
6a1e40ea8fdf62ab1906caa0bee7ca9433082429

SHA256
46444050677dbb9de74103ca627227a03dc40a577d3447f7693ef6b95f079757

SHA512
83427ec4345657f2049b10294aad32aaf2ed74519d6f8a4c9d208b0630c883e1082e21aef5aca8872656ff981840b098fd2b1ba02225cdf6d2f5720f7b3deed3

Download Submit
\Users\Admin\daejaah.exe

Filesize
112KB

MD5
96ab144b07a823310783605c52b0345c

SHA1
6a1e40ea8fdf62ab1906caa0bee7ca9433082429

SHA256
46444050677dbb9de74103ca627227a03dc40a577d3447f7693ef6b95f079757

SHA512
83427ec4345657f2049b10294aad32aaf2ed74519d6f8a4c9d208b0630c883e1082e21aef5aca8872656ff981840b098fd2b1ba02225cdf6d2f5720f7b3deed3

Download Submit
\Users\Admin\daejaah.exe

Filesize
112KB

MD5
96ab144b07a823310783605c52b0345c

SHA1
6a1e40ea8fdf62ab1906caa0bee7ca9433082429

SHA256
46444050677dbb9de74103ca627227a03dc40a577d3447f7693ef6b95f079757

SHA512
83427ec4345657f2049b10294aad32aaf2ed74519d6f8a4c9d208b0630c883e1082e21aef5aca8872656ff981840b098fd2b1ba02225cdf6d2f5720f7b3deed3

Download Submit
memory/524-59-0x0000000000000000-mapping.dmp

Download
memory/1216-56-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads