1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959

General

Target

1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
Size

112KB
MD5

0c12db481a4bea637d6114e4c827d78f
SHA1

9ddfc714e1856c72a0f2316e8e24b04c8d73019b
SHA256

1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959
SHA512

9f291181731876457f1d798fae8ed300176dae810d758e9de166d4dcfd9abb9cd34cf642864bfe724b414cc96574691c17994e6a3684e17858816709a0641f9a
SSDEEP

3072:7yxKG8MvlJlfkX9kXWqgkXAkXAkXAkXtkX8kXQkXhkXIkX/kXdkX+kXmkXJkXMkz:7yxKGnZkX9kXWqgkXAkXAkXAkXtkX8k1

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

deiol.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	deiol.exe

Executes dropped EXE 1 IoCs

Processes:

deiol.exe

pid process

2412 deiol.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

deiol.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	deiol.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deiol = "C:\\Users\\Admin\\deiol.exe"	deiol.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

deiol.exe

pid	process
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe
2412	deiol.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exedeiol.exe

pid process

4908 1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
2412 deiol.exe

pid	process
4908	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
2412	deiol.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exedeiol.exe

description	pid	process	target process
PID 4908 wrote to memory of 2412	4908	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe	deiol.exe
PID 4908 wrote to memory of 2412	4908	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe	deiol.exe
PID 4908 wrote to memory of 2412	4908	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe	deiol.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
PID 2412 wrote to memory of 4908	2412	deiol.exe	1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe

C:\Users\Admin\AppData\Local\Temp\1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe
"C:\Users\Admin\AppData\Local\Temp\1aad69ee54d5a147e840f06f395fd08fbb4b153abdffec61312b3fd65cbb5959.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\deiol.exe
"C:\Users\Admin\deiol.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\deiol.exe
Filesize
112KB

MD5
4065aaf6836eec415c2b4dd66c8de40b

SHA1
91fa7fe0992b3acd14b09e34a1255298a6c6f268

SHA256
4a8f9df785f32c2c532672fc8b413fe206dfd8efa602269eb474937195c29ce5

SHA512
ec484815aafa0eb04f7ba51040f826874c6145b1ff2070d6447975fe981de145234a53168abec6e4d4703a3e9c838e875cb1e7a022d65456c03e11ce76fb761a

Download Submit
C:\Users\Admin\deiol.exe
Filesize
112KB

MD5
4065aaf6836eec415c2b4dd66c8de40b

SHA1
91fa7fe0992b3acd14b09e34a1255298a6c6f268

SHA256
4a8f9df785f32c2c532672fc8b413fe206dfd8efa602269eb474937195c29ce5

SHA512
ec484815aafa0eb04f7ba51040f826874c6145b1ff2070d6447975fe981de145234a53168abec6e4d4703a3e9c838e875cb1e7a022d65456c03e11ce76fb761a

Download Submit
memory/2412-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads