Analysis
max time kernel: 192s
max time network: 241s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 18:48
Static task: static1
Behavioral task: behavioral1
  Sample: f5787a488d2a2f59b8bb6281f8acd655fa1a0ea04e7e8b32996cf8388e706a52.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: f5787a488d2a2f59b8bb6281f8acd655fa1a0ea04e7e8b32996cf8388e706a52.exe
  Resource: win10v2004-20221111-en
General
Target: f5787a488d2a2f59b8bb6281f8acd655fa1a0ea04e7e8b32996cf8388e706a52.exe
Size: 160KB
MD5: c7f2e3dbbdfdafaefdec10ee7918adc4
SHA1: f40adfc23f33a5c0438c40dedd497593cd97fe81
SHA256: f5787a488d2a2f59b8bb6281f8acd655fa1a0ea04e7e8b32996cf8388e706a52
SHA512: 421bff698e845972b24035871f8379171ae50b537832e48885e5a7ae670a866ab852fc0739821abe863fdba5044b352e5104e6c224a6c1ee65912824d9151643
SSDEEP: 3072:/WpHp2c5Y2Xcz5LSnlq11T+iOf1kp5K3C4oQZiEoV:/I2cO2XclLSnPiOfamuWo
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | f5787a488d2a2f59b8bb6281f8acd655fa1a0ea04e7e8b32996cf8388e706a52.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tauiki.exe

Executes dropped EXE (1 IoCs)
pid | Process
3512 | tauiki.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | f5787a488d2a2f59b8bb6281f8acd655fa1a0ea04e7e8b32996cf8388e706a52.exe
Adds Run key to start application (2 TTPs, 55 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /m" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /o" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /V" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /E" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /W" | tauiki.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | f5787a488d2a2f59b8bb6281f8acd655fa1a0ea04e7e8b32996cf8388e706a52.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /E" | f5787a488d2a2f59b8bb6281f8acd655fa1a0ea04e7e8b32996cf8388e706a52.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /I" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /F" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /a" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /g" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /X" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /c" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /u" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /v" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /R" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /i" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /p" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /Q" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /t" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /O" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /Y" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /A" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /H" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /S" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /e" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /J" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /U" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /L" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /P" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /M" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /b" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /r" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /w" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /f" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /N" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /y" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /h" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /K" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /j" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /Z" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /z" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /B" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /q" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /s" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /T" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /n" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /x" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /G" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /k" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /C" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /D" | tauiki.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /l" | tauiki.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tauiki = "C:\\Users\\Admin\\tauiki.exe /d" | tauiki.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4536 | f5787a488d2a2f59b8bb6281f8acd655fa1a0ea04e7e8b32996cf8388e706a52.exe
4536 | f5787a488d2a2f59b8bb6281f8acd655fa1a0ea04e7e8b32996cf8388e706a52.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
3512 | tauiki.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4536 | f5787a488d2a2f59b8bb6281f8acd655fa1a0ea04e7e8b32996cf8388e706a52.exe
3512 | tauiki.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4536 wrote to memory of 3512 | 4536 | f5787a488d2a2f59b8bb6281f8acd655fa1a0ea04e7e8b32996cf8388e706a52.exe | 81
PID 4536 wrote to memory of 3512 | 4536 | f5787a488d2a2f59b8bb6281f8acd655fa1a0ea04e7e8b32996cf8388e706a52.exe | 81
PID 4536 wrote to memory of 3512 | 4536 | f5787a488d2a2f59b8bb6281f8acd655fa1a0ea04e7e8b32996cf8388e706a52.exe | 81
Processes
1. C:\Users\Admin\AppData\Local\Temp\f5787a488d2a2f59b8bb6281f8acd655fa1a0ea04e7e8b32996cf8388e706a52.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f5787a488d2a2f59b8bb6281f8acd655fa1a0ea04e7e8b32996cf8388e706a52.exe"
   PID: 4536
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\tauiki.exe
      Command line: "C:\Users\Admin\tauiki.exe"
      PID: 3512
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 160KB
MD5: 16cee906a6117bfd23be00834f35e12a
SHA1: 2fa661f8b0e0e7b495d9ae9c0a4e94da9e3c657d
SHA256: 1fb916895afa80f6a88777dbd122b24faa89353b6cf3054abac096c21d8ed636
SHA512: 2681640583baac9d9a77cdec48cff5753added97de9fcd24ca30eb67db53c5a36a186b3831b353aa2b33ed033f01c88770b8b3f09bf1521caf428baa70793760