1dfe14007da13cdc671c881dd884d1b3c62a88d01604f64142c84527ca58b2a6

Analysis

max time kernel
257s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dfe14007da13cdc671c881dd884d1b3c62a88d01604f64142c84527ca58b2a6.exe
Size

77KB
MD5

6213740be9fa015db30a9d77b4f1b7b2
SHA1

6b40f23e7fd252a6771ba115dcf326aa1a308ce9
SHA256

1dfe14007da13cdc671c881dd884d1b3c62a88d01604f64142c84527ca58b2a6
SHA512

f86446b3239ded5c280454b9ac85c6c8cba57264dd0d1af7bb55e7e9e61cc40a77286ab3b7b9e375e71a29e1289be6deb2efa381dbe05984b6be042d25671aff
SSDEEP

1536:0666oTY15Bx8pEttgdO/mXpgWXOJgQmmogDcMH5fCVsJVafuegWXAi+oX9tWV0R3:f66oTY15Bx8pEttgdO/mXpgWXOJgQmmS

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	boazaa.exe

Executes dropped EXE 1 IoCs

pid	Process
468	boazaa.exe

Loads dropped DLL 2 IoCs

pid	Process
520	1dfe14007da13cdc671c881dd884d1b3c62a88d01604f64142c84527ca58b2a6.exe
520	1dfe14007da13cdc671c881dd884d1b3c62a88d01604f64142c84527ca58b2a6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\boazaa = "C:\\Users\\Admin\\boazaa.exe"	boazaa.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	boazaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe
468	boazaa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
520	1dfe14007da13cdc671c881dd884d1b3c62a88d01604f64142c84527ca58b2a6.exe
468	boazaa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 468	520	1dfe14007da13cdc671c881dd884d1b3c62a88d01604f64142c84527ca58b2a6.exe	28
PID 520 wrote to memory of 468	520	1dfe14007da13cdc671c881dd884d1b3c62a88d01604f64142c84527ca58b2a6.exe	28
PID 520 wrote to memory of 468	520	1dfe14007da13cdc671c881dd884d1b3c62a88d01604f64142c84527ca58b2a6.exe	28
PID 520 wrote to memory of 468	520	1dfe14007da13cdc671c881dd884d1b3c62a88d01604f64142c84527ca58b2a6.exe	28
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14
PID 468 wrote to memory of 520	468	boazaa.exe	14

C:\Users\Admin\AppData\Local\Temp\1dfe14007da13cdc671c881dd884d1b3c62a88d01604f64142c84527ca58b2a6.exe
"C:\Users\Admin\AppData\Local\Temp\1dfe14007da13cdc671c881dd884d1b3c62a88d01604f64142c84527ca58b2a6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:520
- C:\Users\Admin\boazaa.exe
  "C:\Users\Admin\boazaa.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\boazaa.exe

Filesize
77KB

MD5
a259a1a12eab831263e77049e849c9ee

SHA1
30beb8fe5adc25ed431b0da26ba45caf707df1b3

SHA256
17942d6adccc82bc116fe1151a58026015cd44c92cca8bb86131126b8f35ec5e

SHA512
82c82ab5bf93cefc048e9bc0cd60ffedab719b818d7ef043adf1074a43a1a563b3bbca5027aba9b9463205d19c5256af9f6973583e11eafc55eb5acdc99ced61

Download Submit
C:\Users\Admin\boazaa.exe

Filesize
77KB

MD5
a259a1a12eab831263e77049e849c9ee

SHA1
30beb8fe5adc25ed431b0da26ba45caf707df1b3

SHA256
17942d6adccc82bc116fe1151a58026015cd44c92cca8bb86131126b8f35ec5e

SHA512
82c82ab5bf93cefc048e9bc0cd60ffedab719b818d7ef043adf1074a43a1a563b3bbca5027aba9b9463205d19c5256af9f6973583e11eafc55eb5acdc99ced61

Download Submit
\Users\Admin\boazaa.exe

Filesize
77KB

MD5
a259a1a12eab831263e77049e849c9ee

SHA1
30beb8fe5adc25ed431b0da26ba45caf707df1b3

SHA256
17942d6adccc82bc116fe1151a58026015cd44c92cca8bb86131126b8f35ec5e

SHA512
82c82ab5bf93cefc048e9bc0cd60ffedab719b818d7ef043adf1074a43a1a563b3bbca5027aba9b9463205d19c5256af9f6973583e11eafc55eb5acdc99ced61

Download Submit
\Users\Admin\boazaa.exe

Filesize
77KB

MD5
a259a1a12eab831263e77049e849c9ee

SHA1
30beb8fe5adc25ed431b0da26ba45caf707df1b3

SHA256
17942d6adccc82bc116fe1151a58026015cd44c92cca8bb86131126b8f35ec5e

SHA512
82c82ab5bf93cefc048e9bc0cd60ffedab719b818d7ef043adf1074a43a1a563b3bbca5027aba9b9463205d19c5256af9f6973583e11eafc55eb5acdc99ced61

Download Submit
memory/520-56-0x0000000075671000-0x0000000075673000-memory.dmp

Filesize
8KB

Download