433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab

Analysis

max time kernel
229s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe
Size

504KB
MD5

06423b915fdde4d9a7051480a337123b
SHA1

5ed71ff1c8432aab2e17887fd6eb9455b924dada
SHA256

433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab
SHA512

c3da80348d6a36a3255ff7ad24d0b840db8f34821558f4c983f5a924dd6ec2aa1ba4e54fc83659eba4698ba17f35e703a798d56eb21a88cb6a1d0b5e6b0fc447
SSDEEP

12288:6OwQmZiqb/i5t+V9iTCSvEMseLPcRnKb:6OdeIe9ih8Ms+PU

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	y26f0s.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zoeofu.exe

Executes dropped EXE 6 IoCs

pid	Process
320	y26f0s.exe
680	zoeofu.exe
1208	apod.exe
1708	apod.exe
2036	dpod.exe
2044	epod.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1708-82-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1708-84-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1708-85-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1708-89-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1708-90-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1708-92-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Loads dropped DLL 14 IoCs

pid	Process
848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe
848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe
320	y26f0s.exe
320	y26f0s.exe
848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe
848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe
848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe
848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe
848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe
848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe
1080	WerFault.exe

Adds Run key to start application 2 TTPs 49 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	y26f0s.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /c"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /Q"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /L"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /R"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /G"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /I"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /i"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /b"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /B"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /M"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /z"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /P"	y26f0s.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /w"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /u"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /t"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /W"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /S"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /k"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /e"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /y"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /K"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /p"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /J"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /A"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /f"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /h"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /N"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /C"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /d"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /Y"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /v"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /x"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /Z"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /j"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /F"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /r"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /n"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /P"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /E"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /g"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /V"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /H"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /m"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /X"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /l"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /U"	zoeofu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoeofu = "C:\\Users\\Admin\\zoeofu.exe /s"	zoeofu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1208 set thread context of 1708	1208	apod.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1080	2044	WerFault.exe	37

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1556	tasklist.exe
1500	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
320	y26f0s.exe
320	y26f0s.exe
1708	apod.exe
680	zoeofu.exe
1708	apod.exe
680	zoeofu.exe
680	zoeofu.exe
1708	apod.exe
1708	apod.exe
680	zoeofu.exe
1708	apod.exe
680	zoeofu.exe
680	zoeofu.exe
1708	apod.exe
680	zoeofu.exe
1708	apod.exe
1708	apod.exe
680	zoeofu.exe
680	zoeofu.exe
1708	apod.exe
1708	apod.exe
1708	apod.exe
1708	apod.exe
680	zoeofu.exe
1708	apod.exe
680	zoeofu.exe
1708	apod.exe
680	zoeofu.exe
1708	apod.exe
1708	apod.exe
680	zoeofu.exe
1708	apod.exe
1708	apod.exe
680	zoeofu.exe
1708	apod.exe
1708	apod.exe
1708	apod.exe
680	zoeofu.exe
1708	apod.exe
680	zoeofu.exe
1708	apod.exe
1708	apod.exe
1708	apod.exe
680	zoeofu.exe
1708	apod.exe
1708	apod.exe
680	zoeofu.exe
680	zoeofu.exe
1708	apod.exe
1708	apod.exe
1708	apod.exe
1708	apod.exe
1708	apod.exe
680	zoeofu.exe
1708	apod.exe
1708	apod.exe
680	zoeofu.exe
1708	apod.exe
680	zoeofu.exe
1708	apod.exe
1708	apod.exe
1708	apod.exe
1708	apod.exe
1708	apod.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1556	tasklist.exe
Token: SeDebugPrivilege	1500	tasklist.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe
320	y26f0s.exe
680	zoeofu.exe
1208	apod.exe
2036	dpod.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 320	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	28
PID 848 wrote to memory of 320	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	28
PID 848 wrote to memory of 320	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	28
PID 848 wrote to memory of 320	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	28
PID 320 wrote to memory of 680	320	y26f0s.exe	29
PID 320 wrote to memory of 680	320	y26f0s.exe	29
PID 320 wrote to memory of 680	320	y26f0s.exe	29
PID 320 wrote to memory of 680	320	y26f0s.exe	29
PID 320 wrote to memory of 296	320	y26f0s.exe	30
PID 320 wrote to memory of 296	320	y26f0s.exe	30
PID 320 wrote to memory of 296	320	y26f0s.exe	30
PID 320 wrote to memory of 296	320	y26f0s.exe	30
PID 296 wrote to memory of 1556	296	cmd.exe	32
PID 296 wrote to memory of 1556	296	cmd.exe	32
PID 296 wrote to memory of 1556	296	cmd.exe	32
PID 296 wrote to memory of 1556	296	cmd.exe	32
PID 848 wrote to memory of 1208	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	34
PID 848 wrote to memory of 1208	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	34
PID 848 wrote to memory of 1208	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	34
PID 848 wrote to memory of 1208	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	34
PID 1208 wrote to memory of 1708	1208	apod.exe	35
PID 1208 wrote to memory of 1708	1208	apod.exe	35
PID 1208 wrote to memory of 1708	1208	apod.exe	35
PID 1208 wrote to memory of 1708	1208	apod.exe	35
PID 1208 wrote to memory of 1708	1208	apod.exe	35
PID 1208 wrote to memory of 1708	1208	apod.exe	35
PID 1208 wrote to memory of 1708	1208	apod.exe	35
PID 1208 wrote to memory of 1708	1208	apod.exe	35
PID 848 wrote to memory of 2036	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	36
PID 848 wrote to memory of 2036	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	36
PID 848 wrote to memory of 2036	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	36
PID 848 wrote to memory of 2036	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	36
PID 848 wrote to memory of 2044	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	37
PID 848 wrote to memory of 2044	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	37
PID 848 wrote to memory of 2044	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	37
PID 848 wrote to memory of 2044	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	37
PID 2044 wrote to memory of 1080	2044	epod.exe	38
PID 2044 wrote to memory of 1080	2044	epod.exe	38
PID 2044 wrote to memory of 1080	2044	epod.exe	38
PID 2044 wrote to memory of 1080	2044	epod.exe	38
PID 848 wrote to memory of 1440	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	39
PID 848 wrote to memory of 1440	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	39
PID 848 wrote to memory of 1440	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	39
PID 848 wrote to memory of 1440	848	433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe	39
PID 1440 wrote to memory of 1500	1440	cmd.exe	41
PID 1440 wrote to memory of 1500	1440	cmd.exe	41
PID 1440 wrote to memory of 1500	1440	cmd.exe	41
PID 1440 wrote to memory of 1500	1440	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe
"C:\Users\Admin\AppData\Local\Temp\433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\y26f0s.exe
  C:\Users\Admin\y26f0s.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Users\Admin\zoeofu.exe
    "C:\Users\Admin\zoeofu.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del y26f0s.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:296
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1556
- C:\Users\Admin\apod.exe
  C:\Users\Admin\apod.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Users\Admin\apod.exe
    "C:\Users\Admin\apod.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1708
- C:\Users\Admin\dpod.exe
  C:\Users\Admin\dpod.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2036
- C:\Users\Admin\epod.exe
  C:\Users\Admin\epod.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 433526c997c9586097e1ac7ed3045f3debed6dcd72ad98fddef7e45f486402ab.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\apod.exe

Filesize
76KB

MD5
423c4a08989b956f40a58ac76d4b06ef

SHA1
e5f926bda675c1682a12df0033eacbcea1ed8b8c

SHA256
b2c621f8ca9704489c90a2fe87c7e5eb9ef247cef06a9b18708c8cd7a1b4e6c7

SHA512
b089470923a03f773749047688c9c315401da8590485f76d41589fcb3fbf045732e5f54e1297bdd6545575bb72c4cc4ba2d2ac2d7e64c4baab6a064f30a92b43

Download Submit
C:\Users\Admin\apod.exe

Filesize
76KB

MD5
423c4a08989b956f40a58ac76d4b06ef

SHA1
e5f926bda675c1682a12df0033eacbcea1ed8b8c

SHA256
b2c621f8ca9704489c90a2fe87c7e5eb9ef247cef06a9b18708c8cd7a1b4e6c7

SHA512
b089470923a03f773749047688c9c315401da8590485f76d41589fcb3fbf045732e5f54e1297bdd6545575bb72c4cc4ba2d2ac2d7e64c4baab6a064f30a92b43

Download Submit
C:\Users\Admin\apod.exe

Filesize
76KB

MD5
423c4a08989b956f40a58ac76d4b06ef

SHA1
e5f926bda675c1682a12df0033eacbcea1ed8b8c

SHA256
b2c621f8ca9704489c90a2fe87c7e5eb9ef247cef06a9b18708c8cd7a1b4e6c7

SHA512
b089470923a03f773749047688c9c315401da8590485f76d41589fcb3fbf045732e5f54e1297bdd6545575bb72c4cc4ba2d2ac2d7e64c4baab6a064f30a92b43

Download Submit
C:\Users\Admin\dpod.exe

Filesize
36KB

MD5
3f33e061a2ed4b19f8b837cc9798ba4b

SHA1
5e3a078de37dc896a657cb0a09f13394f5bd2715

SHA256
82b7ebb533cebb3bb671625ba65e41755ecad1c8e7b6ec7f9a8f4a549aac1a79

SHA512
2ef0c88aa69b8015db4773eaf5332a16464d6c502376c3edb88fa2c3b81aa135e42581f5384ecadd5964cf12abbc263af5841ba2322f8cb9d5f10e92fd0f52e5

Download Submit
C:\Users\Admin\epod.exe

Filesize
6.5MB

MD5
25eaa351f3abf04b024b9572962b6d49

SHA1
354cc72abf1f2982e40c193dd84edeec35cb2c76

SHA256
c84bd5eb25250d53aa86829dc9b814fcec36ecc00babfcdd0febcc12726e0c58

SHA512
631c9f0560ed703b60f31ec4a31aab78639e5d62cb764ba10de4baf65d1f50821159aacc941f210690e31622b598a2bfad8444cfaff0e96aa97d7d632271565e

Download Submit
C:\Users\Admin\y26f0s.exe

Filesize
340KB

MD5
cd821a611d07ae0237546cd00fa6752f

SHA1
9cf66009462749c884320a43261af67e44688380

SHA256
977facc689d0653837ba70a93147f6fb512031d25c4e8991b93672d57289c01a

SHA512
f0a2328b2bd3f61593cbfc76cea146bcf7fa9eb69e192dd5cfbaaa40bab2632c3222af0ebf410567020c4a05748192a766d78f460ec90db96d04ac4a43bae719

Download Submit
C:\Users\Admin\y26f0s.exe

Filesize
340KB

MD5
cd821a611d07ae0237546cd00fa6752f

SHA1
9cf66009462749c884320a43261af67e44688380

SHA256
977facc689d0653837ba70a93147f6fb512031d25c4e8991b93672d57289c01a

SHA512
f0a2328b2bd3f61593cbfc76cea146bcf7fa9eb69e192dd5cfbaaa40bab2632c3222af0ebf410567020c4a05748192a766d78f460ec90db96d04ac4a43bae719

Download Submit
C:\Users\Admin\zoeofu.exe

Filesize
340KB

MD5
d249509509a7038c0769c83eadf7fb07

SHA1
81e4c0f533912e201b9759df39aab1637cfecc11

SHA256
c5566d459f99f384faae00968ef10a344eae4d651f2d8df2dd739ddbf89bdca9

SHA512
bd079c2c702c2d7550e3c44a41f81a8e0cfcaffbe8bde7587338574f8baaed69b23a67fd30e151d3f3cde761f2c36a93322b9a1ea1728b51cfe35d8bca93a2d2

Download Submit
C:\Users\Admin\zoeofu.exe

Filesize
340KB

MD5
d249509509a7038c0769c83eadf7fb07

SHA1
81e4c0f533912e201b9759df39aab1637cfecc11

SHA256
c5566d459f99f384faae00968ef10a344eae4d651f2d8df2dd739ddbf89bdca9

SHA512
bd079c2c702c2d7550e3c44a41f81a8e0cfcaffbe8bde7587338574f8baaed69b23a67fd30e151d3f3cde761f2c36a93322b9a1ea1728b51cfe35d8bca93a2d2

Download Submit
\Users\Admin\apod.exe

Filesize
76KB

MD5
423c4a08989b956f40a58ac76d4b06ef

SHA1
e5f926bda675c1682a12df0033eacbcea1ed8b8c

SHA256
b2c621f8ca9704489c90a2fe87c7e5eb9ef247cef06a9b18708c8cd7a1b4e6c7

SHA512
b089470923a03f773749047688c9c315401da8590485f76d41589fcb3fbf045732e5f54e1297bdd6545575bb72c4cc4ba2d2ac2d7e64c4baab6a064f30a92b43

Download Submit
\Users\Admin\apod.exe

Filesize
76KB

MD5
423c4a08989b956f40a58ac76d4b06ef

SHA1
e5f926bda675c1682a12df0033eacbcea1ed8b8c

SHA256
b2c621f8ca9704489c90a2fe87c7e5eb9ef247cef06a9b18708c8cd7a1b4e6c7

SHA512
b089470923a03f773749047688c9c315401da8590485f76d41589fcb3fbf045732e5f54e1297bdd6545575bb72c4cc4ba2d2ac2d7e64c4baab6a064f30a92b43

Download Submit
\Users\Admin\dpod.exe

Filesize
36KB

MD5
3f33e061a2ed4b19f8b837cc9798ba4b

SHA1
5e3a078de37dc896a657cb0a09f13394f5bd2715

SHA256
82b7ebb533cebb3bb671625ba65e41755ecad1c8e7b6ec7f9a8f4a549aac1a79

SHA512
2ef0c88aa69b8015db4773eaf5332a16464d6c502376c3edb88fa2c3b81aa135e42581f5384ecadd5964cf12abbc263af5841ba2322f8cb9d5f10e92fd0f52e5

Download Submit
\Users\Admin\dpod.exe

Filesize
36KB

MD5
3f33e061a2ed4b19f8b837cc9798ba4b

SHA1
5e3a078de37dc896a657cb0a09f13394f5bd2715

SHA256
82b7ebb533cebb3bb671625ba65e41755ecad1c8e7b6ec7f9a8f4a549aac1a79

SHA512
2ef0c88aa69b8015db4773eaf5332a16464d6c502376c3edb88fa2c3b81aa135e42581f5384ecadd5964cf12abbc263af5841ba2322f8cb9d5f10e92fd0f52e5

Download Submit
\Users\Admin\epod.exe

Filesize
6.5MB

MD5
25eaa351f3abf04b024b9572962b6d49

SHA1
354cc72abf1f2982e40c193dd84edeec35cb2c76

SHA256
c84bd5eb25250d53aa86829dc9b814fcec36ecc00babfcdd0febcc12726e0c58

SHA512
631c9f0560ed703b60f31ec4a31aab78639e5d62cb764ba10de4baf65d1f50821159aacc941f210690e31622b598a2bfad8444cfaff0e96aa97d7d632271565e

Download Submit
\Users\Admin\epod.exe

Filesize
6.5MB

MD5
25eaa351f3abf04b024b9572962b6d49

SHA1
354cc72abf1f2982e40c193dd84edeec35cb2c76

SHA256
c84bd5eb25250d53aa86829dc9b814fcec36ecc00babfcdd0febcc12726e0c58

SHA512
631c9f0560ed703b60f31ec4a31aab78639e5d62cb764ba10de4baf65d1f50821159aacc941f210690e31622b598a2bfad8444cfaff0e96aa97d7d632271565e

Download Submit
\Users\Admin\epod.exe

Filesize
6.5MB

MD5
25eaa351f3abf04b024b9572962b6d49

SHA1
354cc72abf1f2982e40c193dd84edeec35cb2c76

SHA256
c84bd5eb25250d53aa86829dc9b814fcec36ecc00babfcdd0febcc12726e0c58

SHA512
631c9f0560ed703b60f31ec4a31aab78639e5d62cb764ba10de4baf65d1f50821159aacc941f210690e31622b598a2bfad8444cfaff0e96aa97d7d632271565e

Download Submit
\Users\Admin\epod.exe

Filesize
6.5MB

MD5
25eaa351f3abf04b024b9572962b6d49

SHA1
354cc72abf1f2982e40c193dd84edeec35cb2c76

SHA256
c84bd5eb25250d53aa86829dc9b814fcec36ecc00babfcdd0febcc12726e0c58

SHA512
631c9f0560ed703b60f31ec4a31aab78639e5d62cb764ba10de4baf65d1f50821159aacc941f210690e31622b598a2bfad8444cfaff0e96aa97d7d632271565e

Download Submit
\Users\Admin\epod.exe

Filesize
6.5MB

MD5
25eaa351f3abf04b024b9572962b6d49

SHA1
354cc72abf1f2982e40c193dd84edeec35cb2c76

SHA256
c84bd5eb25250d53aa86829dc9b814fcec36ecc00babfcdd0febcc12726e0c58

SHA512
631c9f0560ed703b60f31ec4a31aab78639e5d62cb764ba10de4baf65d1f50821159aacc941f210690e31622b598a2bfad8444cfaff0e96aa97d7d632271565e

Download Submit
\Users\Admin\epod.exe

Filesize
6.5MB

MD5
25eaa351f3abf04b024b9572962b6d49

SHA1
354cc72abf1f2982e40c193dd84edeec35cb2c76

SHA256
c84bd5eb25250d53aa86829dc9b814fcec36ecc00babfcdd0febcc12726e0c58

SHA512
631c9f0560ed703b60f31ec4a31aab78639e5d62cb764ba10de4baf65d1f50821159aacc941f210690e31622b598a2bfad8444cfaff0e96aa97d7d632271565e

Download Submit
\Users\Admin\y26f0s.exe

Filesize
340KB

MD5
cd821a611d07ae0237546cd00fa6752f

SHA1
9cf66009462749c884320a43261af67e44688380

SHA256
977facc689d0653837ba70a93147f6fb512031d25c4e8991b93672d57289c01a

SHA512
f0a2328b2bd3f61593cbfc76cea146bcf7fa9eb69e192dd5cfbaaa40bab2632c3222af0ebf410567020c4a05748192a766d78f460ec90db96d04ac4a43bae719

Download Submit
\Users\Admin\y26f0s.exe

Filesize
340KB

MD5
cd821a611d07ae0237546cd00fa6752f

SHA1
9cf66009462749c884320a43261af67e44688380

SHA256
977facc689d0653837ba70a93147f6fb512031d25c4e8991b93672d57289c01a

SHA512
f0a2328b2bd3f61593cbfc76cea146bcf7fa9eb69e192dd5cfbaaa40bab2632c3222af0ebf410567020c4a05748192a766d78f460ec90db96d04ac4a43bae719

Download Submit
\Users\Admin\zoeofu.exe

Filesize
340KB

MD5
d249509509a7038c0769c83eadf7fb07

SHA1
81e4c0f533912e201b9759df39aab1637cfecc11

SHA256
c5566d459f99f384faae00968ef10a344eae4d651f2d8df2dd739ddbf89bdca9

SHA512
bd079c2c702c2d7550e3c44a41f81a8e0cfcaffbe8bde7587338574f8baaed69b23a67fd30e151d3f3cde761f2c36a93322b9a1ea1728b51cfe35d8bca93a2d2

Download Submit
\Users\Admin\zoeofu.exe

Filesize
340KB

MD5
d249509509a7038c0769c83eadf7fb07

SHA1
81e4c0f533912e201b9759df39aab1637cfecc11

SHA256
c5566d459f99f384faae00968ef10a344eae4d651f2d8df2dd739ddbf89bdca9

SHA512
bd079c2c702c2d7550e3c44a41f81a8e0cfcaffbe8bde7587338574f8baaed69b23a67fd30e151d3f3cde761f2c36a93322b9a1ea1728b51cfe35d8bca93a2d2

Download Submit
memory/848-109-0x00000000028B0000-0x000000000336A000-memory.dmp

Filesize
10.7MB

Download
memory/848-56-0x0000000074FA1000-0x0000000074FA3000-memory.dmp

Filesize
8KB

Download
memory/1708-90-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1708-92-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1708-89-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1708-85-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1708-84-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1708-81-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1708-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download