26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9

Analysis

max time kernel
151s
max time network
49s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 02:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe
Size

224KB
MD5

d6a2326d38e4339479ecf19dedf0b84b
SHA1

93ab9d67c04c34eefaceaed1e7770ccf3015e324
SHA256

26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9
SHA512

af4777dd80f70a795705bc56e9158647423b757831b49ea01b5b6dd22cb72ef6c4963f308ba29884ba1f3ad9e9d111f09e8305c08df51d9434cc895dca3324cb
SSDEEP

3072:Hk6kvZjWnE5bqaAF/OVLj4UbaxxmLQTi2//9U33T+NVzo:H1kBm7aAF4RFSs

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	maaaduf.exe

Executes dropped EXE 1 IoCs

pid	Process
964	maaaduf.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe
2036	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /v"	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /u"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /g"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /d"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /w"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /o"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /q"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /z"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /c"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /j"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /l"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /a"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /n"	maaaduf.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /y"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /e"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /s"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /f"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /k"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /p"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /v"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /i"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /t"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /m"	maaaduf.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /r"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /b"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /x"	maaaduf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\maaaduf = "C:\\Users\\Admin\\maaaduf.exe /h"	maaaduf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe
964	maaaduf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2036	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe
964	maaaduf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 964	2036	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe	28
PID 2036 wrote to memory of 964	2036	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe	28
PID 2036 wrote to memory of 964	2036	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe	28
PID 2036 wrote to memory of 964	2036	26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe	28

C:\Users\Admin\AppData\Local\Temp\26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe
"C:\Users\Admin\AppData\Local\Temp\26c32f20a7343375402584263d469b2ad2d5d3a3920d09d63e85629d5579adf9.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\maaaduf.exe
  "C:\Users\Admin\maaaduf.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\maaaduf.exe

Filesize
224KB

MD5
4061cf737f39a0bb91bad0e8de3dd0e6

SHA1
9f80157408c81fa266eed5ffa741e8c2b8c48713

SHA256
d25235a3cdc6a82e9b5f6cdcd0c904e276dd31da1b3dbbca23315233a89af75c

SHA512
dfaf689fa494306b0898fe0d036fb2ea4dbe003a5a53f0b308c2d4117a2681f082e70b9f762003aaa817a0df34a47d4fa3c94716de74075574af287a3f82d706

Download Submit
C:\Users\Admin\maaaduf.exe

Filesize
224KB

MD5
4061cf737f39a0bb91bad0e8de3dd0e6

SHA1
9f80157408c81fa266eed5ffa741e8c2b8c48713

SHA256
d25235a3cdc6a82e9b5f6cdcd0c904e276dd31da1b3dbbca23315233a89af75c

SHA512
dfaf689fa494306b0898fe0d036fb2ea4dbe003a5a53f0b308c2d4117a2681f082e70b9f762003aaa817a0df34a47d4fa3c94716de74075574af287a3f82d706

Download Submit
\Users\Admin\maaaduf.exe

Filesize
224KB

MD5
4061cf737f39a0bb91bad0e8de3dd0e6

SHA1
9f80157408c81fa266eed5ffa741e8c2b8c48713

SHA256
d25235a3cdc6a82e9b5f6cdcd0c904e276dd31da1b3dbbca23315233a89af75c

SHA512
dfaf689fa494306b0898fe0d036fb2ea4dbe003a5a53f0b308c2d4117a2681f082e70b9f762003aaa817a0df34a47d4fa3c94716de74075574af287a3f82d706

Download Submit
\Users\Admin\maaaduf.exe

Filesize
224KB

MD5
4061cf737f39a0bb91bad0e8de3dd0e6

SHA1
9f80157408c81fa266eed5ffa741e8c2b8c48713

SHA256
d25235a3cdc6a82e9b5f6cdcd0c904e276dd31da1b3dbbca23315233a89af75c

SHA512
dfaf689fa494306b0898fe0d036fb2ea4dbe003a5a53f0b308c2d4117a2681f082e70b9f762003aaa817a0df34a47d4fa3c94716de74075574af287a3f82d706

Download Submit
memory/2036-56-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download