1afe26afd319f8d46a0f303f87dd4692b529a3967b906b189ac433163ffb055e

Analysis

max time kernel
153s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 15:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1afe26afd319f8d46a0f303f87dd4692b529a3967b906b189ac433163ffb055e.exe
Size

192KB
MD5

3a4108e487e2270e6b86b4507e492a20
SHA1

2c1fa3a5e1d39513ee5b2d39910dfcbe5e0bf902
SHA256

1afe26afd319f8d46a0f303f87dd4692b529a3967b906b189ac433163ffb055e
SHA512

9a0e1d6b19387b573c86e03053f6bb63a886b23ec3ae77565d087245c36609a58a0642371649cece83573f0784c8d620eb2c74efdf78b561aa0e864c39ae62c8
SSDEEP

3072:wu8+pADOBrpM3lt0bqO4deKIpS2Q9tC3UwtxaTSGzGXDzp8D8OJbhaDLe3o23:EOBr63cbqO40K394aTSGzGZ8ogfYe

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1afe26afd319f8d46a0f303f87dd4692b529a3967b906b189ac433163ffb055e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	daeoc.exe

Executes dropped EXE 1 IoCs

pid	Process
1732	daeoc.exe

Loads dropped DLL 2 IoCs

pid	Process
800	1afe26afd319f8d46a0f303f87dd4692b529a3967b906b189ac433163ffb055e.exe
800	1afe26afd319f8d46a0f303f87dd4692b529a3967b906b189ac433163ffb055e.exe

Adds Run key to start application 2 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /j"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /Y"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /v"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /S"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /b"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /n"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /t"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /V"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /r"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /p"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /L"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /I"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /D"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /J"	daeoc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	1afe26afd319f8d46a0f303f87dd4692b529a3967b906b189ac433163ffb055e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /X"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /y"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /q"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /A"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /l"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /Y"	1afe26afd319f8d46a0f303f87dd4692b529a3967b906b189ac433163ffb055e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /C"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /U"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /W"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /e"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /z"	daeoc.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /Z"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /d"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /c"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /R"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /m"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /M"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /s"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /u"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /F"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /O"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /a"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /G"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /H"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /B"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /K"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /Q"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /x"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /o"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /f"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /h"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /g"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /w"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /T"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /i"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /E"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /k"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /P"	daeoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\daeoc = "C:\\Users\\Admin\\daeoc.exe /N"	daeoc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
800	1afe26afd319f8d46a0f303f87dd4692b529a3967b906b189ac433163ffb055e.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe
1732	daeoc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
800	1afe26afd319f8d46a0f303f87dd4692b529a3967b906b189ac433163ffb055e.exe
1732	daeoc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 1732	800	1afe26afd319f8d46a0f303f87dd4692b529a3967b906b189ac433163ffb055e.exe	28
PID 800 wrote to memory of 1732	800	1afe26afd319f8d46a0f303f87dd4692b529a3967b906b189ac433163ffb055e.exe	28
PID 800 wrote to memory of 1732	800	1afe26afd319f8d46a0f303f87dd4692b529a3967b906b189ac433163ffb055e.exe	28
PID 800 wrote to memory of 1732	800	1afe26afd319f8d46a0f303f87dd4692b529a3967b906b189ac433163ffb055e.exe	28

C:\Users\Admin\AppData\Local\Temp\1afe26afd319f8d46a0f303f87dd4692b529a3967b906b189ac433163ffb055e.exe
"C:\Users\Admin\AppData\Local\Temp\1afe26afd319f8d46a0f303f87dd4692b529a3967b906b189ac433163ffb055e.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\daeoc.exe
  "C:\Users\Admin\daeoc.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\daeoc.exe

Filesize
192KB

MD5
a92ada22275bdbaf3a769e025bf43ee7

SHA1
4373c7e8a23f880c4474517165b1a0dbe25fefe4

SHA256
b682e87890cfa59d3bbf9b15ec000330271f70169951aca12ea4f5a684586d3b

SHA512
0d7b7c2d1768d87818ee9f9a5a11a3e5b1d6e9adf9e837542d94bf43709f7c0231132c57196f53933d8dfd59cd926241a23442f9731b1b9af9e961fc7ad7f01f

Download Submit
C:\Users\Admin\daeoc.exe

Filesize
192KB

MD5
a92ada22275bdbaf3a769e025bf43ee7

SHA1
4373c7e8a23f880c4474517165b1a0dbe25fefe4

SHA256
b682e87890cfa59d3bbf9b15ec000330271f70169951aca12ea4f5a684586d3b

SHA512
0d7b7c2d1768d87818ee9f9a5a11a3e5b1d6e9adf9e837542d94bf43709f7c0231132c57196f53933d8dfd59cd926241a23442f9731b1b9af9e961fc7ad7f01f

Download Submit
\Users\Admin\daeoc.exe

Filesize
192KB

MD5
a92ada22275bdbaf3a769e025bf43ee7

SHA1
4373c7e8a23f880c4474517165b1a0dbe25fefe4

SHA256
b682e87890cfa59d3bbf9b15ec000330271f70169951aca12ea4f5a684586d3b

SHA512
0d7b7c2d1768d87818ee9f9a5a11a3e5b1d6e9adf9e837542d94bf43709f7c0231132c57196f53933d8dfd59cd926241a23442f9731b1b9af9e961fc7ad7f01f

Download Submit
\Users\Admin\daeoc.exe

Filesize
192KB

MD5
a92ada22275bdbaf3a769e025bf43ee7

SHA1
4373c7e8a23f880c4474517165b1a0dbe25fefe4

SHA256
b682e87890cfa59d3bbf9b15ec000330271f70169951aca12ea4f5a684586d3b

SHA512
0d7b7c2d1768d87818ee9f9a5a11a3e5b1d6e9adf9e837542d94bf43709f7c0231132c57196f53933d8dfd59cd926241a23442f9731b1b9af9e961fc7ad7f01f

Download Submit
memory/800-56-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download