83fd362c23110ef5077543c0c4442e7a0187776b7762ebff5bd55e8f7975a824

Analysis

max time kernel
202s
max time network
88s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 17:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

83fd362c23110ef5077543c0c4442e7a0187776b7762ebff5bd55e8f7975a824.exe
Size

108KB
MD5

6c74a17451fabab44a7f7f3f55c25a9d
SHA1

caaad8a1b86f1c58ec5e2df5f56faa69b8b4dc6e
SHA256

83fd362c23110ef5077543c0c4442e7a0187776b7762ebff5bd55e8f7975a824
SHA512

47b5c87dc3dffebcedd61c30102a4aab419443f2491dc8bdd3e7f4cc34e1431f3a01aadc2b4501447cd6bbdd2c354abf6480467ba6474e4ee2be668d85b3225e
SSDEEP

1536:9li4KiB6oQ7Lh5+sXmNt0ttiS9UaPXLq0zTrk3:/rmoIeZtXEXTzTo3

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	83fd362c23110ef5077543c0c4442e7a0187776b7762ebff5bd55e8f7975a824.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	gwxoev.exe

Executes dropped EXE 1 IoCs

pid	Process
1496	gwxoev.exe

Loads dropped DLL 2 IoCs

pid	Process
844	83fd362c23110ef5077543c0c4442e7a0187776b7762ebff5bd55e8f7975a824.exe
844	83fd362c23110ef5077543c0c4442e7a0187776b7762ebff5bd55e8f7975a824.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /f"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /o"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /b"	83fd362c23110ef5077543c0c4442e7a0187776b7762ebff5bd55e8f7975a824.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /t"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /r"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /y"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /z"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /a"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /p"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /s"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /g"	gwxoev.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	83fd362c23110ef5077543c0c4442e7a0187776b7762ebff5bd55e8f7975a824.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /i"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /h"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /c"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /x"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /d"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /u"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /m"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /b"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /n"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /q"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /e"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /v"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /k"	gwxoev.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /l"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /j"	gwxoev.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwxoev = "C:\\Users\\Admin\\gwxoev.exe /w"	gwxoev.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
844	83fd362c23110ef5077543c0c4442e7a0187776b7762ebff5bd55e8f7975a824.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe
1496	gwxoev.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
844	83fd362c23110ef5077543c0c4442e7a0187776b7762ebff5bd55e8f7975a824.exe
1496	gwxoev.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 1496	844	83fd362c23110ef5077543c0c4442e7a0187776b7762ebff5bd55e8f7975a824.exe	28
PID 844 wrote to memory of 1496	844	83fd362c23110ef5077543c0c4442e7a0187776b7762ebff5bd55e8f7975a824.exe	28
PID 844 wrote to memory of 1496	844	83fd362c23110ef5077543c0c4442e7a0187776b7762ebff5bd55e8f7975a824.exe	28
PID 844 wrote to memory of 1496	844	83fd362c23110ef5077543c0c4442e7a0187776b7762ebff5bd55e8f7975a824.exe	28

C:\Users\Admin\AppData\Local\Temp\83fd362c23110ef5077543c0c4442e7a0187776b7762ebff5bd55e8f7975a824.exe
"C:\Users\Admin\AppData\Local\Temp\83fd362c23110ef5077543c0c4442e7a0187776b7762ebff5bd55e8f7975a824.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:844
- C:\Users\Admin\gwxoev.exe
  "C:\Users\Admin\gwxoev.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\gwxoev.exe

Filesize
108KB

MD5
2a31744cade5e9761594199d0a8c7111

SHA1
aab6d602dcdd2e9e85494896b4d3b73c7ab536f2

SHA256
80b27733991f4203872e3b2f41df53b92ec82164cbf5edd4712237a2bdbb5449

SHA512
f1961f34a5540dd82f3b84ebc40ee5164db287ada80910ba3a8ee816b31f87c53495ffb9e7196989356567934c85d62d8a0b8fda179f1f156a5cc25fc2511775

Download Submit
C:\Users\Admin\gwxoev.exe

Filesize
108KB

MD5
2a31744cade5e9761594199d0a8c7111

SHA1
aab6d602dcdd2e9e85494896b4d3b73c7ab536f2

SHA256
80b27733991f4203872e3b2f41df53b92ec82164cbf5edd4712237a2bdbb5449

SHA512
f1961f34a5540dd82f3b84ebc40ee5164db287ada80910ba3a8ee816b31f87c53495ffb9e7196989356567934c85d62d8a0b8fda179f1f156a5cc25fc2511775

Download Submit
\Users\Admin\gwxoev.exe

Filesize
108KB

MD5
2a31744cade5e9761594199d0a8c7111

SHA1
aab6d602dcdd2e9e85494896b4d3b73c7ab536f2

SHA256
80b27733991f4203872e3b2f41df53b92ec82164cbf5edd4712237a2bdbb5449

SHA512
f1961f34a5540dd82f3b84ebc40ee5164db287ada80910ba3a8ee816b31f87c53495ffb9e7196989356567934c85d62d8a0b8fda179f1f156a5cc25fc2511775

Download Submit
\Users\Admin\gwxoev.exe

Filesize
108KB

MD5
2a31744cade5e9761594199d0a8c7111

SHA1
aab6d602dcdd2e9e85494896b4d3b73c7ab536f2

SHA256
80b27733991f4203872e3b2f41df53b92ec82164cbf5edd4712237a2bdbb5449

SHA512
f1961f34a5540dd82f3b84ebc40ee5164db287ada80910ba3a8ee816b31f87c53495ffb9e7196989356567934c85d62d8a0b8fda179f1f156a5cc25fc2511775

Download Submit
memory/844-54-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/844-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/844-57-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/844-66-0x0000000002B00000-0x0000000002B1C000-memory.dmp

Filesize
112KB

Download
memory/844-67-0x0000000002B00000-0x0000000002B1C000-memory.dmp

Filesize
112KB

Download
memory/844-70-0x0000000002B00000-0x0000000002B1C000-memory.dmp

Filesize
112KB

Download
memory/1496-68-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1496-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download