ea5367f72b81698c8434adf2b3b1eb6d16377261df346fcb852231b2061238fe

Analysis

max time kernel
150s
max time network
77s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea5367f72b81698c8434adf2b3b1eb6d16377261df346fcb852231b2061238fe.exe
Size

204KB
MD5

bc15713ad81d65aeefda6686de5320b2
SHA1

f71335458adffa8344f1d93ff19ed103e5f37b02
SHA256

ea5367f72b81698c8434adf2b3b1eb6d16377261df346fcb852231b2061238fe
SHA512

0c92d544b182453691798b5e42502c37b48b193570e7077012d777ee5a32b3c69d3b7655fbeb7235cc24051b98d138634936bbd0efc42c5ff3df4c7e0f8f46a8
SSDEEP

3072:GmmFW8t0tQ9nLHbB9W0c1TqECzR/mkSYGrl9ymgYUWDCr:kUK4QxL7B9W0c1RCzR/fSml4C

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ea5367f72b81698c8434adf2b3b1eb6d16377261df346fcb852231b2061238fe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ciolie.exe

Executes dropped EXE 1 IoCs

pid	Process
1832	ciolie.exe

Loads dropped DLL 2 IoCs

pid	Process
1104	ea5367f72b81698c8434adf2b3b1eb6d16377261df346fcb852231b2061238fe.exe
1104	ea5367f72b81698c8434adf2b3b1eb6d16377261df346fcb852231b2061238fe.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /x"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /a"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /t"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /z"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /u"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /l"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /m"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /o"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /b"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /c"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /r"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /g"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /y"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /p"	ciolie.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ea5367f72b81698c8434adf2b3b1eb6d16377261df346fcb852231b2061238fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /q"	ea5367f72b81698c8434adf2b3b1eb6d16377261df346fcb852231b2061238fe.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /j"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /k"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /q"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /h"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /i"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /w"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /f"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /n"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /e"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /s"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /d"	ciolie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ciolie = "C:\\Users\\Admin\\ciolie.exe /v"	ciolie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1104	ea5367f72b81698c8434adf2b3b1eb6d16377261df346fcb852231b2061238fe.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe
1832	ciolie.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1104	ea5367f72b81698c8434adf2b3b1eb6d16377261df346fcb852231b2061238fe.exe
1832	ciolie.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1832	1104	ea5367f72b81698c8434adf2b3b1eb6d16377261df346fcb852231b2061238fe.exe	27
PID 1104 wrote to memory of 1832	1104	ea5367f72b81698c8434adf2b3b1eb6d16377261df346fcb852231b2061238fe.exe	27
PID 1104 wrote to memory of 1832	1104	ea5367f72b81698c8434adf2b3b1eb6d16377261df346fcb852231b2061238fe.exe	27
PID 1104 wrote to memory of 1832	1104	ea5367f72b81698c8434adf2b3b1eb6d16377261df346fcb852231b2061238fe.exe	27

C:\Users\Admin\AppData\Local\Temp\ea5367f72b81698c8434adf2b3b1eb6d16377261df346fcb852231b2061238fe.exe
"C:\Users\Admin\AppData\Local\Temp\ea5367f72b81698c8434adf2b3b1eb6d16377261df346fcb852231b2061238fe.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\ciolie.exe
  "C:\Users\Admin\ciolie.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ciolie.exe

Filesize
204KB

MD5
e42017651859ee7b6d3de6cf4491336e

SHA1
1fbf0561e2b1dbdf85ac8fdf219b2bbea00c3df4

SHA256
167a88f3a7866a3830f86585c188109a9984f5f6c4b3933b17631237e1a66ee6

SHA512
7f1d886bb7b2191d0c3558fad2ddcc18d3db3e590ac74fe3d7343bf3fe5f31069d767e999bd79c6d70f3b6b20c56134a0d3c4ed3fbed39d6cbd2b3f4d372e27c

Download Submit
C:\Users\Admin\ciolie.exe

Filesize
204KB

MD5
e42017651859ee7b6d3de6cf4491336e

SHA1
1fbf0561e2b1dbdf85ac8fdf219b2bbea00c3df4

SHA256
167a88f3a7866a3830f86585c188109a9984f5f6c4b3933b17631237e1a66ee6

SHA512
7f1d886bb7b2191d0c3558fad2ddcc18d3db3e590ac74fe3d7343bf3fe5f31069d767e999bd79c6d70f3b6b20c56134a0d3c4ed3fbed39d6cbd2b3f4d372e27c

Download Submit
\Users\Admin\ciolie.exe

Filesize
204KB

MD5
e42017651859ee7b6d3de6cf4491336e

SHA1
1fbf0561e2b1dbdf85ac8fdf219b2bbea00c3df4

SHA256
167a88f3a7866a3830f86585c188109a9984f5f6c4b3933b17631237e1a66ee6

SHA512
7f1d886bb7b2191d0c3558fad2ddcc18d3db3e590ac74fe3d7343bf3fe5f31069d767e999bd79c6d70f3b6b20c56134a0d3c4ed3fbed39d6cbd2b3f4d372e27c

Download Submit
\Users\Admin\ciolie.exe

Filesize
204KB

MD5
e42017651859ee7b6d3de6cf4491336e

SHA1
1fbf0561e2b1dbdf85ac8fdf219b2bbea00c3df4

SHA256
167a88f3a7866a3830f86585c188109a9984f5f6c4b3933b17631237e1a66ee6

SHA512
7f1d886bb7b2191d0c3558fad2ddcc18d3db3e590ac74fe3d7343bf3fe5f31069d767e999bd79c6d70f3b6b20c56134a0d3c4ed3fbed39d6cbd2b3f4d372e27c

Download Submit
memory/1104-56-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1832-59-0x0000000000000000-mapping.dmp

Download