e0e1fb23c46ca7c5b81faded225f6ff176d69e938b10a992e360e1cf7a598ad8

Analysis

max time kernel
258s
max time network
332s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0e1fb23c46ca7c5b81faded225f6ff176d69e938b10a992e360e1cf7a598ad8.exe
Size

100KB
MD5

1ee4ce13b367789586893126bccb17e0
SHA1

dc2cc4877537e765ee32211fdd17dcb8fcf8541a
SHA256

e0e1fb23c46ca7c5b81faded225f6ff176d69e938b10a992e360e1cf7a598ad8
SHA512

48f220e17c2797bc94382a9cae729769be98b93a62135ae19de74b46510d80913d9b17c6aca8b82f04f91d7e0a3baf02ca8777729f5d29168cef5e0d826f8834
SSDEEP

1536:PC/8iAuismyWsjKCWRw0wF9MGM9K/lKtNgCMbATbL3N+NM5EfsNIjnZUc:qjKHtTLOM57CnCc

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e0e1fb23c46ca7c5b81faded225f6ff176d69e938b10a992e360e1cf7a598ad8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xaiiw.exe

Executes dropped EXE 1 IoCs

pid	Process
688	xaiiw.exe

Loads dropped DLL 2 IoCs

pid	Process
1032	e0e1fb23c46ca7c5b81faded225f6ff176d69e938b10a992e360e1cf7a598ad8.exe
1032	e0e1fb23c46ca7c5b81faded225f6ff176d69e938b10a992e360e1cf7a598ad8.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /y"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /i"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /D"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /Z"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /k"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /g"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /G"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /q"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /F"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /l"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /U"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /m"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /j"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /x"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /T"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /X"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /P"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /d"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /B"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /e"	xaiiw.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /c"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /S"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /w"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /o"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /O"	xaiiw.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	e0e1fb23c46ca7c5b81faded225f6ff176d69e938b10a992e360e1cf7a598ad8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /r"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /E"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /f"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /Q"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /A"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /h"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /M"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /v"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /b"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /z"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /T"	e0e1fb23c46ca7c5b81faded225f6ff176d69e938b10a992e360e1cf7a598ad8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /I"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /u"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /s"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /a"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /p"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /C"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /J"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /H"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /N"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /V"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /t"	xaiiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaiiw = "C:\\Users\\Admin\\xaiiw.exe /Y"	xaiiw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1032	e0e1fb23c46ca7c5b81faded225f6ff176d69e938b10a992e360e1cf7a598ad8.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe
688	xaiiw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1032	e0e1fb23c46ca7c5b81faded225f6ff176d69e938b10a992e360e1cf7a598ad8.exe
688	xaiiw.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 688	1032	e0e1fb23c46ca7c5b81faded225f6ff176d69e938b10a992e360e1cf7a598ad8.exe	28
PID 1032 wrote to memory of 688	1032	e0e1fb23c46ca7c5b81faded225f6ff176d69e938b10a992e360e1cf7a598ad8.exe	28
PID 1032 wrote to memory of 688	1032	e0e1fb23c46ca7c5b81faded225f6ff176d69e938b10a992e360e1cf7a598ad8.exe	28
PID 1032 wrote to memory of 688	1032	e0e1fb23c46ca7c5b81faded225f6ff176d69e938b10a992e360e1cf7a598ad8.exe	28

C:\Users\Admin\AppData\Local\Temp\e0e1fb23c46ca7c5b81faded225f6ff176d69e938b10a992e360e1cf7a598ad8.exe
"C:\Users\Admin\AppData\Local\Temp\e0e1fb23c46ca7c5b81faded225f6ff176d69e938b10a992e360e1cf7a598ad8.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\xaiiw.exe
  "C:\Users\Admin\xaiiw.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\xaiiw.exe

Filesize
100KB

MD5
bafe43a7397b4ee361414902538853e5

SHA1
ed20391abf1ae115cd09fb4acb3ef923d1ff593e

SHA256
3884ba731ab4c9f1220eb56aaadd1e946eed8493f6e2d395cebecd4eb056d73b

SHA512
5a332a36e2e2e9b547f03bd4c1b73f6d28908ac2f2f78461785084a9e9ffd6a2bbe04ac8fd49cc872cf8d0df38fa0604bf9187ecef50bb1edf0bc4ebb26c70aa

Download Submit
C:\Users\Admin\xaiiw.exe

Filesize
100KB

MD5
bafe43a7397b4ee361414902538853e5

SHA1
ed20391abf1ae115cd09fb4acb3ef923d1ff593e

SHA256
3884ba731ab4c9f1220eb56aaadd1e946eed8493f6e2d395cebecd4eb056d73b

SHA512
5a332a36e2e2e9b547f03bd4c1b73f6d28908ac2f2f78461785084a9e9ffd6a2bbe04ac8fd49cc872cf8d0df38fa0604bf9187ecef50bb1edf0bc4ebb26c70aa

Download Submit
\Users\Admin\xaiiw.exe

Filesize
100KB

MD5
bafe43a7397b4ee361414902538853e5

SHA1
ed20391abf1ae115cd09fb4acb3ef923d1ff593e

SHA256
3884ba731ab4c9f1220eb56aaadd1e946eed8493f6e2d395cebecd4eb056d73b

SHA512
5a332a36e2e2e9b547f03bd4c1b73f6d28908ac2f2f78461785084a9e9ffd6a2bbe04ac8fd49cc872cf8d0df38fa0604bf9187ecef50bb1edf0bc4ebb26c70aa

Download Submit
\Users\Admin\xaiiw.exe

Filesize
100KB

MD5
bafe43a7397b4ee361414902538853e5

SHA1
ed20391abf1ae115cd09fb4acb3ef923d1ff593e

SHA256
3884ba731ab4c9f1220eb56aaadd1e946eed8493f6e2d395cebecd4eb056d73b

SHA512
5a332a36e2e2e9b547f03bd4c1b73f6d28908ac2f2f78461785084a9e9ffd6a2bbe04ac8fd49cc872cf8d0df38fa0604bf9187ecef50bb1edf0bc4ebb26c70aa

Download Submit
memory/688-59-0x0000000000000000-mapping.dmp

Download
memory/1032-56-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download