Analysis
max time kernel: 79s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 16:57
Static task: static1
Behavioral task: behavioral1
  Sample: d755c5b45842e68a4bb54f72a44e4a3768e6acdf6e4ec8e65c05d821b54b5bfc.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: d755c5b45842e68a4bb54f72a44e4a3768e6acdf6e4ec8e65c05d821b54b5bfc.exe
  Resource: win10v2004-20220901-en
General
Target: d755c5b45842e68a4bb54f72a44e4a3768e6acdf6e4ec8e65c05d821b54b5bfc.exe
Size: 232KB
MD5: 2cf2ae07a2811153d8f535e6b6979e6c
SHA1: 455a5359e41eb6974f77cfa43871d80df61a84d0
SHA256: d755c5b45842e68a4bb54f72a44e4a3768e6acdf6e4ec8e65c05d821b54b5bfc
SHA512: e499f2ea86cd35595c90b7505e74feba84a52eb0324f8aaacfdc3799eb719a62a95ef34eefa238d76e2a6ddbf39f14cc894a69a4f3e74ea71b80e73dd06d856b
SSDEEP: 3072:Ao4x9+Jqwpvn1NK/zeWR0Q774aqosAm+wEE:991NK/z9Rd774aqosAm+wH
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description / ioc / Process:
  Set value (int)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  d755c5b45842e68a4bb54f72a44e4a3768e6acdf6e4ec8e65c05d821b54b5bfc.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  fuipa.exe
Executes dropped EXE (1 IoCs)
  pid / Process:
  5040  fuipa.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description / ioc / Process:
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  d755c5b45842e68a4bb54f72a44e4a3768e6acdf6e4ec8e65c05d821b54b5bfc.exe
Adds Run key to start application (2 TTPs, 27 IoCs)
  description / ioc / Process:
  Key created      \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /b"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /m"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /f"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /a"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /i"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /s"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /n"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /z"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /p"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /q"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /x"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /r"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /w"  fuipa.exe
  Key created      \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\  d755c5b45842e68a4bb54f72a44e4a3768e6acdf6e4ec8e65c05d821b54b5bfc.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /v"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /j"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /g"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /h"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /d"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /t"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /y"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /c"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /e"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /u"  fuipa.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /c"  d755c5b45842e68a4bb54f72a44e4a3768e6acdf6e4ec8e65c05d821b54b5bfc.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuipa = "C:\\Users\\Admin\\fuipa.exe /k"  fuipa.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process:
  388   d755c5b45842e68a4bb54f72a44e4a3768e6acdf6e4ec8e65c05d821b54b5bfc.exe  (2 entries)
  5040  fuipa.exe  (62 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process:
  388   d755c5b45842e68a4bb54f72a44e4a3768e6acdf6e4ec8e65c05d821b54b5bfc.exe
  5040  fuipa.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / Process / procid_target:
  PID 388 wrote to memory of 5040  388  d755c5b45842e68a4bb54f72a44e4a3768e6acdf6e4ec8e65c05d821b54b5bfc.exe  80
  PID 388 wrote to memory of 5040  388  d755c5b45842e68a4bb54f72a44e4a3768e6acdf6e4ec8e65c05d821b54b5bfc.exe  80
  PID 388 wrote to memory of 5040  388  d755c5b45842e68a4bb54f72a44e4a3768e6acdf6e4ec8e65c05d821b54b5bfc.exe  80
Processes
1. C:\Users\Admin\AppData\Local\Temp\d755c5b45842e68a4bb54f72a44e4a3768e6acdf6e4ec8e65c05d821b54b5bfc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d755c5b45842e68a4bb54f72a44e4a3768e6acdf6e4ec8e65c05d821b54b5bfc.exe"
   PID: 388
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\fuipa.exe
      Command line: "C:\Users\Admin\fuipa.exe"
      PID: 5040
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 232KB
MD5: da7d725ad33a486cb062f63df091bdd3
SHA1: eb9c3d279174442ea86f781f709418af3ae319ab
SHA256: 069889eb47f9408091410322775bad46f207c58250689d17c36a3fe2e46cc321
SHA512: f5a3b3701734a46c4e2da35fb6a10588eadf7b5b103b550dc61097cec7e4d15271debf0d6f708bc164d857fc0819374ee6572140acfb7f0d8fe7667aa01ef46b