Analysis
-
max time kernel
151s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
29-11-2022 17:01
Static task
static1
Behavioral task
behavioral1
Sample
cdb7b7e2b55b61760257a47caecceb9aa032da958a43ac349e43f95542b7286d.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
cdb7b7e2b55b61760257a47caecceb9aa032da958a43ac349e43f95542b7286d.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
cdb7b7e2b55b61760257a47caecceb9aa032da958a43ac349e43f95542b7286d.exe
-
Size
104KB
-
MD5
824d03e3300b4a10b50cd114b4967572
-
SHA1
8dca80d35a007df51b75d102a8a2ed93c328f3b9
-
SHA256
cdb7b7e2b55b61760257a47caecceb9aa032da958a43ac349e43f95542b7286d
-
SHA512
ec3bf981ee6db8661d90cdbac8f85ce6a9dbbf74588df16dcc9a7d9d65432449438a2ed0aeae44fbe6620641dd6efdcd9e4d783c7d7fdaedb3ed3af9e0a3338c
-
SSDEEP
1536:QvLRvx+u3s+HBchhQKNIqpOcQv0sTEFSocloXjLl03F:Wq+eiKNZJQv0sTNo3m3F
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cdb7b7e2b55b61760257a47caecceb9aa032da958a43ac349e43f95542b7286d.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" hiubeaf.exe -
Executes dropped EXE 1 IoCs
pid Process 3824 hiubeaf.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation cdb7b7e2b55b61760257a47caecceb9aa032da958a43ac349e43f95542b7286d.exe -
Adds Run key to start application 2 TTPs 28 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /m" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /l" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /s" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /h" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /n" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /b" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /o" cdb7b7e2b55b61760257a47caecceb9aa032da958a43ac349e43f95542b7286d.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\ hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /d" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /w" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /i" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /k" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /x" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /z" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /g" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /r" hiubeaf.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\ cdb7b7e2b55b61760257a47caecceb9aa032da958a43ac349e43f95542b7286d.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /v" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /c" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /e" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /p" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /j" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /u" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /t" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /f" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /o" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /q" hiubeaf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hiubeaf = "C:\\Users\\Admin\\hiubeaf.exe /y" hiubeaf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4912 cdb7b7e2b55b61760257a47caecceb9aa032da958a43ac349e43f95542b7286d.exe 4912 cdb7b7e2b55b61760257a47caecceb9aa032da958a43ac349e43f95542b7286d.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe 3824 hiubeaf.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4912 cdb7b7e2b55b61760257a47caecceb9aa032da958a43ac349e43f95542b7286d.exe 3824 hiubeaf.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4912 wrote to memory of 3824 4912 cdb7b7e2b55b61760257a47caecceb9aa032da958a43ac349e43f95542b7286d.exe 86 PID 4912 wrote to memory of 3824 4912 cdb7b7e2b55b61760257a47caecceb9aa032da958a43ac349e43f95542b7286d.exe 86 PID 4912 wrote to memory of 3824 4912 cdb7b7e2b55b61760257a47caecceb9aa032da958a43ac349e43f95542b7286d.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdb7b7e2b55b61760257a47caecceb9aa032da958a43ac349e43f95542b7286d.exe"C:\Users\Admin\AppData\Local\Temp\cdb7b7e2b55b61760257a47caecceb9aa032da958a43ac349e43f95542b7286d.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Users\Admin\hiubeaf.exe"C:\Users\Admin\hiubeaf.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3824
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
104KB
MD5e942bf121b40b720f096cf0771a384a0
SHA135be73bd5e6ef6e4d2f665dcfede0860945cb00b
SHA256636c4d71483069cba5924aaf94755c6ffed241f32a7df3c46c2dd50ce109d504
SHA512102f106d82647d053e21408185698b5c5ed2894f3ad1a3eb52b0429b2e98a9c5b9472ccf69414a31c44d4b27186b3cafce5d4ec45e3df24cbe0cdfae3253b75a
-
Filesize
104KB
MD5e942bf121b40b720f096cf0771a384a0
SHA135be73bd5e6ef6e4d2f665dcfede0860945cb00b
SHA256636c4d71483069cba5924aaf94755c6ffed241f32a7df3c46c2dd50ce109d504
SHA512102f106d82647d053e21408185698b5c5ed2894f3ad1a3eb52b0429b2e98a9c5b9472ccf69414a31c44d4b27186b3cafce5d4ec45e3df24cbe0cdfae3253b75a