c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc

Analysis

max time kernel
154s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe
Size

192KB
MD5

49a66d018b361cad503fb8c8a170ebd2
SHA1

c631df32bf1047b157648f3ec738633041f1016e
SHA256

c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc
SHA512

1a34efeda1e7ddd1dac8595584d9896777ff15fd0ea4982ca5d93f8506578bba44d02f2a24a154a922ef46d0be4a76100e1695bce5b6d240adec3948d0d181a1
SSDEEP

3072:rtrZuCWv2JQcFBKBJy6apbuD2VMbj1hlUyw/1obo:rzBWvUFIJlapu2V21r/Y

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	souzeul.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe

Executes dropped EXE 1 IoCs

pid	Process
4140	souzeul.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe

Adds Run key to start application 2 TTPs 45 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /W"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /y"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /U"	souzeul.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /a"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /z"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /F"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /B"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /r"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /M"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /p"	souzeul.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /Z"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /w"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /C"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /D"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /G"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /m"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /Y"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /c"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /H"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /f"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /t"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /l"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /V"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /P"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /v"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /T"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /q"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /J"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /Q"	c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /b"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /Q"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /j"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /L"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /k"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /E"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /o"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /u"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /R"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /n"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /I"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /x"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /d"	souzeul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\souzeul = "C:\\Users\\Admin\\souzeul.exe /e"	souzeul.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2704	c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe
2704	c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe
4140	souzeul.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2704	c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe
4140	souzeul.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 4140	2704	c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe	86
PID 2704 wrote to memory of 4140	2704	c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe	86
PID 2704 wrote to memory of 4140	2704	c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe	86

C:\Users\Admin\AppData\Local\Temp\c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe
"C:\Users\Admin\AppData\Local\Temp\c012f53dd959f7525def5990b132e55c73c5f288eb1cbeb75fe40451e50831dc.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\souzeul.exe
  "C:\Users\Admin\souzeul.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\souzeul.exe

Filesize
192KB

MD5
2ced7154d514e3f3af7efdc403d79084

SHA1
ae03b54f431f311f4971a43564588b702daced4b

SHA256
992ee5ba62db2aa50fd790b77921f99431dbc6c6fb44758505883139a63d7f76

SHA512
907e4b52af292c33a37d45ebd0c988b84b2e49f65c6262362bdebf8a4766321e2684a4e8ddaf829bc08ce2fae5b3bd7f15a1c05e7e7fe6e6ed78301df9ad586d

Download Submit
C:\Users\Admin\souzeul.exe

Filesize
192KB

MD5
2ced7154d514e3f3af7efdc403d79084

SHA1
ae03b54f431f311f4971a43564588b702daced4b

SHA256
992ee5ba62db2aa50fd790b77921f99431dbc6c6fb44758505883139a63d7f76

SHA512
907e4b52af292c33a37d45ebd0c988b84b2e49f65c6262362bdebf8a4766321e2684a4e8ddaf829bc08ce2fae5b3bd7f15a1c05e7e7fe6e6ed78301df9ad586d

Download Submit