bf7baca4631d7c39b707c2999632d9031871b842452d25de35194fbfd8f3a106

Analysis

max time kernel
150s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf7baca4631d7c39b707c2999632d9031871b842452d25de35194fbfd8f3a106.exe
Size

232KB
MD5

1896bc5d2d0c6cfbd39c323c3c1058df
SHA1

3c27f74ba0c41fa8c09a11ffc39972eb0f3fbca8
SHA256

bf7baca4631d7c39b707c2999632d9031871b842452d25de35194fbfd8f3a106
SHA512

0af3a6e21de54aba62eff793711a4f75f7813098177eeae82627f5dc196b892721376be63bc102373d57b1934a82d115708cba6a1de287b2eab7dd4d48cae502
SSDEEP

6144:Ft3PFKs78g2KyEOaWEqxF6snji81RUinKdNOR:PPh+mFg

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bf7baca4631d7c39b707c2999632d9031871b842452d25de35194fbfd8f3a106.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zuuxuuw.exe

Executes dropped EXE 1 IoCs

pid	Process
1640	zuuxuuw.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	bf7baca4631d7c39b707c2999632d9031871b842452d25de35194fbfd8f3a106.exe
1720	bf7baca4631d7c39b707c2999632d9031871b842452d25de35194fbfd8f3a106.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /u"	bf7baca4631d7c39b707c2999632d9031871b842452d25de35194fbfd8f3a106.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /u"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /y"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /v"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /c"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /z"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /f"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /m"	zuuxuuw.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /x"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /n"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /a"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /k"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /g"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /e"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /r"	zuuxuuw.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	bf7baca4631d7c39b707c2999632d9031871b842452d25de35194fbfd8f3a106.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /q"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /w"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /i"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /d"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /b"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /o"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /t"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /j"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /s"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /l"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /h"	zuuxuuw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\zuuxuuw = "C:\\Users\\Admin\\zuuxuuw.exe /p"	zuuxuuw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1720	bf7baca4631d7c39b707c2999632d9031871b842452d25de35194fbfd8f3a106.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe
1640	zuuxuuw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1720	bf7baca4631d7c39b707c2999632d9031871b842452d25de35194fbfd8f3a106.exe
1640	zuuxuuw.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1640	1720	bf7baca4631d7c39b707c2999632d9031871b842452d25de35194fbfd8f3a106.exe	27
PID 1720 wrote to memory of 1640	1720	bf7baca4631d7c39b707c2999632d9031871b842452d25de35194fbfd8f3a106.exe	27
PID 1720 wrote to memory of 1640	1720	bf7baca4631d7c39b707c2999632d9031871b842452d25de35194fbfd8f3a106.exe	27
PID 1720 wrote to memory of 1640	1720	bf7baca4631d7c39b707c2999632d9031871b842452d25de35194fbfd8f3a106.exe	27

C:\Users\Admin\AppData\Local\Temp\bf7baca4631d7c39b707c2999632d9031871b842452d25de35194fbfd8f3a106.exe
"C:\Users\Admin\AppData\Local\Temp\bf7baca4631d7c39b707c2999632d9031871b842452d25de35194fbfd8f3a106.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\zuuxuuw.exe
  "C:\Users\Admin\zuuxuuw.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\zuuxuuw.exe

Filesize
232KB

MD5
b11cfbba308d6d3b25141fda20c959a9

SHA1
eb15965aab7f551cf9b1da5558dada59a65df42a

SHA256
68c5b9a0fef1763c2301fa1c640aae24caaebbe5b76a3fbe0278d64ce387611b

SHA512
75f93c55f35d32dc350d2ebdb26b132ce64bb18476fc4abb77decdf0c90d1d7c31f33cb25fa97ead156d42599da76d382e43da1cf64422e0b918cd07a3a335ca

Download Submit
C:\Users\Admin\zuuxuuw.exe

Filesize
232KB

MD5
b11cfbba308d6d3b25141fda20c959a9

SHA1
eb15965aab7f551cf9b1da5558dada59a65df42a

SHA256
68c5b9a0fef1763c2301fa1c640aae24caaebbe5b76a3fbe0278d64ce387611b

SHA512
75f93c55f35d32dc350d2ebdb26b132ce64bb18476fc4abb77decdf0c90d1d7c31f33cb25fa97ead156d42599da76d382e43da1cf64422e0b918cd07a3a335ca

Download Submit
\Users\Admin\zuuxuuw.exe

Filesize
232KB

MD5
b11cfbba308d6d3b25141fda20c959a9

SHA1
eb15965aab7f551cf9b1da5558dada59a65df42a

SHA256
68c5b9a0fef1763c2301fa1c640aae24caaebbe5b76a3fbe0278d64ce387611b

SHA512
75f93c55f35d32dc350d2ebdb26b132ce64bb18476fc4abb77decdf0c90d1d7c31f33cb25fa97ead156d42599da76d382e43da1cf64422e0b918cd07a3a335ca

Download Submit
\Users\Admin\zuuxuuw.exe

Filesize
232KB

MD5
b11cfbba308d6d3b25141fda20c959a9

SHA1
eb15965aab7f551cf9b1da5558dada59a65df42a

SHA256
68c5b9a0fef1763c2301fa1c640aae24caaebbe5b76a3fbe0278d64ce387611b

SHA512
75f93c55f35d32dc350d2ebdb26b132ce64bb18476fc4abb77decdf0c90d1d7c31f33cb25fa97ead156d42599da76d382e43da1cf64422e0b918cd07a3a335ca

Download Submit
memory/1720-56-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download