98421398cb05058fb501fbe2b784c278254cdb6d55c40a816bce2e0ade8c450a

Analysis

max time kernel
187s
max time network
89s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 23:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

98421398cb05058fb501fbe2b784c278254cdb6d55c40a816bce2e0ade8c450a.exe
Size

212KB
MD5

c3eb0a014ebac7461f9fe3fd13dc158a
SHA1

66178b3bc38047063a44c319735e3528a2ce13c3
SHA256

98421398cb05058fb501fbe2b784c278254cdb6d55c40a816bce2e0ade8c450a
SHA512

a3c0b4ed1527e75510170d0d83953ead0e31a117aa3ba68813ce5705a5201e16b156f756e65806da1a4a99cda6614392660a8a8a2fa7843c7148f11358dccddf
SSDEEP

3072:z/VbPD2g8h7kvHEbncAXp4wiY3fXfLqus2RrMh9VsgV2Ksb+ET8/3TYhPR+fA4ey:zf87kvutdysb+duS3

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	98421398cb05058fb501fbe2b784c278254cdb6d55c40a816bce2e0ade8c450a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	kaoufew.exe

Executes dropped EXE 1 IoCs

pid	Process
2020	kaoufew.exe

Loads dropped DLL 2 IoCs

pid	Process
1128	98421398cb05058fb501fbe2b784c278254cdb6d55c40a816bce2e0ade8c450a.exe
1128	98421398cb05058fb501fbe2b784c278254cdb6d55c40a816bce2e0ade8c450a.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /j"	kaoufew.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	98421398cb05058fb501fbe2b784c278254cdb6d55c40a816bce2e0ade8c450a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /c"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /k"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /g"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /w"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /a"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /u"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /d"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /o"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /m"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /v"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /t"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /f"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /h"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /x"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /l"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /r"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /f"	98421398cb05058fb501fbe2b784c278254cdb6d55c40a816bce2e0ade8c450a.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /z"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /y"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /n"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /b"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /e"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /q"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /s"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /i"	kaoufew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\kaoufew = "C:\\Users\\Admin\\kaoufew.exe /p"	kaoufew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1128	98421398cb05058fb501fbe2b784c278254cdb6d55c40a816bce2e0ade8c450a.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe
2020	kaoufew.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1128	98421398cb05058fb501fbe2b784c278254cdb6d55c40a816bce2e0ade8c450a.exe
2020	kaoufew.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2020	1128	98421398cb05058fb501fbe2b784c278254cdb6d55c40a816bce2e0ade8c450a.exe	28
PID 1128 wrote to memory of 2020	1128	98421398cb05058fb501fbe2b784c278254cdb6d55c40a816bce2e0ade8c450a.exe	28
PID 1128 wrote to memory of 2020	1128	98421398cb05058fb501fbe2b784c278254cdb6d55c40a816bce2e0ade8c450a.exe	28
PID 1128 wrote to memory of 2020	1128	98421398cb05058fb501fbe2b784c278254cdb6d55c40a816bce2e0ade8c450a.exe	28

C:\Users\Admin\AppData\Local\Temp\98421398cb05058fb501fbe2b784c278254cdb6d55c40a816bce2e0ade8c450a.exe
"C:\Users\Admin\AppData\Local\Temp\98421398cb05058fb501fbe2b784c278254cdb6d55c40a816bce2e0ade8c450a.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\kaoufew.exe
  "C:\Users\Admin\kaoufew.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\kaoufew.exe

Filesize
212KB

MD5
3660e015764f3d99ea31898a7b469873

SHA1
5ecd9ad3bf0d942601324cd65b5aaeb27644034c

SHA256
ce9e202400bfcfa95abf01faee52a6a181d656a44292cc23c8f6a0984f29a81f

SHA512
24187efcc9212f7b95c2bac4617a6c66da61a9460e0b602571d9a2fbde6c198feafa995e53a5d3f871cd743f8fbe7339b3c67da3e31236fb20edbf9463f26f4c

Download Submit
C:\Users\Admin\kaoufew.exe

Filesize
212KB

MD5
3660e015764f3d99ea31898a7b469873

SHA1
5ecd9ad3bf0d942601324cd65b5aaeb27644034c

SHA256
ce9e202400bfcfa95abf01faee52a6a181d656a44292cc23c8f6a0984f29a81f

SHA512
24187efcc9212f7b95c2bac4617a6c66da61a9460e0b602571d9a2fbde6c198feafa995e53a5d3f871cd743f8fbe7339b3c67da3e31236fb20edbf9463f26f4c

Download Submit
\Users\Admin\kaoufew.exe

Filesize
212KB

MD5
3660e015764f3d99ea31898a7b469873

SHA1
5ecd9ad3bf0d942601324cd65b5aaeb27644034c

SHA256
ce9e202400bfcfa95abf01faee52a6a181d656a44292cc23c8f6a0984f29a81f

SHA512
24187efcc9212f7b95c2bac4617a6c66da61a9460e0b602571d9a2fbde6c198feafa995e53a5d3f871cd743f8fbe7339b3c67da3e31236fb20edbf9463f26f4c

Download Submit
\Users\Admin\kaoufew.exe

Filesize
212KB

MD5
3660e015764f3d99ea31898a7b469873

SHA1
5ecd9ad3bf0d942601324cd65b5aaeb27644034c

SHA256
ce9e202400bfcfa95abf01faee52a6a181d656a44292cc23c8f6a0984f29a81f

SHA512
24187efcc9212f7b95c2bac4617a6c66da61a9460e0b602571d9a2fbde6c198feafa995e53a5d3f871cd743f8fbe7339b3c67da3e31236fb20edbf9463f26f4c

Download Submit
memory/1128-56-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download