bdf2b21b23ec2e6ff5c49580d89b309979628c8ea101ccd8d943ab1e2f62dd6c

Analysis

max time kernel
152s
max time network
59s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdf2b21b23ec2e6ff5c49580d89b309979628c8ea101ccd8d943ab1e2f62dd6c.exe
Size

248KB
MD5

9f0793fe609e68775672a1832113e365
SHA1

946449d306c8eb910a483a825d659f21d12ca902
SHA256

bdf2b21b23ec2e6ff5c49580d89b309979628c8ea101ccd8d943ab1e2f62dd6c
SHA512

21ac7e301ad94322666987e15ff66d0856b9c2be214afd7c25e9445553c6146c046c850f9b4688a6948ad7c2071973a6f7fb369269be4a770fd8aefa7dd4e623
SSDEEP

3072:Um38lijxjXhI8hPNOkTJeJ7JwJHJ6JkBTrwGXfXkaA3tq14x6RgP+x+Tidc2YffS:NgiJhNNop2pYOLzulRBgF

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bdf2b21b23ec2e6ff5c49580d89b309979628c8ea101ccd8d943ab1e2f62dd6c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xeeun.exe

Executes dropped EXE 1 IoCs

pid	Process
2004	xeeun.exe

Loads dropped DLL 2 IoCs

pid	Process
784	bdf2b21b23ec2e6ff5c49580d89b309979628c8ea101ccd8d943ab1e2f62dd6c.exe
784	bdf2b21b23ec2e6ff5c49580d89b309979628c8ea101ccd8d943ab1e2f62dd6c.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /i"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /z"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /s"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /l"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /d"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /j"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /s"	bdf2b21b23ec2e6ff5c49580d89b309979628c8ea101ccd8d943ab1e2f62dd6c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /p"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /a"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /u"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /y"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /r"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /k"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /w"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /m"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /q"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /h"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /g"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /c"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /o"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /e"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /b"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /f"	xeeun.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	xeeun.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	bdf2b21b23ec2e6ff5c49580d89b309979628c8ea101ccd8d943ab1e2f62dd6c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /t"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /x"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /n"	xeeun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeun = "C:\\Users\\Admin\\xeeun.exe /v"	xeeun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
784	bdf2b21b23ec2e6ff5c49580d89b309979628c8ea101ccd8d943ab1e2f62dd6c.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe
2004	xeeun.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
784	bdf2b21b23ec2e6ff5c49580d89b309979628c8ea101ccd8d943ab1e2f62dd6c.exe
2004	xeeun.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 2004	784	bdf2b21b23ec2e6ff5c49580d89b309979628c8ea101ccd8d943ab1e2f62dd6c.exe	26
PID 784 wrote to memory of 2004	784	bdf2b21b23ec2e6ff5c49580d89b309979628c8ea101ccd8d943ab1e2f62dd6c.exe	26
PID 784 wrote to memory of 2004	784	bdf2b21b23ec2e6ff5c49580d89b309979628c8ea101ccd8d943ab1e2f62dd6c.exe	26
PID 784 wrote to memory of 2004	784	bdf2b21b23ec2e6ff5c49580d89b309979628c8ea101ccd8d943ab1e2f62dd6c.exe	26

C:\Users\Admin\AppData\Local\Temp\bdf2b21b23ec2e6ff5c49580d89b309979628c8ea101ccd8d943ab1e2f62dd6c.exe
"C:\Users\Admin\AppData\Local\Temp\bdf2b21b23ec2e6ff5c49580d89b309979628c8ea101ccd8d943ab1e2f62dd6c.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\xeeun.exe
  "C:\Users\Admin\xeeun.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\xeeun.exe

Filesize
248KB

MD5
d57bb90578e1b9bb1237528b02e19313

SHA1
ca01b3da9ce72881a0b8a3a21ae7b2dec74b66aa

SHA256
54d1fbd7e5118fcfc8acccad2c5be95090d66a0a4b042c595d3cd040dd814d8f

SHA512
1867174911a48c6049c44c159e888eaa1055ac6a74e5b87eb0c9769cd5457ad8b78790007590999b34bf74a3d19104784c7b2dd7805590c7a54474f7c3a6d33b

Download Submit
C:\Users\Admin\xeeun.exe

Filesize
248KB

MD5
d57bb90578e1b9bb1237528b02e19313

SHA1
ca01b3da9ce72881a0b8a3a21ae7b2dec74b66aa

SHA256
54d1fbd7e5118fcfc8acccad2c5be95090d66a0a4b042c595d3cd040dd814d8f

SHA512
1867174911a48c6049c44c159e888eaa1055ac6a74e5b87eb0c9769cd5457ad8b78790007590999b34bf74a3d19104784c7b2dd7805590c7a54474f7c3a6d33b

Download Submit
\Users\Admin\xeeun.exe

Filesize
248KB

MD5
d57bb90578e1b9bb1237528b02e19313

SHA1
ca01b3da9ce72881a0b8a3a21ae7b2dec74b66aa

SHA256
54d1fbd7e5118fcfc8acccad2c5be95090d66a0a4b042c595d3cd040dd814d8f

SHA512
1867174911a48c6049c44c159e888eaa1055ac6a74e5b87eb0c9769cd5457ad8b78790007590999b34bf74a3d19104784c7b2dd7805590c7a54474f7c3a6d33b

Download Submit
\Users\Admin\xeeun.exe

Filesize
248KB

MD5
d57bb90578e1b9bb1237528b02e19313

SHA1
ca01b3da9ce72881a0b8a3a21ae7b2dec74b66aa

SHA256
54d1fbd7e5118fcfc8acccad2c5be95090d66a0a4b042c595d3cd040dd814d8f

SHA512
1867174911a48c6049c44c159e888eaa1055ac6a74e5b87eb0c9769cd5457ad8b78790007590999b34bf74a3d19104784c7b2dd7805590c7a54474f7c3a6d33b

Download Submit
memory/784-56-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/2004-59-0x0000000000000000-mapping.dmp

Download