Analysis
-
max time kernel
364s -
max time network
454s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
01-12-2022 23:41
Static task
static1
Behavioral task
behavioral1
Sample
56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe
-
Size
168KB
-
MD5
aeba923aa67744ef6570c3c770a4e07f
-
SHA1
7d4dc3567ca11550211bb668cbd2e041101ea3eb
-
SHA256
56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b
-
SHA512
9a97e1d408276e6a1ee392eb93366c7ea81981640c4e8202bc91102ed6c875d26618e59486215676eec37c545e80e91c8f2515d01e2f17020ebf1ae18d799722
-
SSDEEP
1536:xAFlHooXxTaSfm8UI+FQZAq7UjbJw5aCUZeBB++7XVFfFVE/9jMhmqLBzmxI:OlHooXxYUZvUH2aZZer++7XVb5gI
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe Set value (int) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" moogu.exe -
Executes dropped EXE 1 IoCs
pid Process 2204 moogu.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation 56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe -
Adds Run key to start application 2 TTPs 27 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /b" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /p" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /t" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /x" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /o" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /s" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /q" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /f" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /e" moogu.exe Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run\ 56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /v" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /a" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /u" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /j" moogu.exe Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run\ moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /z" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /r" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /w" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /n" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /y" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /d" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /m" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /i" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /h" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /g" moogu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /g" 56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\moogu = "C:\\Users\\Admin\\moogu.exe /k" moogu.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4160 56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe 4160 56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe 2204 moogu.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4160 56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe 2204 moogu.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4160 wrote to memory of 2204 4160 56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe 82 PID 4160 wrote to memory of 2204 4160 56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe 82 PID 4160 wrote to memory of 2204 4160 56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe"C:\Users\Admin\AppData\Local\Temp\56659cb813be9b297986f3b54a656d79a2e97e423db31de3db2e5039b835325b.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Users\Admin\moogu.exe"C:\Users\Admin\moogu.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2204
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD581667fa375649356748ce928f3b159c6
SHA1defd35236f1b38348c978dde322a97c0dea94fc6
SHA2561fb387853a3596ea39c79c424b7f5008017e3308af62a15b000e6f0a2665237d
SHA51290d72028f2bdc734bc5713e93c09fca77395881d3ba3dbdc4f83f5023087381da6183248af185b1082e3717ed59de8113ad5c643da3f3acf5223767f2d46d50d
-
Filesize
168KB
MD581667fa375649356748ce928f3b159c6
SHA1defd35236f1b38348c978dde322a97c0dea94fc6
SHA2561fb387853a3596ea39c79c424b7f5008017e3308af62a15b000e6f0a2665237d
SHA51290d72028f2bdc734bc5713e93c09fca77395881d3ba3dbdc4f83f5023087381da6183248af185b1082e3717ed59de8113ad5c643da3f3acf5223767f2d46d50d