6ce0e245b16cae14448bfd519c2e887777381159e7fd0fc442575a7f5e694222

Analysis

max time kernel
208s
max time network
132s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ce0e245b16cae14448bfd519c2e887777381159e7fd0fc442575a7f5e694222.exe
Size

192KB
MD5

6f5a9d9f99aeb5099ef07a65fbf82379
SHA1

48665304dc370d133e7894b4f89a6ec776b904f7
SHA256

6ce0e245b16cae14448bfd519c2e887777381159e7fd0fc442575a7f5e694222
SHA512

0a089e3517513269320ead437fcf838c01586697a41d70f82a7357ae9ded7e940e00b98d05c9687f45d295c6b629582810d144b3589902afe11b21abfa78a1a0
SSDEEP

3072:3u8+MvBnOBrpM3lt0bqO4deKIpS2Q9tC3UwtxaTSGzGXDzp8D8OJbhaDge3oKZ:5nOBr63cbqO40K394aTSGzGZ8ogcYA

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	6ce0e245b16cae14448bfd519c2e887777381159e7fd0fc442575a7f5e694222.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xaifu.exe

Executes dropped EXE 1 IoCs

pid	Process
1340	xaifu.exe

Loads dropped DLL 2 IoCs

pid	Process
2012	6ce0e245b16cae14448bfd519c2e887777381159e7fd0fc442575a7f5e694222.exe
2012	6ce0e245b16cae14448bfd519c2e887777381159e7fd0fc442575a7f5e694222.exe

Adds Run key to start application 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /B"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /V"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /k"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /b"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /K"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /G"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /p"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /d"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /W"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /g"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /y"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /r"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /c"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /u"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /A"	xaifu.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	6ce0e245b16cae14448bfd519c2e887777381159e7fd0fc442575a7f5e694222.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /x"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /L"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /l"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /F"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /R"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /a"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /z"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /G"	6ce0e245b16cae14448bfd519c2e887777381159e7fd0fc442575a7f5e694222.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /s"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /C"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /m"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /P"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /o"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /n"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /D"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /J"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /U"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /E"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /h"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /t"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /O"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /q"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /v"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /N"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /w"	xaifu.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /Y"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /Z"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /f"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /e"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /S"	xaifu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\xaifu = "C:\\Users\\Admin\\xaifu.exe /Q"	xaifu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	6ce0e245b16cae14448bfd519c2e887777381159e7fd0fc442575a7f5e694222.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe
1340	xaifu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2012	6ce0e245b16cae14448bfd519c2e887777381159e7fd0fc442575a7f5e694222.exe
1340	xaifu.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1340	2012	6ce0e245b16cae14448bfd519c2e887777381159e7fd0fc442575a7f5e694222.exe	28
PID 2012 wrote to memory of 1340	2012	6ce0e245b16cae14448bfd519c2e887777381159e7fd0fc442575a7f5e694222.exe	28
PID 2012 wrote to memory of 1340	2012	6ce0e245b16cae14448bfd519c2e887777381159e7fd0fc442575a7f5e694222.exe	28
PID 2012 wrote to memory of 1340	2012	6ce0e245b16cae14448bfd519c2e887777381159e7fd0fc442575a7f5e694222.exe	28

C:\Users\Admin\AppData\Local\Temp\6ce0e245b16cae14448bfd519c2e887777381159e7fd0fc442575a7f5e694222.exe
"C:\Users\Admin\AppData\Local\Temp\6ce0e245b16cae14448bfd519c2e887777381159e7fd0fc442575a7f5e694222.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\xaifu.exe
  "C:\Users\Admin\xaifu.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\xaifu.exe

Filesize
192KB

MD5
a9e928cd98a43c9885782a5139a721ac

SHA1
294016679d26c1adbc6688b3dca2dfc800dcb276

SHA256
38bd5a9ad999054b8c3b6e4c0a6e654bceb379e8fed2962d8043529292b005ca

SHA512
bd7f8d03a0fb423881677293d3b20b9a081c7771772d9d826052924f3e25cacda9f7d91da738be016eab90c14314e94d6a22fd2a322d61358a14cb4aadb596ac

Download Submit
C:\Users\Admin\xaifu.exe

Filesize
192KB

MD5
a9e928cd98a43c9885782a5139a721ac

SHA1
294016679d26c1adbc6688b3dca2dfc800dcb276

SHA256
38bd5a9ad999054b8c3b6e4c0a6e654bceb379e8fed2962d8043529292b005ca

SHA512
bd7f8d03a0fb423881677293d3b20b9a081c7771772d9d826052924f3e25cacda9f7d91da738be016eab90c14314e94d6a22fd2a322d61358a14cb4aadb596ac

Download Submit
\Users\Admin\xaifu.exe

Filesize
192KB

MD5
a9e928cd98a43c9885782a5139a721ac

SHA1
294016679d26c1adbc6688b3dca2dfc800dcb276

SHA256
38bd5a9ad999054b8c3b6e4c0a6e654bceb379e8fed2962d8043529292b005ca

SHA512
bd7f8d03a0fb423881677293d3b20b9a081c7771772d9d826052924f3e25cacda9f7d91da738be016eab90c14314e94d6a22fd2a322d61358a14cb4aadb596ac

Download Submit
\Users\Admin\xaifu.exe

Filesize
192KB

MD5
a9e928cd98a43c9885782a5139a721ac

SHA1
294016679d26c1adbc6688b3dca2dfc800dcb276

SHA256
38bd5a9ad999054b8c3b6e4c0a6e654bceb379e8fed2962d8043529292b005ca

SHA512
bd7f8d03a0fb423881677293d3b20b9a081c7771772d9d826052924f3e25cacda9f7d91da738be016eab90c14314e94d6a22fd2a322d61358a14cb4aadb596ac

Download Submit
memory/1340-67-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1340-70-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2012-56-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2012-57-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download
memory/2012-65-0x0000000002D60000-0x0000000002D91000-memory.dmp

Filesize
196KB

Download
memory/2012-66-0x0000000002D60000-0x0000000002D91000-memory.dmp

Filesize
196KB

Download
memory/2012-69-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download