79d8e93744e6fa421b1d0c64b56d83619b30d15be1dd5b29b69e6571e5c19a2c

Analysis

max time kernel
156s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79d8e93744e6fa421b1d0c64b56d83619b30d15be1dd5b29b69e6571e5c19a2c.exe
Size

200KB
MD5

7f24fc84d3d286df36917ef2d4d4c2cb
SHA1

2e06c8657d736e4336603690176e5126fd79e1d6
SHA256

79d8e93744e6fa421b1d0c64b56d83619b30d15be1dd5b29b69e6571e5c19a2c
SHA512

bd5d3865cd48fb4f10eaae3bca6626ca2332488700fee29b70ca76dff0da23cda023ddcd542cb6c990d0f6861a4c5aacd63e2d8007bfc49146f226d99a5d6231
SSDEEP

3072:jC2To/0Yxd0tQ9nLHbB9WPliBs2HWWEakGJm9rn:jCvP4QxL7B9WPli+yWWEazg

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	79d8e93744e6fa421b1d0c64b56d83619b30d15be1dd5b29b69e6571e5c19a2c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	buesav.exe

Executes dropped EXE 1 IoCs

pid	Process
5056	buesav.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	79d8e93744e6fa421b1d0c64b56d83619b30d15be1dd5b29b69e6571e5c19a2c.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /w"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /n"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /u"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /m"	buesav.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	79d8e93744e6fa421b1d0c64b56d83619b30d15be1dd5b29b69e6571e5c19a2c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /q"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /o"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /l"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /i"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /s"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /f"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /y"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /t"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /f"	79d8e93744e6fa421b1d0c64b56d83619b30d15be1dd5b29b69e6571e5c19a2c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /p"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /h"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /k"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /b"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /e"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /d"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /g"	buesav.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /x"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /z"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /r"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /a"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /v"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /c"	buesav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\buesav = "C:\\Users\\Admin\\buesav.exe /j"	buesav.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1572	79d8e93744e6fa421b1d0c64b56d83619b30d15be1dd5b29b69e6571e5c19a2c.exe
1572	79d8e93744e6fa421b1d0c64b56d83619b30d15be1dd5b29b69e6571e5c19a2c.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe
5056	buesav.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1572	79d8e93744e6fa421b1d0c64b56d83619b30d15be1dd5b29b69e6571e5c19a2c.exe
5056	buesav.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 5056	1572	79d8e93744e6fa421b1d0c64b56d83619b30d15be1dd5b29b69e6571e5c19a2c.exe	80
PID 1572 wrote to memory of 5056	1572	79d8e93744e6fa421b1d0c64b56d83619b30d15be1dd5b29b69e6571e5c19a2c.exe	80
PID 1572 wrote to memory of 5056	1572	79d8e93744e6fa421b1d0c64b56d83619b30d15be1dd5b29b69e6571e5c19a2c.exe	80

C:\Users\Admin\AppData\Local\Temp\79d8e93744e6fa421b1d0c64b56d83619b30d15be1dd5b29b69e6571e5c19a2c.exe
"C:\Users\Admin\AppData\Local\Temp\79d8e93744e6fa421b1d0c64b56d83619b30d15be1dd5b29b69e6571e5c19a2c.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\buesav.exe
  "C:\Users\Admin\buesav.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\buesav.exe

Filesize
200KB

MD5
27b85435c4d05e8e22402146be898a15

SHA1
b286c281ba2bf37f87144b6465a57dadc2f45bda

SHA256
3ffe94de16e7e601bb09173e5c0664753a25545a864d0603bb15cff760525bdf

SHA512
f74c71ee07e5db76e6eb373cc71deab13a22feddb6d99e38a11f6af6ea1256dfc0ddf6391ac765906b2d77f1fc22d0294eaec20ce01ddeeb189ee685ec44adb5

Download Submit
C:\Users\Admin\buesav.exe

Filesize
200KB

MD5
27b85435c4d05e8e22402146be898a15

SHA1
b286c281ba2bf37f87144b6465a57dadc2f45bda

SHA256
3ffe94de16e7e601bb09173e5c0664753a25545a864d0603bb15cff760525bdf

SHA512
f74c71ee07e5db76e6eb373cc71deab13a22feddb6d99e38a11f6af6ea1256dfc0ddf6391ac765906b2d77f1fc22d0294eaec20ce01ddeeb189ee685ec44adb5

Download Submit