84dbf0bb4c8e5046db773a4bb1294c3fa0104aeefc8cac763d6a5c8db613084e

Analysis

max time kernel
189s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84dbf0bb4c8e5046db773a4bb1294c3fa0104aeefc8cac763d6a5c8db613084e.exe
Size

156KB
MD5

22ba034121e409cdd586a41d7a1d4967
SHA1

7253e3c453cd57f4719e0be083295cc89f909757
SHA256

84dbf0bb4c8e5046db773a4bb1294c3fa0104aeefc8cac763d6a5c8db613084e
SHA512

743d6bc1629846eb3329ee41c0d8d8bd1ffbe7de469b04ca2fbc8ab9350035c2f1598de912156894e705fe2c6d5448e5a58b726c7ecd1b6822c40beda4e94fda
SSDEEP

3072:su/j6/TZwR0V44ZeNeGVuLH/gefYMmsyvGdmo6aKqpaZ4oQZiEutx:ZcKRakVu7/lfYfhGmTvW2

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	84dbf0bb4c8e5046db773a4bb1294c3fa0104aeefc8cac763d6a5c8db613084e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	douruiv.exe

Executes dropped EXE 1 IoCs

pid	Process
4524	douruiv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	84dbf0bb4c8e5046db773a4bb1294c3fa0104aeefc8cac763d6a5c8db613084e.exe

Adds Run key to start application 2 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /B"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /y"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /q"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /a"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /P"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /W"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /X"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /i"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /J"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /F"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /M"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /K"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /G"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /u"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /l"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /H"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /c"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /E"	douruiv.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	84dbf0bb4c8e5046db773a4bb1294c3fa0104aeefc8cac763d6a5c8db613084e.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /v"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /o"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /x"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /z"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /b"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /e"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /d"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /R"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /r"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /Z"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /O"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /m"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /S"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /V"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /N"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /K"	84dbf0bb4c8e5046db773a4bb1294c3fa0104aeefc8cac763d6a5c8db613084e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /f"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /Y"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /s"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /p"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /T"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /j"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /Q"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /k"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /U"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /g"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /w"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /t"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /D"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /n"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /h"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /L"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /A"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /C"	douruiv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\douruiv = "C:\\Users\\Admin\\douruiv.exe /I"	douruiv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2452	84dbf0bb4c8e5046db773a4bb1294c3fa0104aeefc8cac763d6a5c8db613084e.exe
2452	84dbf0bb4c8e5046db773a4bb1294c3fa0104aeefc8cac763d6a5c8db613084e.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe
4524	douruiv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2452	84dbf0bb4c8e5046db773a4bb1294c3fa0104aeefc8cac763d6a5c8db613084e.exe
4524	douruiv.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 4524	2452	84dbf0bb4c8e5046db773a4bb1294c3fa0104aeefc8cac763d6a5c8db613084e.exe	83
PID 2452 wrote to memory of 4524	2452	84dbf0bb4c8e5046db773a4bb1294c3fa0104aeefc8cac763d6a5c8db613084e.exe	83
PID 2452 wrote to memory of 4524	2452	84dbf0bb4c8e5046db773a4bb1294c3fa0104aeefc8cac763d6a5c8db613084e.exe	83

C:\Users\Admin\AppData\Local\Temp\84dbf0bb4c8e5046db773a4bb1294c3fa0104aeefc8cac763d6a5c8db613084e.exe
"C:\Users\Admin\AppData\Local\Temp\84dbf0bb4c8e5046db773a4bb1294c3fa0104aeefc8cac763d6a5c8db613084e.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\douruiv.exe
  "C:\Users\Admin\douruiv.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\douruiv.exe

Filesize
156KB

MD5
bfe258abca61202e08f82bf5d355fbcb

SHA1
a275c86fc701adea3fd01ecdfa9033a3fb30a93a

SHA256
8b3bcd30e1fddfdd7cc65cc260cfe404d64ef3c9fe191752d9e60842e71b0c37

SHA512
8b24deae57cd5460ea557aef75c455ac25a226cbe49b47a02a291864b03e7b64f9954f0600c854ab32c1761bfb770576f6ce67d0a37a89eae9f3a74b63e92bb5

Download Submit
C:\Users\Admin\douruiv.exe

Filesize
156KB

MD5
bfe258abca61202e08f82bf5d355fbcb

SHA1
a275c86fc701adea3fd01ecdfa9033a3fb30a93a

SHA256
8b3bcd30e1fddfdd7cc65cc260cfe404d64ef3c9fe191752d9e60842e71b0c37

SHA512
8b24deae57cd5460ea557aef75c455ac25a226cbe49b47a02a291864b03e7b64f9954f0600c854ab32c1761bfb770576f6ce67d0a37a89eae9f3a74b63e92bb5

Download Submit