88b706949ba5a180d20e8b4291bd2de98b87f62bfe8a74181ebe8f533dddd91e

Analysis

max time kernel
237s
max time network
213s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88b706949ba5a180d20e8b4291bd2de98b87f62bfe8a74181ebe8f533dddd91e.exe
Size

232KB
MD5

0b567b9b3e501cc33378112d785d3f1b
SHA1

512cf0c8a070d24f8c14f40f235b7b3c7b89be0c
SHA256

88b706949ba5a180d20e8b4291bd2de98b87f62bfe8a74181ebe8f533dddd91e
SHA512

51b8109fbb9ad6e71fea9621d64b858373d92f646e088700605b71fec6d8cefc90c34a68cb198e64284ee6c0517ce3793e0612289cccd6c9f06240da3303e88e
SSDEEP

6144:y23PFKs78g2KyEOaWEqxF6snji81RUinKdNObY:/Ph+mF9

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	88b706949ba5a180d20e8b4291bd2de98b87f62bfe8a74181ebe8f533dddd91e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reesia.exe

Executes dropped EXE 1 IoCs

pid	Process
1160	reesia.exe

Loads dropped DLL 2 IoCs

pid	Process
1164	88b706949ba5a180d20e8b4291bd2de98b87f62bfe8a74181ebe8f533dddd91e.exe
1164	88b706949ba5a180d20e8b4291bd2de98b87f62bfe8a74181ebe8f533dddd91e.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /j"	reesia.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	88b706949ba5a180d20e8b4291bd2de98b87f62bfe8a74181ebe8f533dddd91e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /z"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /w"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /v"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /k"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /x"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /n"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /c"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /s"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /p"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /r"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /g"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /u"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /t"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /m"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /h"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /e"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /o"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /b"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /d"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /i"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /y"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /a"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /a"	88b706949ba5a180d20e8b4291bd2de98b87f62bfe8a74181ebe8f533dddd91e.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /f"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /q"	reesia.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\reesia = "C:\\Users\\Admin\\reesia.exe /l"	reesia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1164	88b706949ba5a180d20e8b4291bd2de98b87f62bfe8a74181ebe8f533dddd91e.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe
1160	reesia.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1164	88b706949ba5a180d20e8b4291bd2de98b87f62bfe8a74181ebe8f533dddd91e.exe
1160	reesia.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1160	1164	88b706949ba5a180d20e8b4291bd2de98b87f62bfe8a74181ebe8f533dddd91e.exe	28
PID 1164 wrote to memory of 1160	1164	88b706949ba5a180d20e8b4291bd2de98b87f62bfe8a74181ebe8f533dddd91e.exe	28
PID 1164 wrote to memory of 1160	1164	88b706949ba5a180d20e8b4291bd2de98b87f62bfe8a74181ebe8f533dddd91e.exe	28
PID 1164 wrote to memory of 1160	1164	88b706949ba5a180d20e8b4291bd2de98b87f62bfe8a74181ebe8f533dddd91e.exe	28

C:\Users\Admin\AppData\Local\Temp\88b706949ba5a180d20e8b4291bd2de98b87f62bfe8a74181ebe8f533dddd91e.exe
"C:\Users\Admin\AppData\Local\Temp\88b706949ba5a180d20e8b4291bd2de98b87f62bfe8a74181ebe8f533dddd91e.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Users\Admin\reesia.exe
  "C:\Users\Admin\reesia.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\reesia.exe

Filesize
232KB

MD5
375a08baf6305972d8c4bf1d68eef653

SHA1
78d2436f9835ee8ff61fc5cb0a6c1acfdbb466b0

SHA256
853843a59b2e43bc6338ae1478b1b333fe78b1bff609fb276af1c866e19c8bdb

SHA512
aff63993ba5c93fa405b33e5e3b85a953d2198937f60a6789b22786eb94e9c4c5a812ace3eeec4c683790652f5595a199e408b4da4f13ebb27e86cea237f2da5

Download Submit
C:\Users\Admin\reesia.exe

Filesize
232KB

MD5
375a08baf6305972d8c4bf1d68eef653

SHA1
78d2436f9835ee8ff61fc5cb0a6c1acfdbb466b0

SHA256
853843a59b2e43bc6338ae1478b1b333fe78b1bff609fb276af1c866e19c8bdb

SHA512
aff63993ba5c93fa405b33e5e3b85a953d2198937f60a6789b22786eb94e9c4c5a812ace3eeec4c683790652f5595a199e408b4da4f13ebb27e86cea237f2da5

Download Submit
\Users\Admin\reesia.exe

Filesize
232KB

MD5
375a08baf6305972d8c4bf1d68eef653

SHA1
78d2436f9835ee8ff61fc5cb0a6c1acfdbb466b0

SHA256
853843a59b2e43bc6338ae1478b1b333fe78b1bff609fb276af1c866e19c8bdb

SHA512
aff63993ba5c93fa405b33e5e3b85a953d2198937f60a6789b22786eb94e9c4c5a812ace3eeec4c683790652f5595a199e408b4da4f13ebb27e86cea237f2da5

Download Submit
\Users\Admin\reesia.exe

Filesize
232KB

MD5
375a08baf6305972d8c4bf1d68eef653

SHA1
78d2436f9835ee8ff61fc5cb0a6c1acfdbb466b0

SHA256
853843a59b2e43bc6338ae1478b1b333fe78b1bff609fb276af1c866e19c8bdb

SHA512
aff63993ba5c93fa405b33e5e3b85a953d2198937f60a6789b22786eb94e9c4c5a812ace3eeec4c683790652f5595a199e408b4da4f13ebb27e86cea237f2da5

Download Submit
memory/1160-59-0x0000000000000000-mapping.dmp

Download
memory/1164-56-0x0000000075151000-0x0000000075153000-memory.dmp

Filesize
8KB

Download