Analysis
max time kernel: 152s
max time network: 81s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2022 19:11
Static task: static1
Behavioral task: behavioral1
  Sample: c27558daab3cd27fbc9c9543dbf648047d6790c6bd3558e8adb0e639738e6d8c.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c27558daab3cd27fbc9c9543dbf648047d6790c6bd3558e8adb0e639738e6d8c.exe
  Resource: win10v2004-20220812-en
General
Target: c27558daab3cd27fbc9c9543dbf648047d6790c6bd3558e8adb0e639738e6d8c.exe
Size: 88KB
MD5: 0cac74ccf1e802cac120c822adae5078
SHA1: 92c878106fb06b3acb91998aafb0690ae5738850
SHA256: c27558daab3cd27fbc9c9543dbf648047d6790c6bd3558e8adb0e639738e6d8c
SHA512: 33c8af2c13c77e5b36442af090a0789c6f7f93f680d6d7268eb6fb7ba110e11791f5dab0061f454631cfb6b630569286d3c7ffbdb6f5cb87af4ca4b64afd42ca
SSDEEP: 768:ZDFI+tORaaq2AOa6TnwVDZ1RO8YSEQJt1H7a8jFk+Zxqfcw1x2:TIQu7YzDZ16SEQJjZx0cw1x
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: maunis.exe)
Executes dropped EXE (1 IoC)
  PID 1492, maunis.exe
Loads dropped DLL (2 IoCs)
  PID 608, c27558daab3cd27fbc9c9543dbf648047d6790c6bd3558e8adb0e639738e6d8c.exe
  PID 608, c27558daab3cd27fbc9c9543dbf648047d6790c6bd3558e8adb0e639738e6d8c.exe
Adds Run key to start application (2 TTPs, 51 IoCs)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1492, maunis.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 608, c27558daab3cd27fbc9c9543dbf648047d6790c6bd3558e8adb0e639738e6d8c.exe
  PID 1492, maunis.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  PID 608 wrote to memory of 1492 (process: c27558daab3cd27fbc9c9543dbf648047d6790c6bd3558e8adb0e639738e6d8c.exe, procid_target: 28)
  PID 1492 wrote to memory of 608 (process: maunis.exe, procid_target: 12)
Processes
C:\Users\Admin\AppData\Local\Temp\c27558daab3cd27fbc9c9543dbf648047d6790c6bd3558e8adb0e639738e6d8c.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c27558daab3cd27fbc9c9543dbf648047d6790c6bd3558e8adb0e639738e6d8c.exe"
  PID: 608
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\maunis.exe (level 2)
    Command line: "C:\Users\Admin\maunis.exe"
    PID: 1492
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Downloads
Filesize: 88KB
MD5: e323926a1149e6bee3f535f57c9969d5
SHA1: 0cf9625c2264915d6685a179ef78a50fe0f654dd
SHA256: 5767bf1bd54c51a7b7ab06d2237d4b0af14e62f897eca243d3e0f95a50c9ad3a
SHA512: 26fcb37ddd2041fe5728ca3ef3245f96823a12c3242b21866a2d31759927609efaf41f49725b5e9606857179378040d1888bdf8514738b306089a2bd24e991d2