a3bf8e32d300c8c6b7901eef3dcc82e47ca168336a91e8f1731d9f7ddba19c43

General

Target

a3bf8e32d300c8c6b7901eef3dcc82e47ca168336a91e8f1731d9f7ddba19c43.exe
Size

63KB
MD5

1fe85158282000e20534413acbce8e30
SHA1

54a34e0d87119f55d7c14f6a88003882612918fe
SHA256

a3bf8e32d300c8c6b7901eef3dcc82e47ca168336a91e8f1731d9f7ddba19c43
SHA512

88753a4b9a0b8a67dd67b8353f29649a0dea3913ccabd88d2923515ac892b6ebf0e48016771de710ecdb7fdd3a8e2ec8ab384bc792366c00bcda1fa7dd7cc8a2
SSDEEP

768:TOfEWgIYBoJeQylDUV8NUIu0oWsV1qaZIp/Bj7YcRpaSOovHYxtxdvO:S+z1lMzGs1stvHYxtH2

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	muajiy.exe

Executes dropped EXE 1 IoCs

pid	Process
892	muajiy.exe

Loads dropped DLL 2 IoCs

pid	Process
960	a3bf8e32d300c8c6b7901eef3dcc82e47ca168336a91e8f1731d9f7ddba19c43.exe
960	a3bf8e32d300c8c6b7901eef3dcc82e47ca168336a91e8f1731d9f7ddba19c43.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	muajiy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\muajiy = "C:\\Users\\Admin\\muajiy.exe"	muajiy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
892	muajiy.exe
892	muajiy.exe
892	muajiy.exe
892	muajiy.exe
892	muajiy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
960	a3bf8e32d300c8c6b7901eef3dcc82e47ca168336a91e8f1731d9f7ddba19c43.exe
892	muajiy.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 892	960	a3bf8e32d300c8c6b7901eef3dcc82e47ca168336a91e8f1731d9f7ddba19c43.exe	28
PID 960 wrote to memory of 892	960	a3bf8e32d300c8c6b7901eef3dcc82e47ca168336a91e8f1731d9f7ddba19c43.exe	28
PID 960 wrote to memory of 892	960	a3bf8e32d300c8c6b7901eef3dcc82e47ca168336a91e8f1731d9f7ddba19c43.exe	28
PID 960 wrote to memory of 892	960	a3bf8e32d300c8c6b7901eef3dcc82e47ca168336a91e8f1731d9f7ddba19c43.exe	28
PID 892 wrote to memory of 960	892	muajiy.exe	27
PID 892 wrote to memory of 960	892	muajiy.exe	27
PID 892 wrote to memory of 960	892	muajiy.exe	27
PID 892 wrote to memory of 960	892	muajiy.exe	27
PID 892 wrote to memory of 960	892	muajiy.exe	27
PID 892 wrote to memory of 960	892	muajiy.exe	27
PID 892 wrote to memory of 960	892	muajiy.exe	27
PID 892 wrote to memory of 960	892	muajiy.exe	27

C:\Users\Admin\AppData\Local\Temp\a3bf8e32d300c8c6b7901eef3dcc82e47ca168336a91e8f1731d9f7ddba19c43.exe
"C:\Users\Admin\AppData\Local\Temp\a3bf8e32d300c8c6b7901eef3dcc82e47ca168336a91e8f1731d9f7ddba19c43.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\muajiy.exe
  "C:\Users\Admin\muajiy.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\muajiy.exe

Filesize
63KB

MD5
7c617672c1a02c09bdff3906b89d1bca

SHA1
3ed7f0bd427b78d60fd5a6de0559e2abe5f7e897

SHA256
f6eed8f75e72ce0106513e34b7a04dad9b1c5a60b424309f24c8ad835c41000b

SHA512
9caa2a1d1a5e8f4069eb6d8ddae8e249daf9e8ecde7ecd84cd856d9fe2c7b57ae88405b9f7b265edff5c5eaecd3a39a8a8354ea38570ba7218a5829991f3a157

Download Submit
C:\Users\Admin\muajiy.exe

Filesize
63KB

MD5
7c617672c1a02c09bdff3906b89d1bca

SHA1
3ed7f0bd427b78d60fd5a6de0559e2abe5f7e897

SHA256
f6eed8f75e72ce0106513e34b7a04dad9b1c5a60b424309f24c8ad835c41000b

SHA512
9caa2a1d1a5e8f4069eb6d8ddae8e249daf9e8ecde7ecd84cd856d9fe2c7b57ae88405b9f7b265edff5c5eaecd3a39a8a8354ea38570ba7218a5829991f3a157

Download Submit
\Users\Admin\muajiy.exe

Filesize
63KB

MD5
7c617672c1a02c09bdff3906b89d1bca

SHA1
3ed7f0bd427b78d60fd5a6de0559e2abe5f7e897

SHA256
f6eed8f75e72ce0106513e34b7a04dad9b1c5a60b424309f24c8ad835c41000b

SHA512
9caa2a1d1a5e8f4069eb6d8ddae8e249daf9e8ecde7ecd84cd856d9fe2c7b57ae88405b9f7b265edff5c5eaecd3a39a8a8354ea38570ba7218a5829991f3a157

Download Submit
\Users\Admin\muajiy.exe

Filesize
63KB

MD5
7c617672c1a02c09bdff3906b89d1bca

SHA1
3ed7f0bd427b78d60fd5a6de0559e2abe5f7e897

SHA256
f6eed8f75e72ce0106513e34b7a04dad9b1c5a60b424309f24c8ad835c41000b

SHA512
9caa2a1d1a5e8f4069eb6d8ddae8e249daf9e8ecde7ecd84cd856d9fe2c7b57ae88405b9f7b265edff5c5eaecd3a39a8a8354ea38570ba7218a5829991f3a157

Download Submit
memory/960-56-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads