a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65

Analysis

max time kernel
151s
max time network
70s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe
Size

124KB
MD5

52d197a8f2403b7cd836dc265b72a988
SHA1

3407489236adab68e5e148aa4d3ab3b0c18117be
SHA256

a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65
SHA512

3087cb8caa73499283f6522e4d1597674e01c72a0566ab34de46c4fee4e49df0ffdacd49769a600e8db82120bd8fdde59263eaa95eed49dd724103c3970b6849
SSDEEP

3072:ICMQBK3vXvOG2RdYjH08qdLxilMiyfwAfGxMwE:5M2K3vXWG4mzQLxilMiyfwAfGx

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	poaubi.exe

Executes dropped EXE 1 IoCs

pid	Process
772	poaubi.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe
2028	a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /F"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /V"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /a"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /u"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /b"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /P"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /f"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /e"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /Q"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /i"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /O"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /I"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /B"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /s"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /w"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /n"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /j"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /v"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /J"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /u"	a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /o"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /G"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /m"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /l"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /Z"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /M"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /R"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /Y"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /N"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /H"	poaubi.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /g"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /y"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /c"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /L"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /K"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /A"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /q"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /z"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /p"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /X"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /S"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /C"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /T"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /h"	poaubi.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /k"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /d"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /W"	poaubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\poaubi = "C:\\Users\\Admin\\poaubi.exe /r"	poaubi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2028	a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe
772	poaubi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2028	a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe
772	poaubi.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 772	2028	a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe	28
PID 2028 wrote to memory of 772	2028	a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe	28
PID 2028 wrote to memory of 772	2028	a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe	28
PID 2028 wrote to memory of 772	2028	a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe	28

C:\Users\Admin\AppData\Local\Temp\a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe
"C:\Users\Admin\AppData\Local\Temp\a7b1d62487fe32951ea323c697d16c21e91ad09d76149a501e168a410abe4d65.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\poaubi.exe
  "C:\Users\Admin\poaubi.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\poaubi.exe

Filesize
124KB

MD5
e21f0169e7b82f6a6892b99e0086af84

SHA1
a9d89551fae7e0e18708d6b03eaca3a825644103

SHA256
362c502399f58015cbc0f424b8223c5ada4d6db496b17516acae89900b5d84b8

SHA512
788bbbedb0e498cfc4547bf913af1d9e658b7fa4fecea035322e2b87a4a79a1e7d41dfde5049431831d3c80f0ed587695c5f24ef094206244cb33f76c97c2894

Download Submit
C:\Users\Admin\poaubi.exe

Filesize
124KB

MD5
e21f0169e7b82f6a6892b99e0086af84

SHA1
a9d89551fae7e0e18708d6b03eaca3a825644103

SHA256
362c502399f58015cbc0f424b8223c5ada4d6db496b17516acae89900b5d84b8

SHA512
788bbbedb0e498cfc4547bf913af1d9e658b7fa4fecea035322e2b87a4a79a1e7d41dfde5049431831d3c80f0ed587695c5f24ef094206244cb33f76c97c2894

Download Submit
\Users\Admin\poaubi.exe

Filesize
124KB

MD5
e21f0169e7b82f6a6892b99e0086af84

SHA1
a9d89551fae7e0e18708d6b03eaca3a825644103

SHA256
362c502399f58015cbc0f424b8223c5ada4d6db496b17516acae89900b5d84b8

SHA512
788bbbedb0e498cfc4547bf913af1d9e658b7fa4fecea035322e2b87a4a79a1e7d41dfde5049431831d3c80f0ed587695c5f24ef094206244cb33f76c97c2894

Download Submit
\Users\Admin\poaubi.exe

Filesize
124KB

MD5
e21f0169e7b82f6a6892b99e0086af84

SHA1
a9d89551fae7e0e18708d6b03eaca3a825644103

SHA256
362c502399f58015cbc0f424b8223c5ada4d6db496b17516acae89900b5d84b8

SHA512
788bbbedb0e498cfc4547bf913af1d9e658b7fa4fecea035322e2b87a4a79a1e7d41dfde5049431831d3c80f0ed587695c5f24ef094206244cb33f76c97c2894

Download Submit
memory/2028-56-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download