d2c59f11b94fcbf38199956299a981465304313fe84480275a1140afa8c1758d

Analysis

max time kernel
298s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2c59f11b94fcbf38199956299a981465304313fe84480275a1140afa8c1758d.exe
Size

280KB
MD5

7521939b5fe634451f9841aabb7a6cd9
SHA1

4a5fd5613193aa83979be564b75a4ef33d928225
SHA256

d2c59f11b94fcbf38199956299a981465304313fe84480275a1140afa8c1758d
SHA512

22a80c656c6054d57be2cd1c8288150560d9fa3557aa8f30b9a532aa9cf9665c6679706a9e771c6edee98877e378652e420c7a7aafb0bc2fa6c3042aadece451
SSDEEP

6144:oEdU/8ACe0K/fObT/bGiWr4YNUeLXKr96Ikd/FwJFBizYu90k36Wi:HdU/t0K/fObT/bGiCOrUIkZFMizYu90J

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vuikey.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d2c59f11b94fcbf38199956299a981465304313fe84480275a1140afa8c1758d.exe

Executes dropped EXE 1 IoCs

pid	Process
704	vuikey.exe

Loads dropped DLL 2 IoCs

pid	Process
772	d2c59f11b94fcbf38199956299a981465304313fe84480275a1140afa8c1758d.exe
772	d2c59f11b94fcbf38199956299a981465304313fe84480275a1140afa8c1758d.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /w"	d2c59f11b94fcbf38199956299a981465304313fe84480275a1140afa8c1758d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /U"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /N"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /n"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /Q"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /F"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /A"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /D"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /f"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /p"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /a"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /M"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /S"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /s"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /O"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /E"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /g"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /m"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /i"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /b"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /J"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /u"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /K"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /Y"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /t"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /C"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /R"	vuikey.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	d2c59f11b94fcbf38199956299a981465304313fe84480275a1140afa8c1758d.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /V"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /d"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /B"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /r"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /q"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /w"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /L"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /e"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /o"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /v"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /k"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /P"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /Z"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /W"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /h"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /I"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /G"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /j"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /l"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /x"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /X"	vuikey.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuikey = "C:\\Users\\Admin\\vuikey.exe /c"	vuikey.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
772	d2c59f11b94fcbf38199956299a981465304313fe84480275a1140afa8c1758d.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe
704	vuikey.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
772	d2c59f11b94fcbf38199956299a981465304313fe84480275a1140afa8c1758d.exe
704	vuikey.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 704	772	d2c59f11b94fcbf38199956299a981465304313fe84480275a1140afa8c1758d.exe	27
PID 772 wrote to memory of 704	772	d2c59f11b94fcbf38199956299a981465304313fe84480275a1140afa8c1758d.exe	27
PID 772 wrote to memory of 704	772	d2c59f11b94fcbf38199956299a981465304313fe84480275a1140afa8c1758d.exe	27
PID 772 wrote to memory of 704	772	d2c59f11b94fcbf38199956299a981465304313fe84480275a1140afa8c1758d.exe	27

C:\Users\Admin\AppData\Local\Temp\d2c59f11b94fcbf38199956299a981465304313fe84480275a1140afa8c1758d.exe
"C:\Users\Admin\AppData\Local\Temp\d2c59f11b94fcbf38199956299a981465304313fe84480275a1140afa8c1758d.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:772
- C:\Users\Admin\vuikey.exe
  "C:\Users\Admin\vuikey.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vuikey.exe

Filesize
280KB

MD5
6df3772a41e3f3fde1b72acd95a519f0

SHA1
3f7ef4fa6693f32fa3a932482641d6e48fc746a7

SHA256
d6004cdb5732b7935687ec3368403262689732b4e7517bc2ab35870ffb585e50

SHA512
a0e7e040c10bed4014cc36cb561115a7d292626644168675bf782e9be8a3452dc005219fde0df9a204a008373d5f42e571a7fecb80a5273459fb4f8301ea29ca

Download Submit
C:\Users\Admin\vuikey.exe

Filesize
280KB

MD5
6df3772a41e3f3fde1b72acd95a519f0

SHA1
3f7ef4fa6693f32fa3a932482641d6e48fc746a7

SHA256
d6004cdb5732b7935687ec3368403262689732b4e7517bc2ab35870ffb585e50

SHA512
a0e7e040c10bed4014cc36cb561115a7d292626644168675bf782e9be8a3452dc005219fde0df9a204a008373d5f42e571a7fecb80a5273459fb4f8301ea29ca

Download Submit
\Users\Admin\vuikey.exe

Filesize
280KB

MD5
6df3772a41e3f3fde1b72acd95a519f0

SHA1
3f7ef4fa6693f32fa3a932482641d6e48fc746a7

SHA256
d6004cdb5732b7935687ec3368403262689732b4e7517bc2ab35870ffb585e50

SHA512
a0e7e040c10bed4014cc36cb561115a7d292626644168675bf782e9be8a3452dc005219fde0df9a204a008373d5f42e571a7fecb80a5273459fb4f8301ea29ca

Download Submit
\Users\Admin\vuikey.exe

Filesize
280KB

MD5
6df3772a41e3f3fde1b72acd95a519f0

SHA1
3f7ef4fa6693f32fa3a932482641d6e48fc746a7

SHA256
d6004cdb5732b7935687ec3368403262689732b4e7517bc2ab35870ffb585e50

SHA512
a0e7e040c10bed4014cc36cb561115a7d292626644168675bf782e9be8a3452dc005219fde0df9a204a008373d5f42e571a7fecb80a5273459fb4f8301ea29ca

Download Submit
memory/704-59-0x0000000000000000-mapping.dmp

Download
memory/772-56-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download