b5561fa02779219e6105dac908090cc541abcacd61fb9ecedcf7909ab2fe0745

Analysis

max time kernel
170s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5561fa02779219e6105dac908090cc541abcacd61fb9ecedcf7909ab2fe0745.exe
Size

240KB
MD5

79515c3a10a780585e845cc58adb30f6
SHA1

7aeb539ce6a22a5bf58a4c880e28c3061dd2a589
SHA256

b5561fa02779219e6105dac908090cc541abcacd61fb9ecedcf7909ab2fe0745
SHA512

846cf1447c94188f68efb0a78db0db34ad06464cb0212b6577e3e9f0849eb738b65dd42ef9de7acd4c584e9df3e41160ac12a304d91cf9bee11f1ba1d5885c3d
SSDEEP

6144:Eq43dwqsNTNEXGlQRayEqxF6snji81RUinKq3aEEDliDfi:EtdQKj3aEEwe

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b5561fa02779219e6105dac908090cc541abcacd61fb9ecedcf7909ab2fe0745.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	gauvaz.exe

Executes dropped EXE 1 IoCs

pid	Process
4960	gauvaz.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b5561fa02779219e6105dac908090cc541abcacd61fb9ecedcf7909ab2fe0745.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /a"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /i"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /u"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /e"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /t"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /b"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /c"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /l"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /r"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /h"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /f"	gauvaz.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /d"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /y"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /m"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /s"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /z"	b5561fa02779219e6105dac908090cc541abcacd61fb9ecedcf7909ab2fe0745.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /k"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /n"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /q"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /z"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /x"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /j"	gauvaz.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	b5561fa02779219e6105dac908090cc541abcacd61fb9ecedcf7909ab2fe0745.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /w"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /g"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /o"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /p"	gauvaz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gauvaz = "C:\\Users\\Admin\\gauvaz.exe /v"	gauvaz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1988	b5561fa02779219e6105dac908090cc541abcacd61fb9ecedcf7909ab2fe0745.exe
1988	b5561fa02779219e6105dac908090cc541abcacd61fb9ecedcf7909ab2fe0745.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe
4960	gauvaz.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1988	b5561fa02779219e6105dac908090cc541abcacd61fb9ecedcf7909ab2fe0745.exe
4960	gauvaz.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 4960	1988	b5561fa02779219e6105dac908090cc541abcacd61fb9ecedcf7909ab2fe0745.exe	79
PID 1988 wrote to memory of 4960	1988	b5561fa02779219e6105dac908090cc541abcacd61fb9ecedcf7909ab2fe0745.exe	79
PID 1988 wrote to memory of 4960	1988	b5561fa02779219e6105dac908090cc541abcacd61fb9ecedcf7909ab2fe0745.exe	79

C:\Users\Admin\AppData\Local\Temp\b5561fa02779219e6105dac908090cc541abcacd61fb9ecedcf7909ab2fe0745.exe
"C:\Users\Admin\AppData\Local\Temp\b5561fa02779219e6105dac908090cc541abcacd61fb9ecedcf7909ab2fe0745.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\gauvaz.exe
  "C:\Users\Admin\gauvaz.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\gauvaz.exe

Filesize
240KB

MD5
52124a0869e0e98df6edd21aafc2d05b

SHA1
53c1925e97a013298374dffeb9ba40da1174c890

SHA256
3ee305c5791b47eaa8ba6efb0faa160d315af0f5c623cc8aee1068983c32f51b

SHA512
f32bad189274fd19a4eededb5a803ecb0aa50e812395afa580b8c198ba7da1a1eb7f676f29125328216e37ea3a1ad3f06f45387b8e8fd9977779ccbcb886368d

Download Submit
C:\Users\Admin\gauvaz.exe

Filesize
240KB

MD5
52124a0869e0e98df6edd21aafc2d05b

SHA1
53c1925e97a013298374dffeb9ba40da1174c890

SHA256
3ee305c5791b47eaa8ba6efb0faa160d315af0f5c623cc8aee1068983c32f51b

SHA512
f32bad189274fd19a4eededb5a803ecb0aa50e812395afa580b8c198ba7da1a1eb7f676f29125328216e37ea3a1ad3f06f45387b8e8fd9977779ccbcb886368d

Download Submit