b3d060397832cf67f53c02cdbb10704985552bc9565952dcefbd5c56c272cbd9

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 23:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b3d060397832cf67f53c02cdbb10704985552bc9565952dcefbd5c56c272cbd9.exe
Size

216KB
MD5

f5eed679e4ffefd94039f1fec3519b8b
SHA1

d0a00479614e86df6907ab6171c64ce54e4a91a1
SHA256

b3d060397832cf67f53c02cdbb10704985552bc9565952dcefbd5c56c272cbd9
SHA512

2c70f4ab6a49e9193ee3a145a29748047e9784705feb2c0cddb8229d02c41213778cfe4f91c0c4d41fd279e1c5143f8435d193ea817d5ab0bcd4736a11a00452
SSDEEP

6144:WCRIpcN4LCdxCvhoyRhU9/YcHpynEsy+XrDvCLRFktgaCoquob4IDQSp+pP1N:WCMccCdxCvhoyRhU9/YcJynEsy+XrDv7

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b3d060397832cf67f53c02cdbb10704985552bc9565952dcefbd5c56c272cbd9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	souhul.exe

Executes dropped EXE 1 IoCs

pid	Process
884	souhul.exe

Loads dropped DLL 2 IoCs

pid	Process
1336	b3d060397832cf67f53c02cdbb10704985552bc9565952dcefbd5c56c272cbd9.exe
1336	b3d060397832cf67f53c02cdbb10704985552bc9565952dcefbd5c56c272cbd9.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /T"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /V"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /P"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /k"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /L"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /Y"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /b"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /a"	souhul.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	b3d060397832cf67f53c02cdbb10704985552bc9565952dcefbd5c56c272cbd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /Z"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /J"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /U"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /m"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /u"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /e"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /W"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /C"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /x"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /z"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /H"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /g"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /K"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /o"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /Q"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /q"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /h"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /c"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /s"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /F"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /y"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /i"	souhul.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /n"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /S"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /N"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /I"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /v"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /G"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /w"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /d"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /j"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /R"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /A"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /X"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /R"	b3d060397832cf67f53c02cdbb10704985552bc9565952dcefbd5c56c272cbd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /l"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /f"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /O"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /E"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /D"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /t"	souhul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\souhul = "C:\\Users\\Admin\\souhul.exe /M"	souhul.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1336	b3d060397832cf67f53c02cdbb10704985552bc9565952dcefbd5c56c272cbd9.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe
884	souhul.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1336	b3d060397832cf67f53c02cdbb10704985552bc9565952dcefbd5c56c272cbd9.exe
884	souhul.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 884	1336	b3d060397832cf67f53c02cdbb10704985552bc9565952dcefbd5c56c272cbd9.exe	27
PID 1336 wrote to memory of 884	1336	b3d060397832cf67f53c02cdbb10704985552bc9565952dcefbd5c56c272cbd9.exe	27
PID 1336 wrote to memory of 884	1336	b3d060397832cf67f53c02cdbb10704985552bc9565952dcefbd5c56c272cbd9.exe	27
PID 1336 wrote to memory of 884	1336	b3d060397832cf67f53c02cdbb10704985552bc9565952dcefbd5c56c272cbd9.exe	27

C:\Users\Admin\AppData\Local\Temp\b3d060397832cf67f53c02cdbb10704985552bc9565952dcefbd5c56c272cbd9.exe
"C:\Users\Admin\AppData\Local\Temp\b3d060397832cf67f53c02cdbb10704985552bc9565952dcefbd5c56c272cbd9.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\souhul.exe
  "C:\Users\Admin\souhul.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\souhul.exe

Filesize
216KB

MD5
4d3826483121acea85ef9af7409c7c6d

SHA1
34b9dd634e620df618611441045d1935db8457c1

SHA256
fef15126da1f87e712a097992c3136ad103e02c11c79e474a5389666dda407ff

SHA512
d176ff4794d8e61d6846d477c4e913ccde3a1d89527ec33affa22e272254ebfdde4510668154fb60cb283a6ac91437398107bcfc4f5922da58732ae80cd4fea8

Download Submit
C:\Users\Admin\souhul.exe

Filesize
216KB

MD5
4d3826483121acea85ef9af7409c7c6d

SHA1
34b9dd634e620df618611441045d1935db8457c1

SHA256
fef15126da1f87e712a097992c3136ad103e02c11c79e474a5389666dda407ff

SHA512
d176ff4794d8e61d6846d477c4e913ccde3a1d89527ec33affa22e272254ebfdde4510668154fb60cb283a6ac91437398107bcfc4f5922da58732ae80cd4fea8

Download Submit
\Users\Admin\souhul.exe

Filesize
216KB

MD5
4d3826483121acea85ef9af7409c7c6d

SHA1
34b9dd634e620df618611441045d1935db8457c1

SHA256
fef15126da1f87e712a097992c3136ad103e02c11c79e474a5389666dda407ff

SHA512
d176ff4794d8e61d6846d477c4e913ccde3a1d89527ec33affa22e272254ebfdde4510668154fb60cb283a6ac91437398107bcfc4f5922da58732ae80cd4fea8

Download Submit
\Users\Admin\souhul.exe

Filesize
216KB

MD5
4d3826483121acea85ef9af7409c7c6d

SHA1
34b9dd634e620df618611441045d1935db8457c1

SHA256
fef15126da1f87e712a097992c3136ad103e02c11c79e474a5389666dda407ff

SHA512
d176ff4794d8e61d6846d477c4e913ccde3a1d89527ec33affa22e272254ebfdde4510668154fb60cb283a6ac91437398107bcfc4f5922da58732ae80cd4fea8

Download Submit
memory/1336-56-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download