a632ec32237374a4c48d657e3a35af4f59e61704bd9bff5bdf8fd8716a0f34c8

Analysis

max time kernel
151s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a632ec32237374a4c48d657e3a35af4f59e61704bd9bff5bdf8fd8716a0f34c8.exe
Size

84KB
MD5

94f415d41857200d6b7dc748e8f112d7
SHA1

b262bba105eb45b88b8937943b8a0b7d16de8747
SHA256

a632ec32237374a4c48d657e3a35af4f59e61704bd9bff5bdf8fd8716a0f34c8
SHA512

7d94a71ae0b1c538278b2433fac04f3e764987be14e3e229bb526833ac251370fcc78e57482b93a7b259f00b8f05fd0fdb53ec2de70e56503f47b0cd9d05ba3b
SSDEEP

1536:v88yTb7bg4htUVGLG/wXJYeUj27dTGHq13i6E:0vUVeG/wXJY527Y

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tuoyum.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a632ec32237374a4c48d657e3a35af4f59e61704bd9bff5bdf8fd8716a0f34c8.exe

Executes dropped EXE 1 IoCs

pid	Process
2040	tuoyum.exe

Loads dropped DLL 2 IoCs

pid	Process
1488	a632ec32237374a4c48d657e3a35af4f59e61704bd9bff5bdf8fd8716a0f34c8.exe
1488	a632ec32237374a4c48d657e3a35af4f59e61704bd9bff5bdf8fd8716a0f34c8.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /w"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /u"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /j"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /s"	tuoyum.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	a632ec32237374a4c48d657e3a35af4f59e61704bd9bff5bdf8fd8716a0f34c8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /i"	a632ec32237374a4c48d657e3a35af4f59e61704bd9bff5bdf8fd8716a0f34c8.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /r"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /m"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /d"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /k"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /h"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /v"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /l"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /t"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /y"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /c"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /o"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /g"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /a"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /x"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /b"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /e"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /p"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /z"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /n"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /i"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /q"	tuoyum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuoyum = "C:\\Users\\Admin\\tuoyum.exe /f"	tuoyum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1488	a632ec32237374a4c48d657e3a35af4f59e61704bd9bff5bdf8fd8716a0f34c8.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe
2040	tuoyum.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1488	a632ec32237374a4c48d657e3a35af4f59e61704bd9bff5bdf8fd8716a0f34c8.exe
2040	tuoyum.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2040	1488	a632ec32237374a4c48d657e3a35af4f59e61704bd9bff5bdf8fd8716a0f34c8.exe	27
PID 1488 wrote to memory of 2040	1488	a632ec32237374a4c48d657e3a35af4f59e61704bd9bff5bdf8fd8716a0f34c8.exe	27
PID 1488 wrote to memory of 2040	1488	a632ec32237374a4c48d657e3a35af4f59e61704bd9bff5bdf8fd8716a0f34c8.exe	27
PID 1488 wrote to memory of 2040	1488	a632ec32237374a4c48d657e3a35af4f59e61704bd9bff5bdf8fd8716a0f34c8.exe	27

C:\Users\Admin\AppData\Local\Temp\a632ec32237374a4c48d657e3a35af4f59e61704bd9bff5bdf8fd8716a0f34c8.exe
"C:\Users\Admin\AppData\Local\Temp\a632ec32237374a4c48d657e3a35af4f59e61704bd9bff5bdf8fd8716a0f34c8.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\tuoyum.exe
  "C:\Users\Admin\tuoyum.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\tuoyum.exe

Filesize
84KB

MD5
e8bd90db8fab77a75bea75639fb02320

SHA1
902174b3457c80f149282971524866c96c99a894

SHA256
f52de204b53e5f19f030ff3d1cfc35f5609b1dd2c6b1a31320eecb028ec82fe8

SHA512
04c7a2a8966d74245b2e975a084f98c1667d05a0365760cc1ba0be6f898376bfdb671ece671f5041e52192cf0fc51bc0212aa08af37a2e4296e00e0ae4b49f50

Download Submit
C:\Users\Admin\tuoyum.exe

Filesize
84KB

MD5
e8bd90db8fab77a75bea75639fb02320

SHA1
902174b3457c80f149282971524866c96c99a894

SHA256
f52de204b53e5f19f030ff3d1cfc35f5609b1dd2c6b1a31320eecb028ec82fe8

SHA512
04c7a2a8966d74245b2e975a084f98c1667d05a0365760cc1ba0be6f898376bfdb671ece671f5041e52192cf0fc51bc0212aa08af37a2e4296e00e0ae4b49f50

Download Submit
\Users\Admin\tuoyum.exe

Filesize
84KB

MD5
e8bd90db8fab77a75bea75639fb02320

SHA1
902174b3457c80f149282971524866c96c99a894

SHA256
f52de204b53e5f19f030ff3d1cfc35f5609b1dd2c6b1a31320eecb028ec82fe8

SHA512
04c7a2a8966d74245b2e975a084f98c1667d05a0365760cc1ba0be6f898376bfdb671ece671f5041e52192cf0fc51bc0212aa08af37a2e4296e00e0ae4b49f50

Download Submit
\Users\Admin\tuoyum.exe

Filesize
84KB

MD5
e8bd90db8fab77a75bea75639fb02320

SHA1
902174b3457c80f149282971524866c96c99a894

SHA256
f52de204b53e5f19f030ff3d1cfc35f5609b1dd2c6b1a31320eecb028ec82fe8

SHA512
04c7a2a8966d74245b2e975a084f98c1667d05a0365760cc1ba0be6f898376bfdb671ece671f5041e52192cf0fc51bc0212aa08af37a2e4296e00e0ae4b49f50

Download Submit
memory/1488-56-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download