d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2

Analysis

max time kernel
190s
max time network
222s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe
Size

128KB
MD5

cd4e753034a975044e480b8428d30687
SHA1

726a772f4cec923d28c920c161cea0d223adcf43
SHA256

d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2
SHA512

dffdc6c276a443e4b170d2e21ddcfe4c67c5eec6a8e9bc6dff35bb9c2f6605fe3678d71701de33aa5590612d9142d19398600a15287f034b39d02634e8df9629
SSDEEP

3072:eDyjSDvi4wwDCXcsTlyrGn8Dq7E0zQL16Yirqn5zd32C:ktwwDMpErGnWq7E0zQL3i2n5zd

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	muayau.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe

Executes dropped EXE 1 IoCs

pid	Process
1796	muayau.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /i"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /w"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /f"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /g"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /b"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /m"	d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /q"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /h"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /e"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /p"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /m"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /z"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /s"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /c"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /o"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /n"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /l"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /a"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /k"	muayau.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /r"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /j"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /d"	muayau.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /u"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /y"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /t"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /v"	muayau.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muayau = "C:\\Users\\Admin\\muayau.exe /x"	muayau.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3916	2936	WerFault.exe	66
5084	4176	WerFault.exe	86
4172	4176	WerFault.exe	86

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4176	svchost.exe
2984	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4256	d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe
4256	d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe
1796	muayau.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4256	d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe
1796	muayau.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 1796	4256	d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe	89
PID 4256 wrote to memory of 1796	4256	d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe	89
PID 4256 wrote to memory of 1796	4256	d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe	89

C:\Users\Admin\AppData\Local\Temp\d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe
"C:\Users\Admin\AppData\Local\Temp\d130579dcc242543487c7e8bb03fa5f09cdf88c77ec70c680872fdf0e2d648c2.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Users\Admin\muayau.exe
  "C:\Users\Admin\muayau.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1796

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2936 -ip 2936
1⤵
PID:3052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2936 -s 1076
1⤵
- Program crash
PID:3916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:4176
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4176 -s 2032
  2⤵
  - Program crash
  PID:5084
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4176 -s 1968
  2⤵
  - Program crash
  PID:4172

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 4176 -ip 4176
1⤵
PID:4416

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 4176 -ip 4176
1⤵
PID:2980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:2984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\muayau.exe

Filesize
128KB

MD5
cad9adb2b63a606b060b78299dddf9bc

SHA1
14d46a5f4a9c2d2456cea95175c5834dfdd565ac

SHA256
c2331e6486e00a35a5994d544dba96605288870dd346bdd8f64e87932fdc503c

SHA512
01b25e80e83b1b8a2de22881cc131712632994de082d4796a3c043ba698ad4c8a78007b95f022ddb49b8c1fff68c8efe7de0daa6b92d25cf86cfb4beb440384e

Download Submit
C:\Users\Admin\muayau.exe

Filesize
128KB

MD5
cad9adb2b63a606b060b78299dddf9bc

SHA1
14d46a5f4a9c2d2456cea95175c5834dfdd565ac

SHA256
c2331e6486e00a35a5994d544dba96605288870dd346bdd8f64e87932fdc503c

SHA512
01b25e80e83b1b8a2de22881cc131712632994de082d4796a3c043ba698ad4c8a78007b95f022ddb49b8c1fff68c8efe7de0daa6b92d25cf86cfb4beb440384e

Download Submit
memory/1796-141-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4256-134-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4256-135-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download