5931c43dabd4420d65dc0ba5dc701c6ccba4e8396166226c3f020ad0d71e2198

Analysis

max time kernel
150s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 10:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5931c43dabd4420d65dc0ba5dc701c6ccba4e8396166226c3f020ad0d71e2198.exe
Size

296KB
MD5

08859369ad05d2c04e157ea1452bf020
SHA1

311a797edf9b7d48de09cf0a4d8f77337b22bf50
SHA256

5931c43dabd4420d65dc0ba5dc701c6ccba4e8396166226c3f020ad0d71e2198
SHA512

864be52209515626bb735f6323e3fa90dc60ab7499b242acaf6ceafabc8a561475bb1a2994e77e59844b2e78cec5445a855e4b2d1941caf342102dfb62fc8f42
SSDEEP

3072:IP8eHbzh7sAFEouHwbBAW4hXNzcd6HFfak/K4jaU3bxTlGb:IEkz/FEouH+BAi4HFfAgLpQ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	5931c43dabd4420d65dc0ba5dc701c6ccba4e8396166226c3f020ad0d71e2198.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	viutuv.exe

Executes dropped EXE 1 IoCs

pid	Process
968	viutuv.exe

Loads dropped DLL 2 IoCs

pid	Process
360	5931c43dabd4420d65dc0ba5dc701c6ccba4e8396166226c3f020ad0d71e2198.exe
360	5931c43dabd4420d65dc0ba5dc701c6ccba4e8396166226c3f020ad0d71e2198.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /X"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /R"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /r"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /H"	viutuv.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	5931c43dabd4420d65dc0ba5dc701c6ccba4e8396166226c3f020ad0d71e2198.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /h"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /Q"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /n"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /e"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /z"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /E"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /i"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /c"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /o"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /V"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /K"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /M"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /a"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /J"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /q"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /F"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /d"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /w"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /Y"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /Z"	5931c43dabd4420d65dc0ba5dc701c6ccba4e8396166226c3f020ad0d71e2198.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /m"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /A"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /B"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /u"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /C"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /v"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /p"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /s"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /j"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /y"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /Z"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /x"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /f"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /L"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /N"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /k"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /S"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /W"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /U"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /T"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /l"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /P"	viutuv.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /g"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /D"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /G"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /I"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /t"	viutuv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\viutuv = "C:\\Users\\Admin\\viutuv.exe /O"	viutuv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
360	5931c43dabd4420d65dc0ba5dc701c6ccba4e8396166226c3f020ad0d71e2198.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe
968	viutuv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
360	5931c43dabd4420d65dc0ba5dc701c6ccba4e8396166226c3f020ad0d71e2198.exe
968	viutuv.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 968	360	5931c43dabd4420d65dc0ba5dc701c6ccba4e8396166226c3f020ad0d71e2198.exe	27
PID 360 wrote to memory of 968	360	5931c43dabd4420d65dc0ba5dc701c6ccba4e8396166226c3f020ad0d71e2198.exe	27
PID 360 wrote to memory of 968	360	5931c43dabd4420d65dc0ba5dc701c6ccba4e8396166226c3f020ad0d71e2198.exe	27
PID 360 wrote to memory of 968	360	5931c43dabd4420d65dc0ba5dc701c6ccba4e8396166226c3f020ad0d71e2198.exe	27

C:\Users\Admin\AppData\Local\Temp\5931c43dabd4420d65dc0ba5dc701c6ccba4e8396166226c3f020ad0d71e2198.exe
"C:\Users\Admin\AppData\Local\Temp\5931c43dabd4420d65dc0ba5dc701c6ccba4e8396166226c3f020ad0d71e2198.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:360
- C:\Users\Admin\viutuv.exe
  "C:\Users\Admin\viutuv.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\viutuv.exe

Filesize
296KB

MD5
ecbb29515eedf0d3371276a537bd16cd

SHA1
e7f617afa1488dc9dac1500ec7d5ae9e560fff6d

SHA256
ba417da358fd219a443ac99eceeaa3ef2fcfb30c96144a42606f88555037ccc2

SHA512
dd81d1d42891c9aa6fad6ba22739050924953df7ce50287acdbbd600be44e64e45fc8203e5b94fc6731ecc823dfdac80b62ec98c7fce07035d7d0b6016e6cb7c

Download Submit
C:\Users\Admin\viutuv.exe

Filesize
296KB

MD5
ecbb29515eedf0d3371276a537bd16cd

SHA1
e7f617afa1488dc9dac1500ec7d5ae9e560fff6d

SHA256
ba417da358fd219a443ac99eceeaa3ef2fcfb30c96144a42606f88555037ccc2

SHA512
dd81d1d42891c9aa6fad6ba22739050924953df7ce50287acdbbd600be44e64e45fc8203e5b94fc6731ecc823dfdac80b62ec98c7fce07035d7d0b6016e6cb7c

Download Submit
\Users\Admin\viutuv.exe

Filesize
296KB

MD5
ecbb29515eedf0d3371276a537bd16cd

SHA1
e7f617afa1488dc9dac1500ec7d5ae9e560fff6d

SHA256
ba417da358fd219a443ac99eceeaa3ef2fcfb30c96144a42606f88555037ccc2

SHA512
dd81d1d42891c9aa6fad6ba22739050924953df7ce50287acdbbd600be44e64e45fc8203e5b94fc6731ecc823dfdac80b62ec98c7fce07035d7d0b6016e6cb7c

Download Submit
\Users\Admin\viutuv.exe

Filesize
296KB

MD5
ecbb29515eedf0d3371276a537bd16cd

SHA1
e7f617afa1488dc9dac1500ec7d5ae9e560fff6d

SHA256
ba417da358fd219a443ac99eceeaa3ef2fcfb30c96144a42606f88555037ccc2

SHA512
dd81d1d42891c9aa6fad6ba22739050924953df7ce50287acdbbd600be44e64e45fc8203e5b94fc6731ecc823dfdac80b62ec98c7fce07035d7d0b6016e6cb7c

Download Submit
memory/360-56-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download