bbea0f9fffb90967c5d778d5b580f9d86135e2f080345843920486658488fa1a

General

Target

bbea0f9fffb90967c5d778d5b580f9d86135e2f080345843920486658488fa1a.exe
Size

80KB
MD5

3a4d8dc36f3da894862ed51a24ee8f7f
SHA1

1efe247fdc7946983d1f589de70babeca50f14eb
SHA256

bbea0f9fffb90967c5d778d5b580f9d86135e2f080345843920486658488fa1a
SHA512

9b1f92b2c025f4e80345d7699dcf86517bf6678a55c203e59ab56f98daf2183859fcfb370693bb83af92cea1637dbea9da54e149c6ce18f97e842c6658ed2e2b
SSDEEP

1536:kXmto4DFyF8e/O+TtSv6DhjFEA5n6qtvmzrRptAi858J8MGu143i6E5T:G4nNT

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bbea0f9fffb90967c5d778d5b580f9d86135e2f080345843920486658488fa1a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	veoyu.exe

Executes dropped EXE 1 IoCs

pid	Process
2352	veoyu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	bbea0f9fffb90967c5d778d5b580f9d86135e2f080345843920486658488fa1a.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veoyu = "C:\\Users\\Admin\\veoyu.exe /k"	veoyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veoyu = "C:\\Users\\Admin\\veoyu.exe /q"	veoyu.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	bbea0f9fffb90967c5d778d5b580f9d86135e2f080345843920486658488fa1a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veoyu = "C:\\Users\\Admin\\veoyu.exe /j"	veoyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veoyu = "C:\\Users\\Admin\\veoyu.exe /x"	veoyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veoyu = "C:\\Users\\Admin\\veoyu.exe /o"	veoyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veoyu = "C:\\Users\\Admin\\veoyu.exe /h"	veoyu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veoyu = "C:\\Users\\Admin\\veoyu.exe /h"	bbea0f9fffb90967c5d778d5b580f9d86135e2f080345843920486658488fa1a.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	veoyu.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{BD944EBA-441B-4040-9258-22BEB5ED75A7}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{59CB7784-D46E-4B35-B376-56872B69A0E5}.catalogItem	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2228	bbea0f9fffb90967c5d778d5b580f9d86135e2f080345843920486658488fa1a.exe
2228	bbea0f9fffb90967c5d778d5b580f9d86135e2f080345843920486658488fa1a.exe
2352	veoyu.exe
2352	veoyu.exe
2352	veoyu.exe
2352	veoyu.exe
2352	veoyu.exe
2352	veoyu.exe
2352	veoyu.exe
2352	veoyu.exe
2352	veoyu.exe
2352	veoyu.exe
2352	veoyu.exe
2352	veoyu.exe
2352	veoyu.exe
2352	veoyu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2228	bbea0f9fffb90967c5d778d5b580f9d86135e2f080345843920486658488fa1a.exe
2352	veoyu.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2352	2228	bbea0f9fffb90967c5d778d5b580f9d86135e2f080345843920486658488fa1a.exe	75
PID 2228 wrote to memory of 2352	2228	bbea0f9fffb90967c5d778d5b580f9d86135e2f080345843920486658488fa1a.exe	75
PID 2228 wrote to memory of 2352	2228	bbea0f9fffb90967c5d778d5b580f9d86135e2f080345843920486658488fa1a.exe	75

C:\Users\Admin\AppData\Local\Temp\bbea0f9fffb90967c5d778d5b580f9d86135e2f080345843920486658488fa1a.exe
"C:\Users\Admin\AppData\Local\Temp\bbea0f9fffb90967c5d778d5b580f9d86135e2f080345843920486658488fa1a.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\veoyu.exe
  "C:\Users\Admin\veoyu.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\veoyu.exe

Filesize
80KB

MD5
ac8d0a592354c07d4c3296bbb6afde60

SHA1
21494861b32b6d9da3a766e83167751e7969c71e

SHA256
a4c1b1c4ac84979434d5f6b5c214f1f7225551a58670b1cc34a05681755570b3

SHA512
4b9c99fb3dc03c13d4a26a5b0e40a422bb2cc095adeacb04e2ccdacc44ba5b971d08143a74e8003c17fefab53d55852f099a6a75ce7ae16cc616038194502063

Download Submit
C:\Users\Admin\veoyu.exe

Filesize
80KB

MD5
ac8d0a592354c07d4c3296bbb6afde60

SHA1
21494861b32b6d9da3a766e83167751e7969c71e

SHA256
a4c1b1c4ac84979434d5f6b5c214f1f7225551a58670b1cc34a05681755570b3

SHA512
4b9c99fb3dc03c13d4a26a5b0e40a422bb2cc095adeacb04e2ccdacc44ba5b971d08143a74e8003c17fefab53d55852f099a6a75ce7ae16cc616038194502063

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads