Analysis
-
max time kernel
173s -
max time network
71s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system -
submitted
06-12-2022 12:30
Static task
static1
Behavioral task
behavioral1
Sample
b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe
Resource
win10v2004-20221111-en
General
-
Target
b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe
-
Size
132KB
-
MD5
e15429cadcff8352d6559600d124c67a
-
SHA1
16ed1c5d8cf700a9b2edefba119fa262e24cc39e
-
SHA256
b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e
-
SHA512
e9a4954e65e3724174f628bcf1ffe94441f1784506709e4a263d75fc394d3fb589e66d736173d97fcedac77efcd73026d64326065fd4eb0e8be2a21a235cada5
-
SSDEEP
1536:57wVFjb0kWUBtizWywMsK8q72QNSqxAASKrSitUrN4oQ/hKeXsjEFTp+H7:5gLBtiJ772QNPPSK24oQZiEH+H7
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process
- Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by woaisi.exe
ShowSuperHidden = 0 is Explorer's "Hide protected operating system files" setting: files carrying both the hidden and system attributes disappear from the file browser, and the write reverts the option if the user had turned it on. Both the original sample and its dropped copy set it. -
Executes dropped EXE 1 IoCs
pid Process
- 1852 woaisi.exe -
Loads dropped DLL 2 IoCs
pid Process
- 1460 b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe
- 1460 b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe -
Adds Run key to start application 2 TTPs 51 IoCs
description ioc Process
All 51 entries concern the same per-user key, \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run (written as Run below). The value name is always woaisi and the data is always C:\Users\Admin\woaisi.exe followed by one single-letter switch that changes on every write: the original sample creates the key and writes the value once (/S), and woaisi.exe then creates the key again and rewrites the value 48 times, once per switch. The entries are listed in the order the report gives them.
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /J" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /F" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /W" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /N" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /P" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /A" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /d" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /K" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /T" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /s" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /r" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /S" by b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe
- Key created Run\ by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /l" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /h" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /C" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /y" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /u" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /m" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /H" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /I" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /Z" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /L" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /M" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /Q" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /x" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /Y" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /z" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /a" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /e" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /k" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /c" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /v" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /E" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /n" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /t" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /S" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /q" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /G" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /o" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /p" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /g" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /B" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /j" by woaisi.exe
- Key created Run\ by b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /b" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /f" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /i" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /R" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /U" by woaisi.exe
- Set value (str) Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /D" by woaisi.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
- 1460 b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe (1 entry)
- 1852 woaisi.exe (63 entries; the report repeats the pid/process pair once per enumeration) -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
- 1460 b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe
- 1852 woaisi.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
- PID 1460 wrote to memory of 1852 | 1460 | b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe | 28
- PID 1460 wrote to memory of 1852 | 1460 | b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe | 28
- PID 1460 wrote to memory of 1852 | 1460 | b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe | 28
- PID 1460 wrote to memory of 1852 | 1460 | b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe | 28
All four writes go from the original sample into the child it spawned (woaisi.exe, PID 1852). A parent writing into a process it has just created is also what ordinary process start-up looks like, so this signature on its own is weak evidence of injection; the persistence and ShowSuperHidden writes above are the stronger indicators in this report.
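The registry rows above are the useful output of this report, but as flattened report text they are hard to turn into indicators. The following is an added example, not code from the sandbox or from the sample: it parses records written in the same shape as the report's "Set value" / "Key created" rows, replaces the machine-specific user SID with a placeholder so the key paths port to other hosts, and derives three findings from them: writes of ShowSuperHidden = 0, a Run value whose image name matches the process that wrote it (self-persistence), and a Run value rewritten with several different switches. The input records are constructed here (a subset of the rows above); the split of the Run data into image path and switch assumes, as the report shows, that the path itself contains no spaces.

```python
"""Summarise Triage-style registry IoC rows into persistence findings.

Added example, not part of the sandbox report. The records below are
constructed to match the shape of the report's rows.
"""
import re
from collections import defaultdict

# Constructed sample records (a subset of the report's rows, same format).
SAMPLE_RECORDS = r'''
Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" woaisi.exe
Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\ b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /S" b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /J" woaisi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /F" woaisi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\woaisi = "C:\\Users\\Admin\\woaisi.exe /S" woaisi.exe
'''

# One row: <op> <key>[ = "<data>"] <process>. Keys contain no spaces; data may.
RECORD_RE = re.compile(
    r'^(?P<op>Set value \((?:str|int)\)|Key created) '
    r'(?P<key>\\REGISTRY\\\S+?)'
    r'(?: = "(?P<data>.*)")? '
    r'(?P<proc>\S+)$'
)
# The per-user SID is machine specific; swap it for a placeholder.
SID_RE = re.compile(r'\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\')

RUN_KEY = r'\REGISTRY\USER\<SID>\Software\Microsoft\Windows\CurrentVersion\Run'
SUPERHIDDEN = (r'\REGISTRY\USER\<SID>\Software\Microsoft\Windows\CurrentVersion'
               r'\Explorer\Advanced\ShowSuperHidden')


def parse_records(text):
    """Parse one record per line; blank or unparseable lines are skipped."""
    out = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        if rec['data'] is not None:
            # The report shows backslashes escaped inside the quoted data.
            rec['data'] = rec['data'].replace('\\\\', '\\')
        out.append(rec)
    return out


def normalize_key(key):
    """Replace the user SID in a \\REGISTRY\\USER\\... path with <SID>."""
    return SID_RE.sub(r'\\REGISTRY\\USER\\<SID>\\', key)


def summarize(records):
    """Return human-readable findings derived from the registry records."""
    findings = []
    run = defaultdict(lambda: {'writers': set(), 'images': set(), 'args': set()})
    for r in records:
        key = normalize_key(r['key'])
        if key == SUPERHIDDEN and r['data'] == '0':
            findings.append(f"{r['proc']} hides protected OS files in Explorer (ShowSuperHidden=0)")
        elif r['op'] == 'Set value (str)' and key.startswith(RUN_KEY + '\\'):
            name = key[len(RUN_KEY) + 1:]
            # Assumes the image path has no spaces (true for the rows above).
            image, _, args = r['data'].partition(' ')
            run[name]['writers'].add(r['proc'])
            run[name]['images'].add(image)
            run[name]['args'].add(args)
    for name, e in run.items():
        writers = {w.lower() for w in e['writers']}
        for img in e['images']:
            basename = img.rsplit('\\', 1)[-1].lower()
            if basename in writers:
                findings.append(f"Run\\{name}: {basename} persists itself via {img}")
        if len(e['args']) > 1:
            findings.append(f"Run\\{name}: rewritten with {len(e['args'])} distinct switches {sorted(e['args'])}")
    return findings


if __name__ == '__main__':
    for finding in summarize(parse_records(SAMPLE_RECORDS)):
        print(finding)
```

Run against the full 51-row list the switch count becomes 49 (every upper- and lower-case letter except the one the sample itself wrote is written by woaisi.exe), which is the pattern to key a detection on: a single Run value rewritten many times with varying arguments by the binary it points to.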
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe, command line "C:\Users\Admin\AppData\Local\Temp\b8fd9913d659855d7290e9595a164c2d78a5e1f7273990c6fd3a48bc8cf6078e.exe"
- Modifies visibility of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460 -
Level 2 (child of PID 1460): C:\Users\Admin\woaisi.exe, command line "C:\Users\Admin\woaisi.exe" (launched without the switch that the Run entries append)
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1852
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
132KB
MD5 f2bbd86a6483912522da3398a576beaa
SHA1 e4115cf02607075c3ebe0dd3a3a6d0752e3add6e
SHA256 f30d73ff7a48a11a9a21e078a7e1833e265f584b43f54085cba4ca74cd51cf07
SHA512 dd31683972d9e66343573e26726b3e9ac17945fdd889975d0c97530851e81248987136ea5d89a844fd71f1b53dc8c76918b09ceaaac0bdb6cc8fefa4dcd5feb4
This dropped file has the same 132KB size as the submitted sample but different hashes, so it is not a byte-for-byte copy of the parent; both hash sets should be carried as indicators.