Analysis
-
max time kernel
165s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
06/12/2022, 18:16
Static task
static1
Behavioral task
behavioral1
Sample
db3cce7ac2518914afbea516e9968757046f028c4fee92617e082a45c589383e.exe
Resource
win7-20221111-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
db3cce7ac2518914afbea516e9968757046f028c4fee92617e082a45c589383e.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
db3cce7ac2518914afbea516e9968757046f028c4fee92617e082a45c589383e.exe
-
Size
135KB
-
MD5
4ab5b40249eee078e2ddb37f2f901660
-
SHA1
cbdb30321ed14f94042df3ea6b9091acd72f4fa6
-
SHA256
db3cce7ac2518914afbea516e9968757046f028c4fee92617e082a45c589383e
-
SHA512
10073491ce86d17849f1ca7cae386f00f7509b5661b25a2dace6345bc2b01cba0686a3c99407fe8e57ba1887fafc502033cc9bcec6db0d530802775fb98e3dfa
-
SSDEEP
3072:KAaJdc3VsweCeXRzeSeVeEe0eDQ8jrTrm:raJdc3VsZR3Q8jrTr
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" teubu.exe -
Executes dropped EXE 1 IoCs
pid Process 3132 teubu.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation db3cce7ac2518914afbea516e9968757046f028c4fee92617e082a45c589383e.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\ teubu.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teubu = "C:\\Users\\Admin\\teubu.exe" teubu.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe 3132 teubu.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2568 db3cce7ac2518914afbea516e9968757046f028c4fee92617e082a45c589383e.exe 3132 teubu.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2568 wrote to memory of 3132 2568 db3cce7ac2518914afbea516e9968757046f028c4fee92617e082a45c589383e.exe 83 PID 2568 wrote to memory of 3132 2568 db3cce7ac2518914afbea516e9968757046f028c4fee92617e082a45c589383e.exe 83 PID 2568 wrote to memory of 3132 2568 db3cce7ac2518914afbea516e9968757046f028c4fee92617e082a45c589383e.exe 83 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81 PID 3132 wrote to memory of 2568 3132 teubu.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\db3cce7ac2518914afbea516e9968757046f028c4fee92617e082a45c589383e.exe"C:\Users\Admin\AppData\Local\Temp\db3cce7ac2518914afbea516e9968757046f028c4fee92617e082a45c589383e.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Users\Admin\teubu.exe"C:\Users\Admin\teubu.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3132
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
135KB
MD585f441895967ffd386c452c6c35c0450
SHA1ac6e690deb3dbf6d5f7cf5d19f631d4eb1bb617e
SHA256a94dd468b271787567903518df3795fef914abc8db743c6135d54e301ea632c4
SHA512a870f12afd4c6d77747c7ee19a932a0c2ef890932188cbd9adbb914d19ea2b3ee7c188dacb671123d8a4c8b3c996b62ec377d52d4313e715774f7f83f2ae2539
-
Filesize
135KB
MD585f441895967ffd386c452c6c35c0450
SHA1ac6e690deb3dbf6d5f7cf5d19f631d4eb1bb617e
SHA256a94dd468b271787567903518df3795fef914abc8db743c6135d54e301ea632c4
SHA512a870f12afd4c6d77747c7ee19a932a0c2ef890932188cbd9adbb914d19ea2b3ee7c188dacb671123d8a4c8b3c996b62ec377d52d4313e715774f7f83f2ae2539