Analysis
- max time kernel: 193s
- max time network: 206s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/12/2022, 03:30
Static task: static1
Behavioral task: behavioral1
- Sample: 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe
- Resource: win10v2004-20221111-en
General
- Target: 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe
- Size: 224KB
- MD5: f528102f02d6f25ebcae2dda8b14092c
- SHA1: 2078db01e24b8176c2fc74961e4cd540a22da1be
- SHA256: 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e
- SHA512: 8f93bf33c1c5d96eb071d8aef6b636ab74a00e711bdec4b45446ee4b94b8987ecd072525be49c735afc591d8ae525b80faa1a51eb8552a36fb39a761aab30ab8
- SSDEEP: 3072:V3Qivz5sMCKfvhd+V4SHsd8HYXfg23Qbb6oKWI8kHU5AHP:VgjKn+GKs5Xfmb6NWI8k05cP
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | youowi.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  4260 | youowi.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe
- Adds Run key to start application (2 TTPs, 29 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /z" | 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /a" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /w" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /h" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /d" | youowi.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /s" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /b" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /u" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /r" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /c" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /t" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /j" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /g" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /p" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /m" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /x" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /k" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /n" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /z" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /v" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /i" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /q" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /l" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /f" | youowi.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /o" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /y" | youowi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\youowi = "C:\\Users\\Admin\\youowi.exe /e" | youowi.exe
- Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | youowi.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | youowi.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1676 | 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe (2 entries)
  4260 | youowi.exe (repeated entries making up the remaining 62 of the 64 IoCs)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1676 | 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe
  4260 | youowi.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1676 wrote to memory of 4260 | 1676 | 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe | 83
  PID 1676 wrote to memory of 4260 | 1676 | 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe | 83
  PID 1676 wrote to memory of 4260 | 1676 | 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe | 83
Processes
- C:\Users\Admin\AppData\Local\Temp\37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1676
  - C:\Users\Admin\youowi.exe (child process)
    Command line: "C:\Users\Admin\youowi.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 4260
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  - Modifies registry class
  PID: 4352
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 224KB
  MD5: f528102f02d6f25ebcae2dda8b14092c
  SHA1: 2078db01e24b8176c2fc74961e4cd540a22da1be
  SHA256: 37aa818c56f3b525cd2ef70b020da866ad707449860c3b7b6b1b654935653c5e
  SHA512: 8f93bf33c1c5d96eb071d8aef6b636ab74a00e711bdec4b45446ee4b94b8987ecd072525be49c735afc591d8ae525b80faa1a51eb8552a36fb39a761aab30ab8