Analysis
-
max time kernel
155s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
15-10-2023 19:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe
Resource
win7-20230831-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe
Resource
win10v2004-20230915-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe
-
Size
204KB
-
MD5
fb0c71d71ee6d447a5c498cd12f4f050
-
SHA1
c03638ae78e882d1e1b59b5a6654772100bc024b
-
SHA256
3f101c958bf7aaacfcd0a8285595583282ab9a02df2f98367004edda7eaf7763
-
SHA512
410eb5cd3bbb328207a47b42b8d7cd5b92e696af0ef0703e4849578a4892be6214113c44e067544e960dd8c39064d2c9e2c1d476e01b369d3fe4199653ec9fb0
-
SSDEEP
3072:lOmsW8f0tQ9nLHbB9W0c1TqECzR/mkSYGrl9ymgYUWBc:l5hs4QxL7B9W0c1RCzR/fSmlH
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" xiiol.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe -
Executes dropped EXE 1 IoCs
pid Process 844 xiiol.exe -
Adds Run key to start application 2 TTPs 27 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /w" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /l" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /s" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /i" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /u" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /x" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /t" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /o" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /g" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /r" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /q" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /a" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /z" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /d" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /y" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /p" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /h" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /v" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /k" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /m" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /j" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /e" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /m" fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /c" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /f" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /n" xiiol.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xiiol = "C:\\Users\\Admin\\xiiol.exe /b" xiiol.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2156 fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe 2156 fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe 844 xiiol.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2156 fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe 844 xiiol.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2156 wrote to memory of 844 2156 fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe 87 PID 2156 wrote to memory of 844 2156 fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe 87 PID 2156 wrote to memory of 844 2156 fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe"C:\Users\Admin\AppData\Local\Temp\fb0c71d71ee6d447a5c498cd12f4f050_exe32.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Users\Admin\xiiol.exe"C:\Users\Admin\xiiol.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:844
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD54af00e60fd8a2a400f89fc593fb874e7
SHA138a7910d77fb4ffb00cb3a5b4840dcf4c49d831a
SHA2565e1bb623669349fe572c02b1d950558a29d71522b68a8cf61cda7b0ba2b35814
SHA512b268cd8904148db717190925468900b98d4911fbb8dda6fb2558801245647cb62c11b01cdde5268dd3c63988f112c9fa2dac057999d92687674bf7755b98104f
-
Filesize
204KB
MD54af00e60fd8a2a400f89fc593fb874e7
SHA138a7910d77fb4ffb00cb3a5b4840dcf4c49d831a
SHA2565e1bb623669349fe572c02b1d950558a29d71522b68a8cf61cda7b0ba2b35814
SHA512b268cd8904148db717190925468900b98d4911fbb8dda6fb2558801245647cb62c11b01cdde5268dd3c63988f112c9fa2dac057999d92687674bf7755b98104f
-
Filesize
204KB
MD54af00e60fd8a2a400f89fc593fb874e7
SHA138a7910d77fb4ffb00cb3a5b4840dcf4c49d831a
SHA2565e1bb623669349fe572c02b1d950558a29d71522b68a8cf61cda7b0ba2b35814
SHA512b268cd8904148db717190925468900b98d4911fbb8dda6fb2558801245647cb62c11b01cdde5268dd3c63988f112c9fa2dac057999d92687674bf7755b98104f