009aaeb9c5404de83c8470d233da549bf1fe2849a2262629eac58110b63cbb4e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02a1e861c5238d5c4624176c31d6f322.exe
Size

111KB
MD5

02a1e861c5238d5c4624176c31d6f322
SHA1

0885a0ddd8218842e51bb564ac9947909b65f581
SHA256

009aaeb9c5404de83c8470d233da549bf1fe2849a2262629eac58110b63cbb4e
SHA512

6dbf55472b44d00c48551664694971a2b100993fb2b842b85e32ce7c52afd23e1d34c0251c70a98a716448ca8767412098b1831eab5e5932a2a3fdb6e5f0d3fa
SSDEEP

768:sduwfCc9lNEylN+FXOZzP34DGltCJWx+7AppL4zG4dslM8lP+wgG0SXdkUr9AeXi:sdFZDl6I7lN+aLHM8WSXjyj

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vakeg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	02a1e861c5238d5c4624176c31d6f322.exe

Executes dropped EXE 1 IoCs

pid	Process
4448	vakeg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vakeg = "C:\\Users\\Admin\\vakeg.exe"	vakeg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2144	2596	WerFault.exe	14

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe
4448	vakeg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2596	02a1e861c5238d5c4624176c31d6f322.exe
4448	vakeg.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 4448	2596	02a1e861c5238d5c4624176c31d6f322.exe	74
PID 2596 wrote to memory of 4448	2596	02a1e861c5238d5c4624176c31d6f322.exe	74
PID 2596 wrote to memory of 4448	2596	02a1e861c5238d5c4624176c31d6f322.exe	74
PID 4448 wrote to memory of 2596	4448	vakeg.exe	14
PID 4448 wrote to memory of 2596	4448	vakeg.exe	14
PID 4448 wrote to memory of 2596	4448	vakeg.exe	14
PID 4448 wrote to memory of 2596	4448	vakeg.exe	14

C:\Users\Admin\AppData\Local\Temp\02a1e861c5238d5c4624176c31d6f322.exe
"C:\Users\Admin\AppData\Local\Temp\02a1e861c5238d5c4624176c31d6f322.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\vakeg.exe
  "C:\Users\Admin\vakeg.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 1000
  2⤵
  - Program crash
  PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2596 -ip 2596
1⤵
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vakeg.exe

Filesize
111KB

MD5
2c3605e2fdb6caa7502f0a4bfd7de780

SHA1
fedfe97ccc30dba543f10270c35b6ada071eb51f

SHA256
ec0eb6b64aced35391303a99cf2bbff4bb83fb0f7c960f89f72f62530ae4246e

SHA512
22e37044c6cf19b97880e8c9854e51562eafc3f447b0878fef9edcbd1b648ed2a5b9dbb9760cf9227e90de9980d215d393a109078c26336fcc665a29433e9523

Download Submit