798fdc27f452e1dc38f27659660455dc8b4d8d98d8e5b26b24a10af530fce11e

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

086b6c3d60d45a58bdbcfd616b48f96b.exe
Size

268KB
MD5

086b6c3d60d45a58bdbcfd616b48f96b
SHA1

9a34f3bde41e7b15b933482a4ec0da9f2b00a4b2
SHA256

798fdc27f452e1dc38f27659660455dc8b4d8d98d8e5b26b24a10af530fce11e
SHA512

b124fb50411f357818635e93e02ca8d4fc4aefaa3c15c67df94f659b621cd18a9f036e7f0e4e50de40885057a99d6ccc522ea34586f988c919fb410b26f69aac
SSDEEP

3072:Kd8GXZb6+m/6+mD6+m26+mM6+mx6+mh6+me6+m96+mg6+mV6+mm6+mt6+m16+mvy:o8GX

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ceueze.exe

Executes dropped EXE 1 IoCs

pid	Process
2768	ceueze.exe

Loads dropped DLL 2 IoCs

pid	Process
2224	086b6c3d60d45a58bdbcfd616b48f96b.exe
2224	086b6c3d60d45a58bdbcfd616b48f96b.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /z"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /d"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /F"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /j"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /W"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /T"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /r"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /Y"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /w"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /X"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /e"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /u"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /i"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /A"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /m"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /o"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /Z"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /v"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /h"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /M"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /D"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /E"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /B"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /s"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /K"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /Q"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /l"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /g"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /c"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /G"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /J"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /N"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /L"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /b"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /C"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /a"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /O"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /U"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /f"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /R"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /q"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /V"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /k"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /P"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /y"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /I"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /H"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /n"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /S"	ceueze.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceueze = "C:\\Users\\Admin\\ceueze.exe /p"	ceueze.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe
2768	ceueze.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2224	086b6c3d60d45a58bdbcfd616b48f96b.exe
2768	ceueze.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2768	2224	086b6c3d60d45a58bdbcfd616b48f96b.exe	28
PID 2224 wrote to memory of 2768	2224	086b6c3d60d45a58bdbcfd616b48f96b.exe	28
PID 2224 wrote to memory of 2768	2224	086b6c3d60d45a58bdbcfd616b48f96b.exe	28
PID 2224 wrote to memory of 2768	2224	086b6c3d60d45a58bdbcfd616b48f96b.exe	28
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27
PID 2768 wrote to memory of 2224	2768	ceueze.exe	27

C:\Users\Admin\AppData\Local\Temp\086b6c3d60d45a58bdbcfd616b48f96b.exe
"C:\Users\Admin\AppData\Local\Temp\086b6c3d60d45a58bdbcfd616b48f96b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\ceueze.exe
  "C:\Users\Admin\ceueze.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\ceueze.exe

Filesize
268KB

MD5
da38fcf51c86797b04ea3d9837d4a6ad

SHA1
bf37038476c0f1500d3dabb575b5f40c80377679

SHA256
8e9752fda915cc7b1498919533745877625659ecffa048517bc50141e5c9d03e

SHA512
be24398772c61fb58f2e19520122a081471fb7a54256cecb64dc9ba4510b1406f118f56c3f62e13085c2af46c56b2d1a6427878db63f901b4fd12095c8c96ace

Download Submit
\Users\Admin\ceueze.exe

Filesize
246KB

MD5
1c1c30ba0e708b39a96a6acfc160f52b

SHA1
a4ade18cd8a859598250502ce7da424096103da1

SHA256
65cd8d069222e43a813b38873dd77aa6bf575f95a5353a162a9e343d0d5d6c80

SHA512
59d5f33a791fc2d757f54b839642a04570a93592f80757bde604250f20688c11fc87e5da53104ad376124b4ba792029cfb716f87e3cb187aea86744008377389

Download Submit