28c54bf3f92960fcaac41ef5b6a124bf59b61d6345bbd7f688b248653a566d1e

General

Target

0cb63e215731038dc64c0af8f4d12b70.exe
Size

328KB
MD5

0cb63e215731038dc64c0af8f4d12b70
SHA1

6f037a75fa25877f928fad3dbdb21dc967e81dd0
SHA256

28c54bf3f92960fcaac41ef5b6a124bf59b61d6345bbd7f688b248653a566d1e
SHA512

314032aaac20b75d5d3b28b3a55a7811be816888bf5575b6fcaff4932bd2c88ccc424338b98233b12176ee441b9df05b3c4f2ef0fac6277d357c5b482317a267
SSDEEP

3072:0aS1jxKgNx+uD7mEVSuekhGkYrQRVZq3eFo4ejLnlQISQLpyhZu6qyKT4pS04/FT:knNxd2WGk1Y3nmQcuyKT4wLOdud

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0cb63e215731038dc64c0af8f4d12b70.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vijuq.exe

Executes dropped EXE 1 IoCs

pid	Process
2136	vijuq.exe

Loads dropped DLL 2 IoCs

pid	Process
2140	0cb63e215731038dc64c0af8f4d12b70.exe
2140	0cb63e215731038dc64c0af8f4d12b70.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\vijuq = "C:\\Users\\Admin\\vijuq.exe /t"	vijuq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\vijuq = "C:\\Users\\Admin\\vijuq.exe /b"	0cb63e215731038dc64c0af8f4d12b70.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2140	0cb63e215731038dc64c0af8f4d12b70.exe
2136	vijuq.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2140	0cb63e215731038dc64c0af8f4d12b70.exe
2136	vijuq.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2136	2140	0cb63e215731038dc64c0af8f4d12b70.exe	28
PID 2140 wrote to memory of 2136	2140	0cb63e215731038dc64c0af8f4d12b70.exe	28
PID 2140 wrote to memory of 2136	2140	0cb63e215731038dc64c0af8f4d12b70.exe	28
PID 2140 wrote to memory of 2136	2140	0cb63e215731038dc64c0af8f4d12b70.exe	28

C:\Users\Admin\AppData\Local\Temp\0cb63e215731038dc64c0af8f4d12b70.exe
"C:\Users\Admin\AppData\Local\Temp\0cb63e215731038dc64c0af8f4d12b70.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\vijuq.exe
  "C:\Users\Admin\vijuq.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\vijuq.exe

Filesize
25KB

MD5
b6da86b42f7a207f42b0ce84ba3b9f8e

SHA1
14aee2c2a1779f406c98d4dfc17d3216bd3ab695

SHA256
76730508b52b63e1c0ad41b1a21e9514fcb88abfbc5954107a6f27b106aa14b9

SHA512
14b110ba252b7e2e286b6d6b4942df6e06f0715342179279ebb2ba082168fb79e5fc026c86fd76fac5c0fa5a1575d2ce7d0318e883bf2c753ae37557682f1e04

Download Submit
C:\Users\Admin\vijuq.exe

Filesize
25KB

MD5
55bf9f6c613bf05d23419b95536cb938

SHA1
5295ef031ec2df1c4b6077f88ec423532b414ebf

SHA256
93f7db145a6ad5969b3cb4a7787e531a7ae15735afbe94a7affa977c5f76515f

SHA512
0288ffe53316e92c086f59ee7fe14b3e8df91cc4eed7278fa476cd74f288c3fc419d4e2aa8c4f74e7ec1efba7141645f2bfdd55c1b4c2d52b38579e93085d74b

Download Submit
C:\Users\Admin\vijuq.exe

Filesize
9KB

MD5
ac5a057a1ce4812b97b8038c0cc02b89

SHA1
d849c9e5e281e1211b38eec5dc2933e01cc25846

SHA256
8a041000894ef60ddf3e600b08f2915eb0610c5081d6021c0a244d73806f36dd

SHA512
e1f2789387c4df0d0572b46d2ed19acb175015427efff1e3f70bfcb9914317a225054abe7dd07b331d18af78a10a69d63b5f414e1af019e9c9e1aff5637b857b

Download Submit
\Users\Admin\vijuq.exe

Filesize
40KB

MD5
b9f1298d0591a81220e1d66d055acc65

SHA1
1733d38ae9c5dc9c2976622946de859e66669f9c

SHA256
1f435788d682990c205dcb8b09c2bf33381de8af873194f55c1ce43fd2960b25

SHA512
5a01edce46008e93010402d9c100bde5d8eabc110d2820bdf1e6f36ff3eb7e9652171ffdf9f2f2302742e49f033fcb024acd80f74ec53e42d3d725b24679b0aa

Download Submit
\Users\Admin\vijuq.exe

Filesize
1KB

MD5
194f77a9c12e6da50682dc4317b4c32f

SHA1
4a1fcb14f2111f2f2feaec586b3ab092b1f3e7eb

SHA256
f08e3dd2ef7dd958fd57711e5dd843f282f8c894c24f75915d4ca5236a8da6bf

SHA512
d5781a8499d655344a75d6fa6e17a54b2911c55cb376b3df48db227744419423d1439d3944e4693208d5a50b4c9bfee73aea11655a8e26efeb170b7fa7e653dd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads