4a11fd04dc004bf1c90d9d04f6310a37fe3f0b0465e43465aa41f2007e975efa

Analysis

max time kernel
161s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 07:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

10757f2e57df80122ab3e8b71d87dd63.exe
Size

192KB
MD5

10757f2e57df80122ab3e8b71d87dd63
SHA1

9987b14d6837becacfe0e308e2b43407249f9721
SHA256

4a11fd04dc004bf1c90d9d04f6310a37fe3f0b0465e43465aa41f2007e975efa
SHA512

3c305a6c1377267ccec218757cd7392256b28fde0906b7c37f2e865c8d0479e4e7e3ce994f8203eca89f0f2515f93e94c155d9ff420abc1599cbd730dd10e3f3
SSDEEP

3072:4zLLIxdvKuGr7t5qCRFSoRQg/yqs9Kf5L/SV5qK:giVCRFSoRQjC5L/hK

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	10757f2e57df80122ab3e8b71d87dd63.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jeuufa.exe

Executes dropped EXE 1 IoCs

pid	Process
2876	jeuufa.exe

Loads dropped DLL 2 IoCs

pid	Process
3060	10757f2e57df80122ab3e8b71d87dd63.exe
3060	10757f2e57df80122ab3e8b71d87dd63.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /o"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /k"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /f"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /h"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /r"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /v"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /w"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /a"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /d"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /n"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /y"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /p"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /x"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /i"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /s"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /m"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /t"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /l"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /c"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /z"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /e"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /u"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /q"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /j"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /b"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /g"	jeuufa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\jeuufa = "C:\\Users\\Admin\\jeuufa.exe /r"	10757f2e57df80122ab3e8b71d87dd63.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3060	10757f2e57df80122ab3e8b71d87dd63.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe
2876	jeuufa.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3060	10757f2e57df80122ab3e8b71d87dd63.exe
2876	jeuufa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2876	3060	10757f2e57df80122ab3e8b71d87dd63.exe	28
PID 3060 wrote to memory of 2876	3060	10757f2e57df80122ab3e8b71d87dd63.exe	28
PID 3060 wrote to memory of 2876	3060	10757f2e57df80122ab3e8b71d87dd63.exe	28
PID 3060 wrote to memory of 2876	3060	10757f2e57df80122ab3e8b71d87dd63.exe	28

C:\Users\Admin\AppData\Local\Temp\10757f2e57df80122ab3e8b71d87dd63.exe
"C:\Users\Admin\AppData\Local\Temp\10757f2e57df80122ab3e8b71d87dd63.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\jeuufa.exe
  "C:\Users\Admin\jeuufa.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\jeuufa.exe

Filesize
57KB

MD5
6a601a321154f010b5ceea55c0fd22a9

SHA1
53109fdf8c2cf3884d71176cb2b35211efe907b3

SHA256
a7ed9fe8b46fa7152b8dd253a178ec471ae4b4792a25470c58373b992e7611fb

SHA512
b99397e59b1aa96e8af1f6a67f236ca513eea40804840e90b3f7bfbd7e3929a923413b6e898d93166dce4636d6683218358f9e07a94aab1c5e9b07be905fb7c7

Download Submit
C:\Users\Admin\jeuufa.exe

Filesize
192KB

MD5
10757f2e57df80122ab3e8b71d87dd63

SHA1
9987b14d6837becacfe0e308e2b43407249f9721

SHA256
4a11fd04dc004bf1c90d9d04f6310a37fe3f0b0465e43465aa41f2007e975efa

SHA512
3c305a6c1377267ccec218757cd7392256b28fde0906b7c37f2e865c8d0479e4e7e3ce994f8203eca89f0f2515f93e94c155d9ff420abc1599cbd730dd10e3f3

Download Submit
C:\Users\Admin\jeuufa.exe

Filesize
110KB

MD5
baf61f97da86986c30b778de2a8286d6

SHA1
c2c002b90743878b89ee2e3dfbdcb4c83b952b7f

SHA256
77edf264363a8d7ebf53129390b4eefd727dfff9202adf5d1e6eac93e457a801

SHA512
36109c120855e6742cb780d5d975ec4b172610bae61dad1a750f8df56624e098547cd08599a77e25270f5e228d8fb80b991a9ccf8f19e786025578c2436b2456

Download Submit
\Users\Admin\jeuufa.exe

Filesize
54KB

MD5
9e9cab023f29e9139b5489f3ddd070bf

SHA1
6f752a521d6d8c3d2183ee356bc5c45777b5f17d

SHA256
36d8771baac696c8587750587931753e44d0285edf24cb6e65b02f9790d8378b

SHA512
024fbd139569e3f9ad7bbc240b0bb56e779e914da982bb9d053b556c370bd54ba79ea1840e21df6d73ee198867b78886fc35bb847e17681aae990d5465f0b631

Download Submit
\Users\Admin\jeuufa.exe

Filesize
110KB

MD5
3594d647ada722ad823c6df99a456af4

SHA1
136a8c69ed378032308030f7135cc6c4374cb161

SHA256
fc3909b686df87313718d2c3d45c168464484c348fbfc990fdba935288e95235

SHA512
3b26dda35121b7789a4f81e880d77a25255b8f7e1f898abe75ccec14fb156a94bf779a41f86ce38a0135f291a3e1ddbad62bb65a1f7c1df400da6ab87a9a8210

Download Submit