Analysis
-
max time kernel
149s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
25-12-2023 13:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
237174cd4363f3d3355102e1da29126a.exe
Resource
win7-20231215-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
237174cd4363f3d3355102e1da29126a.exe
Resource
win10v2004-20231222-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
237174cd4363f3d3355102e1da29126a.exe
-
Size
108KB
-
MD5
237174cd4363f3d3355102e1da29126a
-
SHA1
2162f6a590721c3838a472fce27d09bbaab4a7a8
-
SHA256
38fdebcb05a196d604ffd3646a3336585ab90d7e0d8b20bab5c12f318ab694a3
-
SHA512
5a5c3c54b0823eb508ce6f55ee9ca4adf58be504da3aeedc17fcf432a265e0d87f2b1c1c61600ba9d145315604aec8fb599018b57823574c5885094ee9002a1d
-
SSDEEP
1536:MBPKiB6oQ7Lh5+sXmNt0ttJPXLq0zTrkC:0PmoIeZt0XTzToC
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 237174cd4363f3d3355102e1da29126a.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" raeeluz.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation 237174cd4363f3d3355102e1da29126a.exe -
Executes dropped EXE 1 IoCs
pid Process 4592 raeeluz.exe -
Adds Run key to start application 2 TTPs 27 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /t" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /x" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /f" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /z" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /n" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /a" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /y" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /r" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /l" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /w" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /p" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /i" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /p" 237174cd4363f3d3355102e1da29126a.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /b" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /h" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /m" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /c" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /o" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /k" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /s" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /u" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /j" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /q" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /g" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /e" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /d" raeeluz.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raeeluz = "C:\\Users\\Admin\\raeeluz.exe /v" raeeluz.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4248 237174cd4363f3d3355102e1da29126a.exe 4248 237174cd4363f3d3355102e1da29126a.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe 4592 raeeluz.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4248 237174cd4363f3d3355102e1da29126a.exe 4592 raeeluz.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4248 wrote to memory of 4592 4248 237174cd4363f3d3355102e1da29126a.exe 91 PID 4248 wrote to memory of 4592 4248 237174cd4363f3d3355102e1da29126a.exe 91 PID 4248 wrote to memory of 4592 4248 237174cd4363f3d3355102e1da29126a.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\237174cd4363f3d3355102e1da29126a.exe"C:\Users\Admin\AppData\Local\Temp\237174cd4363f3d3355102e1da29126a.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Users\Admin\raeeluz.exe"C:\Users\Admin\raeeluz.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4592
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
108KB
MD5e27cdb22d7611e4cecc94838e5a15aca
SHA15cbce31725dbb32363becf7fdb7d660393441050
SHA256328e58f6fab5ace872ec3ab5b4754ee0f82d4845b6df9a80a615ebec66be4ed9
SHA5129b5a628c4d015d4b70157bdae908f0bc43b188b84a5399e623629a55f18c5535b6222bf7c85c1856dabef8ada595f8a36c99427f33f70f2e555110531bbb3414