Analysis
- max time kernel: 149s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-12-2023 04:00
Static task: static1
Behavioral task: behavioral1
- Sample: 52722ef3b61a589bfd5c1cb656326f28.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 52722ef3b61a589bfd5c1cb656326f28.exe
- Resource: win10v2004-20231215-en
General
- Target: 52722ef3b61a589bfd5c1cb656326f28.exe
- Size: 296KB
- MD5: 52722ef3b61a589bfd5c1cb656326f28
- SHA1: 726b4fce9cb2ac3ed182a10087a6609e36e1573a
- SHA256: 6dd6637c3d4f23f97317d7ebb0aba37d6ebaa211e34b0dd35af2350328c8d34f
- SHA512: e3f6b9d1f63ad73c91e5243ce89be5e0dbd2a5a9431942beb0866073b0c290dfb0f402c13964db0427744b64e9ca49dd1c9901e7e09f54da1117357c7602fb6a
- SSDEEP: 6144:IzMlxFRBhqb7IT4pO6JK/fObT/bGiWtBcMf1YUQiCgfAJDq2ijxLzOwkz:WcxFRQ7IT4pO6JK/fObT/bGiWt/YUQi4
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  ShowSuperHidden = 0 turns off the display of protected operating-system files in Explorer.
  Key: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
  - Set value (int) = "0" by 52722ef3b61a589bfd5c1cb656326f28.exe
  - Set value (int) = "0" by mauxib.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation by 52722ef3b61a589bfd5c1cb656326f28.exe
- Executes dropped EXE (1 IoC)
  - PID 4276 mauxib.exe
- Adds Run key to start application (2 TTPs, 52 IoCs)
  All 52 writes target the same value; only the command-line switch differs between writes.
  Key: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mauxib (type: str)
  Data: "C:\\Users\\Admin\\mauxib.exe /<switch>", where <switch> is a single upper- or lower-case letter
  - Written by 52722ef3b61a589bfd5c1cb656326f28.exe (1 write): /p
  - Written by mauxib.exe (51 writes, in observed order): /H /K /n /t /R /f /P /v /k /i /c /M /l /Y /T /m /w /x /o /s /G /z /D /U /e /C /I /q /S /a /V /p /r /O /F /b /j /J /E /X /g /d /A /W /B /Q /L /Z /h /y /u
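The Run-key section above is 52 near-identical registry writes, which is tedious to read by eye and easy to mis-transcribe into a hunt. The following Python is an added example for this report, not sandbox output: it parses IoC rows in the report's own `Set value (<type>) <key> = "<data>" <process>` format, strips the per-user SID so the key compares across hosts as an HKCU-relative path, groups the Run-key writes by writer and switch, flags the ShowSuperHidden = 0 change, and emits `reg query` commands for the same indicators on a live host. The four sample rows are copied from this report; the assumption that the autostart binary path contains no " /", and the shape of the hunt commands, are mine.

```python
"""Turn sandbox registry IoC rows into persistence indicators and hunt commands.

Added example for this report; not sandbox output. SAMPLE_IOCS holds four rows
copied from the Signatures section (three Run-key writes, one ShowSuperHidden write).
"""
import json
import re
from collections import defaultdict

# Constructed sample: rows copied from the report, not all 54 registry writes.
SAMPLE_IOCS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mauxib = "C:\\Users\\Admin\\mauxib.exe /H" mauxib.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mauxib = "C:\\Users\\Admin\\mauxib.exe /p" 52722ef3b61a589bfd5c1cb656326f28.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mauxib = "C:\\Users\\Admin\\mauxib.exe /u" mauxib.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" mauxib.exe
"""

# One IoC row: Set value (<type>) <key path> = "<data>" <writing process>
IOC_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\\S+) = "(?P<data>[^"]*)" (?P<process>\S+)$'
)
# \REGISTRY\USER\<SID>\... is the kernel-side name of that user's HKCU hive.
USER_HIVE_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+(\\.*)$")
RUN_KEY = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
SHOW_SUPER_HIDDEN = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden"


def parse_ioc_line(line):
    """Return a dict for one IoC row, or None if the line is not in that format."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    ioc = m.groupdict()
    # The sandbox prints backslashes inside string data doubled; undo that.
    ioc["data"] = ioc["data"].replace("\\\\", "\\")
    return ioc


def hkcu_relative(path):
    """Strip the per-user SID prefix so the key compares across hosts; other hives pass through."""
    m = USER_HIVE_RE.match(path)
    return m.group(1) if m else path


def summarise(text):
    """Group Run-key writes by value name, writer and switch; flag ShowSuperHidden = 0."""
    run = defaultdict(lambda: {"binary": None, "switches": set(), "writers": defaultdict(int)})
    hidden_files_disabled = False
    writers = set()
    for line in text.splitlines():
        ioc = parse_ioc_line(line)
        if ioc is None:
            continue
        writers.add(ioc["process"])
        rel = hkcu_relative(ioc["path"])
        if rel.lower().startswith(RUN_KEY.lower()):
            name = rel[len(RUN_KEY):]
            # Assumption: the autostart binary path itself contains no " /".
            binary, _, args = ioc["data"].partition(" /")
            entry = run[name]
            entry["binary"] = binary
            if args:
                entry["switches"].add("/" + args)
            entry["writers"][ioc["process"]] += 1
        elif rel.lower() == SHOW_SUPER_HIDDEN.lower() and ioc["data"] == "0":
            hidden_files_disabled = True
    return {
        "writers": sorted(writers),
        "hidden_files_disabled": hidden_files_disabled,
        "run_entries": {
            name: {
                "binary": e["binary"],
                "switches": sorted(e["switches"]),
                "writers": dict(e["writers"]),
            }
            for name, e in run.items()
        },
    }


def hunt_commands(summary):
    """reg.exe queries for the indicators found (hypothetical hunt-playbook shape)."""
    cmds = [
        f'reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v {name}'
        for name in summary["run_entries"]
    ]
    if summary["hidden_files_disabled"]:
        cmds.append(
            'reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" /v ShowSuperHidden'
        )
    return cmds


if __name__ == "__main__":
    result = summarise(SAMPLE_IOCS)
    print(json.dumps(result, indent=2))
    print("\n".join(hunt_commands(result)))
```

Feeding the whole Signatures section through `summarise` instead of the four sample rows gives one Run entry (`mauxib`) with 52 writes split 1/51 between the two processes, which is the shape a hunt needs: one value name and one binary path to check, regardless of which switch letter the sample happened to write.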
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 2072 52722ef3b61a589bfd5c1cb656326f28.exe: 2 hits
  - PID 4276 mauxib.exe: the remaining 62 hits
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - PID 2072 52722ef3b61a589bfd5c1cb656326f28.exe
  - PID 4276 mauxib.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 2072 (52722ef3b61a589bfd5c1cb656326f28.exe) wrote to memory of PID 4276, procid_target 94, three times
Processes
1. C:\Users\Admin\AppData\Local\Temp\52722ef3b61a589bfd5c1cb656326f28.exe (PID 2072)
   Command line: "C:\Users\Admin\AppData\Local\Temp\52722ef3b61a589bfd5c1cb656326f28.exe"
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\mauxib.exe (PID 4276), child of PID 2072
      Command line: "C:\Users\Admin\mauxib.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  Filesize: 296KB
  MD5: b19dc81c361cd2c19d016cf51f334f15
  SHA1: fa5c80c966040dba20fae50ba83947feb0c8e583
  SHA256: 6d69d9e994dd1dd688a59255c1ce7c33d909a649d7085b7c23e27bbc03a7a257
  SHA512: 1ab1aa283a44ec0a791bb9af74bb18938414447645d6dc1d709ab6e463d0de00f274d15ec7fe7c3fe5d52ffee851a1f910707995a6b61942e96bd9fc463dc823
-
  Filesize: 92KB
  MD5: 2efef165b467c9015cae592d40add2e7
  SHA1: e37b7dd601343088d8e3dcb716a4eab14b50c3e1
  SHA256: 25a50e8809ed66b3da68e0a649689ec74c1e45bb80f0afa67be35678e73ee954
  SHA512: 99fbfef2df6cae82c332773d8758966f9fa4c2641c3c0efe89f53a65812b12962a9ca4713ea8ce71fee68e965e61d2fab2901f2ce96ca5c0b07909eee2c1451d