9842285a693ace52b68524bf03b31df13483e969085db88e79b5eceaa9b69fbe

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

559ffeb585d72a19a71befab8fd72ad3.exe
Size

160KB
MD5

559ffeb585d72a19a71befab8fd72ad3
SHA1

6eab325d0f34a7f8b7b4dcc37546cf193e0d6713
SHA256

9842285a693ace52b68524bf03b31df13483e969085db88e79b5eceaa9b69fbe
SHA512

b6546d160ccf430d64ed983474805b683afed23fd304e192796537c9a0acd50e97ef1e9a213de87e7ed6e309827073992085fe8de703ad46770d5ded9cea8c49
SSDEEP

3072:SGCbZSukOY8hrJFVNM/N/5sfqDfwqfEei:lork6hrJ3NON/5sGoei

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	559ffeb585d72a19a71befab8fd72ad3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	touiza.exe

Executes dropped EXE 1 IoCs

pid	Process
2188	touiza.exe

Loads dropped DLL 2 IoCs

pid	Process
1052	559ffeb585d72a19a71befab8fd72ad3.exe
1052	559ffeb585d72a19a71befab8fd72ad3.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /U"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /E"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /i"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /Q"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /j"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /V"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /Q"	559ffeb585d72a19a71befab8fd72ad3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /I"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /v"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /l"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /H"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /R"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /M"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /A"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /Z"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /K"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /w"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /r"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /k"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /T"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /P"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /n"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /p"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /a"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /e"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /O"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /m"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /d"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /L"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /u"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /z"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /g"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /X"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /t"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /S"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /q"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /h"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /b"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /c"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /C"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /J"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /o"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /D"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /F"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /W"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /G"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /Y"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /B"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /N"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /x"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /f"	touiza.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\touiza = "C:\\Users\\Admin\\touiza.exe /y"	touiza.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1052	559ffeb585d72a19a71befab8fd72ad3.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe
2188	touiza.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1052	559ffeb585d72a19a71befab8fd72ad3.exe
2188	touiza.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 2188	1052	559ffeb585d72a19a71befab8fd72ad3.exe	28
PID 1052 wrote to memory of 2188	1052	559ffeb585d72a19a71befab8fd72ad3.exe	28
PID 1052 wrote to memory of 2188	1052	559ffeb585d72a19a71befab8fd72ad3.exe	28
PID 1052 wrote to memory of 2188	1052	559ffeb585d72a19a71befab8fd72ad3.exe	28

C:\Users\Admin\AppData\Local\Temp\559ffeb585d72a19a71befab8fd72ad3.exe
"C:\Users\Admin\AppData\Local\Temp\559ffeb585d72a19a71befab8fd72ad3.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\touiza.exe
  "C:\Users\Admin\touiza.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\touiza.exe

Filesize
92KB

MD5
3e3143b0ed2e47ecdc0a14b30f576219

SHA1
a486f2d4429f8c497780c68c75573118b699d537

SHA256
d0c3afa02a28f35e600de86f8bacc763d8a7c3a5b2135c2b842612fe99e06d9e

SHA512
4e0bcf7b7ba0a75f239a8296f61bcdaa4dece91e238ae286053b79e2a47a243ef34288c3d99462d4606ee2650b6019e2f20b384a8bfb4e7bcf79bad8570796c0

Download Submit
C:\Users\Admin\touiza.exe

Filesize
160KB

MD5
24052566c4ca60d32daf791fd233a4aa

SHA1
8149cfc62f08d14bcc6a43f93a4b0b680ad83946

SHA256
a89a75c26a0dac3b1b1903d12c16c8ea1eba4c38e91be5afd800d22212855ad4

SHA512
e71e6314bd33377db55575f2a26e63fc0093931d93b238aa85a5a2c04ca9ea90f96931e4534a2f54607df7a476c3f5c84b5bb48271eeb7fcebea2a225a88df56

Download Submit
\Users\Admin\touiza.exe

Filesize
96KB

MD5
a9606328272de54942b6439c624a6804

SHA1
1575771853d6eef6d14a3eb2f6bc3075ae58849a

SHA256
00bcbb356543029753a7a159b12f24183666456b8963ddc5a4150f79ab79deb0

SHA512
636abdd9441199e2a0dfdd2bcadfb2f0e5abb65262baccffe59d08176977aa27e1dcd1a379296efcf238c0a27b4233d85557650fac09382e4b5621cfc8c4650f

Download Submit
memory/1052-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1052-15-0x00000000033F0000-0x000000000341F000-memory.dmp

Filesize
188KB

Download
memory/1052-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1052-20-0x00000000033F0000-0x000000000341F000-memory.dmp

Filesize
188KB

Download
memory/1052-21-0x00000000033F0000-0x000000000341F000-memory.dmp

Filesize
188KB

Download
memory/2188-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download