4a352be73356af419b78463a95d2ca6cf4799c89ac92f87a581ee50bb08fb69c

Analysis

max time kernel
175s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b2c83e6ce54abf1ffeca39c02ef6378.exe
Size

176KB
MD5

7b2c83e6ce54abf1ffeca39c02ef6378
SHA1

169bde615dd6b634a503a2ed5d9b75d656f1bda2
SHA256

4a352be73356af419b78463a95d2ca6cf4799c89ac92f87a581ee50bb08fb69c
SHA512

dbd4e112f1e9a99a54dd6e5ceea3a3003325f2cb0a7a1bea9c32b85e19f5bedaec584f83b151b5c14a84972bfa4cbaa7f5dc0405e3c48a47f2679704dd8f079c
SSDEEP

3072:6RlNSIcEGROnF5grgPmCXMNKiqMdMZZZZWMkIJOh:6g5tEMNIMdHYC

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	7b2c83e6ce54abf1ffeca39c02ef6378.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reasaez.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	7b2c83e6ce54abf1ffeca39c02ef6378.exe

Executes dropped EXE 1 IoCs

pid	Process
4516	reasaez.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /g"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /d"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /j"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /n"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /y"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /w"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /c"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /q"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /h"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /b"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /p"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /t"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /z"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /s"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /a"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /j"	7b2c83e6ce54abf1ffeca39c02ef6378.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /x"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /k"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /e"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /m"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /v"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /u"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /l"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /o"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /i"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /r"	reasaez.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reasaez = "C:\\Users\\Admin\\reasaez.exe /f"	reasaez.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2504	7b2c83e6ce54abf1ffeca39c02ef6378.exe
2504	7b2c83e6ce54abf1ffeca39c02ef6378.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe
4516	reasaez.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2504	7b2c83e6ce54abf1ffeca39c02ef6378.exe
4516	reasaez.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 4516	2504	7b2c83e6ce54abf1ffeca39c02ef6378.exe	91
PID 2504 wrote to memory of 4516	2504	7b2c83e6ce54abf1ffeca39c02ef6378.exe	91
PID 2504 wrote to memory of 4516	2504	7b2c83e6ce54abf1ffeca39c02ef6378.exe	91

C:\Users\Admin\AppData\Local\Temp\7b2c83e6ce54abf1ffeca39c02ef6378.exe
"C:\Users\Admin\AppData\Local\Temp\7b2c83e6ce54abf1ffeca39c02ef6378.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\reasaez.exe
  "C:\Users\Admin\reasaez.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\reasaez.exe

Filesize
176KB

MD5
0e89fa5414591435ff15222f4c19767c

SHA1
16a01a1fdb03783b06d125104a96d7f701d97c89

SHA256
66110cc8eefb2f8c63a03d2c3bf2229bd6d1c5eb07d842eeb18001ec7125195c

SHA512
b80a2eb01b2018b23265a5a59acb0536986ef6632d05d4db831aa191740518083dffa464ae0eb0dc613e64c5e959044b36a375fa769c9cbacb9de09a9c587bca

Download Submit
C:\Users\Admin\reasaez.exe

Filesize
31KB

MD5
fb726d36519e08445ff60ab352ca5a4f

SHA1
dbe3aae43b024e877b69e16de8b6f2e72a962aa8

SHA256
e8aa9072215027ad5035d7e9385f5ff2af7d6a3686128815b6c7e5c8c7d2faf5

SHA512
68ed5afb436a644c37f1aef1f76bed58864e797bc89a013996456bcbec9a6d2adf7f7c051284bee77dbd7052138cba4df28199d0eac8a2f7143f38a544d5713c

Download Submit
C:\Users\Admin\reasaez.exe

Filesize
81KB

MD5
ad6e6175939267da66d1d278236fff3f

SHA1
ff3012fb4131da9b71f0815d589e8328a65a8e0d

SHA256
c10e533b01691d8bd8842198c5728e0f79837bd8ff2b6a6f2679f9a4ab3597f7

SHA512
c3e45d5ef69c9bbc57108560fd02ecc45b713c40a64183599738947e7cceb835740e1769c3931dc2be686362754840a54e308fd12b81b6e22b5b24c83aa84a5d

Download Submit