02e7b50f01aeb7753ed04ef92daf0a52153e862a3d82760ff00830659fd9cf90

Analysis

max time kernel
151s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a601d0f3c9489f0fcafb2e745ee3687.exe
Size

84KB
MD5

0a601d0f3c9489f0fcafb2e745ee3687
SHA1

7338d3ff773cfc7a49d73dabb79515c4dd61942a
SHA256

02e7b50f01aeb7753ed04ef92daf0a52153e862a3d82760ff00830659fd9cf90
SHA512

586a0042670070b8726b548564a94af85f4729a95be99582b39d6431e5016da13f3a3c2b2e4eff689118c7c9e1b4001c8fae55553c2db4ff21218c8d670cedeb
SSDEEP

768:p0Oglemuec4OdJNUC1x2avPPpykILkGuIBLP3nxD7TONoap55VSFJ0T72mZCcLX:pPglnZOdUCJwVuYipwFJ0T72mocT

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	reumeog.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0a601d0f3c9489f0fcafb2e745ee3687.exe

Executes dropped EXE 1 IoCs

pid	Process
2704	reumeog.exe

Loads dropped DLL 2 IoCs

pid	Process
2016	0a601d0f3c9489f0fcafb2e745ee3687.exe
2016	0a601d0f3c9489f0fcafb2e745ee3687.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /s"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /o"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /n"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /i"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /m"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /l"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /f"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /k"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /p"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /y"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /a"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /x"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /e"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /j"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /u"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /q"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /c"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /m"	0a601d0f3c9489f0fcafb2e745ee3687.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /d"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /g"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /v"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /h"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /r"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /t"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /z"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /w"	reumeog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\reumeog = "C:\\Users\\Admin\\reumeog.exe /b"	reumeog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2016	0a601d0f3c9489f0fcafb2e745ee3687.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe
2704	reumeog.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2016	0a601d0f3c9489f0fcafb2e745ee3687.exe
2704	reumeog.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2704	2016	0a601d0f3c9489f0fcafb2e745ee3687.exe	28
PID 2016 wrote to memory of 2704	2016	0a601d0f3c9489f0fcafb2e745ee3687.exe	28
PID 2016 wrote to memory of 2704	2016	0a601d0f3c9489f0fcafb2e745ee3687.exe	28
PID 2016 wrote to memory of 2704	2016	0a601d0f3c9489f0fcafb2e745ee3687.exe	28

C:\Users\Admin\AppData\Local\Temp\0a601d0f3c9489f0fcafb2e745ee3687.exe
"C:\Users\Admin\AppData\Local\Temp\0a601d0f3c9489f0fcafb2e745ee3687.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\reumeog.exe
  "C:\Users\Admin\reumeog.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\reumeog.exe

Filesize
44KB

MD5
1073b6adba640027497b14f83db2046f

SHA1
9b59e9f675979f114982d35f84afe86c967d1d52

SHA256
75dab8490fe04abf060352d5d611c4af6b4a5800d49e0af214e172d37f251b63

SHA512
94d47d7876d68a7dea620be21e71435713ed49f3e354f9b9d36f93be78ed34e9e1b5696360b4de16131efde52264c61952a7c9bf0c9261c0fa8c943448707d9c

Download Submit
C:\Users\Admin\reumeog.exe

Filesize
21KB

MD5
2f29c77cea5b4a18fe63ed64faa9d037

SHA1
63eddbb94c2f150ae246971b280bb8dfd2aecc16

SHA256
52689fc0b10b8d4dd477d1e16e142784c1f312c7ca20c042ea0a97eef7509c7d

SHA512
2565216e5410d343cb61c97b052c1c1619349f5240db1cd363c681b99ed2a276fe7f22e7abb7eb0514f30d8289e8d3caf0d0c25550cc488c003fc73e36602e37

Download Submit
C:\Users\Admin\reumeog.exe

Filesize
45KB

MD5
03a5f306d67e0c4a3a565802d33fed15

SHA1
9bc86851dfa47a3b35821b89e7bf886aa263cc6b

SHA256
9f2f9639ffe878abf9a79bdb49f03d6dfaa1beceff146787277f43fdb1a5accc

SHA512
1a2269c02e06fd54afeaaecc3250a7199f28161e6a6603763a3b7767cfcd91e14f1a4b3a0aedc9d087dc7a794b7720c9d340ce12202fca3c98c9acf090c35cb2

Download Submit
\Users\Admin\reumeog.exe

Filesize
76KB

MD5
1c73333b3094577968e3d37cc5d72208

SHA1
ba3a99fd686cd27610b5008dc614fcba4467e7ad

SHA256
15bea50c9188f10546c1ff6be27be1d77d17f2149a12b3ca4c4d9347b2a6abdb

SHA512
ad852c996c8793dc5626ccf28019e50fa6b13db9d0a94f15befcb1e001a5bb1eddec7361e1c3f183725fc708d0264c3f3aff4e0dfdf68b652b8eeac3d3b6335b

Download Submit
\Users\Admin\reumeog.exe

Filesize
74KB

MD5
b5975ad146cb305573fa64c465093e17

SHA1
2a7fa860050d43af5620641d7ed0f3adcbc0be9b

SHA256
03168e2139efde0ee566895a1898e74fee24dff3d171e1f439960ff55adcd256

SHA512
466133a77c942cbc0383d150fae8375b6981a1af57d10ab3cdb8df9e9fe561aba3dd20a201e6eff33c0257dbf6db242468dadfd25268a858c2e1b8979f43ce4d

Download Submit