0da7f3696f6be0d279ea7b27a096d411bb24624c6bdfff94cba505c96be9715e

Analysis

max time kernel
169s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1414899745a51fbc4a944b94d98d788b.exe
Size

244KB
MD5

1414899745a51fbc4a944b94d98d788b
SHA1

6423e1703f3bc46d480b1422be3c5fb1c82cc683
SHA256

0da7f3696f6be0d279ea7b27a096d411bb24624c6bdfff94cba505c96be9715e
SHA512

c9099cb72264ec1b30e3810797013c9e47b1b9df952fc30137d2b39d192ca80277a8d7a0f085ec5dd51e32dff649de0233fe3bd4b0f745de67538794bcdda0fb
SSDEEP

6144:J5Es5EzPLrs7CZIQtVpoY85spRMWLwDE3C5gn9OD4u9Xb:J5EsALiC2QtVpoU3dyL

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cuuquap.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	1414899745a51fbc4a944b94d98d788b.exe

Executes dropped EXE 1 IoCs

pid	Process
2928	cuuquap.exe

Adds Run key to start application 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /n"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /X"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /K"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /P"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /j"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /G"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /g"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /E"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /I"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /M"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /Y"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /m"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /h"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /A"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /l"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /Q"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /r"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /U"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /N"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /o"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /T"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /s"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /q"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /p"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /t"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /e"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /d"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /L"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /B"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /C"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /R"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /V"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /a"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /x"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /w"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /O"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /i"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /J"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /c"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /D"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /F"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /k"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /Z"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /z"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /S"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /v"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /y"	cuuquap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cuuquap = "C:\\Users\\Admin\\cuuquap.exe /u"	cuuquap.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe
2928	cuuquap.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3532	1414899745a51fbc4a944b94d98d788b.exe
2928	cuuquap.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 2928	3532	1414899745a51fbc4a944b94d98d788b.exe	97
PID 3532 wrote to memory of 2928	3532	1414899745a51fbc4a944b94d98d788b.exe	97
PID 3532 wrote to memory of 2928	3532	1414899745a51fbc4a944b94d98d788b.exe	97

C:\Users\Admin\AppData\Local\Temp\1414899745a51fbc4a944b94d98d788b.exe
"C:\Users\Admin\AppData\Local\Temp\1414899745a51fbc4a944b94d98d788b.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Users\Admin\cuuquap.exe
  "C:\Users\Admin\cuuquap.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\cuuquap.exe

Filesize
244KB

MD5
c5a47ed297c2d3dbdf69c5eda489c715

SHA1
f146fdc56311412c2fd6f8145b34d53b99c54099

SHA256
d2d6ac3c4d99fe6d8d4208af09440980b58309fd1b5cb1d0177d5efe8e9373fb

SHA512
5ab82f52efdba04dca128dc8f1fb876b3e8fc06fabea128df196621a4e46b438c291c68948263d1ebc9a73f7ecf4793fe006f72114cfd95fa729e465709ca3f6

Download Submit