Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-12-2023 03:28
Static task: static1
Behavioral task: behavioral1
- Sample: 26607182708f0d40b90568727e4def26.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 26607182708f0d40b90568727e4def26.exe
- Resource: win10v2004-20231215-en
General
- Target: 26607182708f0d40b90568727e4def26.exe
- Size: 240KB
- MD5: 26607182708f0d40b90568727e4def26
- SHA1: 2f28d204ed97eb11aef2ca6bf6413892f26f6d49
- SHA256: 19c149d633702c96a7154c2d175c5af4b0934d87c43aeb6fde15159979e75589
- SHA512: 1e0340bba627aee9ddd2004c692908290b4b98b6069d28426c4919cc667611d8b267a97787e7bab00c895d46fb55b4325eb628d55191b1788fd4ed5dcf335319
- SSDEEP: 6144:ZU343dwqsNwemAB0EqxF6snji81RUinKchhyNSQ:IidQQJs0
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 26607182708f0d40b90568727e4def26.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vaaoka.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | 26607182708f0d40b90568727e4def26.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2520 | vaaoka.exe
- Adds Run key to start application (2 TTPs, 27 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /o" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /m" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /z" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /k" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /f" | 26607182708f0d40b90568727e4def26.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /f" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /a" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /n" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /b" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /u" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /q" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /h" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /y" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /c" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /x" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /j" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /s" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /l" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /i" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /g" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /e" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /t" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /p" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /w" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /r" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /v" | vaaoka.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vaaoka = "C:\\Users\\Admin\\vaaoka.exe /d" | vaaoka.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | occurrences
  2984 | 26607182708f0d40b90568727e4def26.exe | 2
  2520 | vaaoka.exe | 62
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2984 | 26607182708f0d40b90568727e4def26.exe
  2520 | vaaoka.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2984 wrote to memory of 2520 | 2984 | 26607182708f0d40b90568727e4def26.exe | 94
  PID 2984 wrote to memory of 2520 | 2984 | 26607182708f0d40b90568727e4def26.exe | 94
  PID 2984 wrote to memory of 2520 | 2984 | 26607182708f0d40b90568727e4def26.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\26607182708f0d40b90568727e4def26.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\26607182708f0d40b90568727e4def26.exe"
  PID: 2984
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\vaaoka.exe (child of PID 2984)
    Command line: "C:\Users\Admin\vaaoka.exe"
    PID: 2520
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 240KB
  MD5: 4b2c37e4693e9e67a35ed3f383f67046
  SHA1: 5a613a564dfc3b1d4b36a10367175070f11e9977
  SHA256: aa697b15805747b5c247bca219535015ae1acaf8b32d3349d70b93be5f337685
  SHA512: e89b01d4d123902e8720e7dad0178192829b896adfa1f3935e561e1b4d2db3af6c4fdadfbdef583e2ad491795279a4d445aef18d5492f0ae00aebc47ced2e064