Analysis
max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/01/2024, 10:38
Static task: static1
Behavioral task: behavioral1
  Sample: 3c5b372aa33ebe20daab985078fe9ced.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 3c5b372aa33ebe20daab985078fe9ced.exe
  Resource: win10v2004-20231215-en
General
Target: 3c5b372aa33ebe20daab985078fe9ced.exe
Size: 244KB
MD5: 3c5b372aa33ebe20daab985078fe9ced
SHA1: 9da97e819f565b97c38d2736de7354bb97454e89
SHA256: 13d4a5a446c2804b756b9971fa915313dfcf6289950e271699c147620e3546e4
SHA512: 316543932c75a047552b5aabb6bebc3a7e5c43f119af60d77955bc2152ae0721c00a35d290e30fc81c4cba4e2a34ba9e559ed49e6729557123ffab8177d7cb3b
SSDEEP: 6144:gDa96e88OwUdQsgeb06QBUQ7+H6kKCnfXfRC:gm9EIUQDCn
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Process: vuogul.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation
Process: 3c5b372aa33ebe20daab985078fe9ced.exe
Executes dropped EXE (1 IoC)
pid: 2732
Process: vuogul.exe
Adds Run key to start application (2 TTPs, 50 IoCs)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuogul = "C:\\Users\\Admin\\vuogul.exe /<switch>"
Process: vuogul.exe
The same value is written 50 times, each time with a different single-letter switch, in this order:
/k /t /j /c /u /w /L /A /N /O /T /D /q /C /i /V /R /S /F /a /U /n /f /b /y /o /p /l /H /W /I /z /G /r /B /P /M /E /Q /Y /d /m /e /x /X /h /s /v /J /g
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid: 2732
Process: vuogul.exe
The same pid/process pair is reported for all 64 events.
Suspicious use of SetWindowsHookEx (2 IoCs)
pid 2480: 3c5b372aa33ebe20daab985078fe9ced.exe
pid 2732: vuogul.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description: PID 2480 wrote to memory of 2732
pid: 2480
Process: 3c5b372aa33ebe20daab985078fe9ced.exe
procid_target: 91
The same event is reported three times with identical fields.
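The registry IoCs above are printed by the sandbox as records run together on one line. The following is an added example, not part of the report or of the sample: a small Python parser for that record format and a triage pass that flags the three behaviours the report attributes to this run (a Run value pointing into a user profile, ShowSuperHidden set to 0, and the Geo\Nation lookup). The sample records are copied from the report; the matching rules (key suffixes and the "user-writable path" heuristic) are this example's own assumptions, not something the report states.

```python
"""Parse the registry IoC records a Triage-style sandbox report prints and flag
the persistence and evasion behaviours seen in this run (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# The report prints each registry event in one of these shapes, run together on
# a single line:
#   Set value (str) <key>\<name> = "<data>" <process>
#   Set value (int) <key>\<name> = "<data>" <process>
#   Key value queried <key>\<name> <process>
_OP_SPLIT = re.compile(r'(?=Set value \((?:str|int)\)|Key value queried)')
_OP_RE = re.compile(r'^(Set value \((?:str|int)\)|Key value queried)\s+(.*)$', re.S)
_CMDLINE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>\S+))\s*(?P<args>.*)$', re.S)

# Lower-cased key markers used for matching (assumed hunting rules, not part
# of the report).
RUN_KEY_MARKER = '\\software\\microsoft\\windows\\currentversion\\run\\'
SUPERHIDDEN_SUFFIX = '\\explorer\\advanced\\showsuperhidden'
GEO_SUFFIX = '\\control panel\\international\\geo\\nation'


def parse_records(text: str) -> List[Dict[str, Optional[str]]]:
    """Split run-together IoC text into {'op', 'path', 'data', 'process'} records."""
    records = []
    for chunk in _OP_SPLIT.split(text):
        m = _OP_RE.match(chunk.strip())
        if not m:
            continue  # leading junk before the first record
        op, rest = m.group(1), m.group(2).strip()
        data = None
        if ' = "' in rest:
            path, remainder = rest.split(' = "', 1)
            data, process = remainder.rsplit('"', 1)
            # the report doubles backslashes inside quoted data ("C:\\Users\\...")
            data = data.replace('\\\\', '\\')
        else:
            # query records have no data; the key may contain spaces ("Control Panel")
            path, process = rest.rsplit(None, 1)
        records.append({'op': op, 'path': path.strip(), 'data': data,
                        'process': process.strip()})
    return records


def split_command(data: str) -> Tuple[str, str]:
    """Separate the executable from its arguments in a Run-value command line."""
    m = _CMDLINE_RE.match(data)
    return (m.group('q') or m.group('u')), m.group('args').strip()


def triage(records: List[Dict[str, Optional[str]]]) -> Dict[str, object]:
    """Flag Run-key persistence, ShowSuperHidden=0 and the Geo\\Nation lookup."""
    findings = {'run_persistence': [], 'hides_system_files': False, 'geo_lookup': False}
    for r in records:
        path_l = r['path'].lower()
        if r['op'].startswith('Set value') and RUN_KEY_MARKER in path_l:
            exe, args = split_command(r['data'] or '')
            findings['run_persistence'].append({
                'value': r['path'].rsplit('\\', 1)[1],
                'exe': exe,
                'args': args,
                'process': r['process'],
                # a Run entry pointing into a user profile rather than Program Files
                # or Windows is the usual signature of a dropped payload
                'user_writable': exe.lower().startswith('c:\\users\\'),
            })
        elif r['op'].startswith('Set value') and path_l.endswith(SUPERHIDDEN_SUFFIX):
            findings['hides_system_files'] = r['data'] == '0'
        elif r['op'] == 'Key value queried' and path_l.endswith(GEO_SUFFIX):
            findings['geo_lookup'] = True
    return findings


# Constructed sample: five records copied from the report above, joined on one
# line exactly as the sandbox prints them.
_SID = 'S-1-5-21-2398549320-3657759451-817663969-1000'
_RUN = rf'\REGISTRY\USER\{_SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vuogul'
SAMPLE = ' '.join([
    rf'Set value (int) \REGISTRY\USER\{_SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" vuogul.exe',
    rf'Key value queried \REGISTRY\USER\{_SID}\Control Panel\International\Geo\Nation 3c5b372aa33ebe20daab985078fe9ced.exe',
    rf'Set value (str) {_RUN} = "C:\\Users\\Admin\\vuogul.exe /k" vuogul.exe',
    rf'Set value (str) {_RUN} = "C:\\Users\\Admin\\vuogul.exe /t" vuogul.exe',
    rf'Set value (str) {_RUN} = "C:\\Users\\Admin\\vuogul.exe /j" vuogul.exe',
])

if __name__ == '__main__':
    result = triage(parse_records(SAMPLE))
    for entry in result['run_persistence']:
        print('Run persistence:', entry)
    print('ShowSuperHidden disabled:', result['hides_system_files'])
    print('Geo\\Nation queried:', result['geo_lookup'])
```

Paste the full Run-key line from the report into `parse_records` and the same pass returns all 50 entries, with `args` showing the rotating switch; the executable and registry value stay constant, which is what a host-side hunt for `HKCU\...\Run` values pointing under `C:\Users\` would key on.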
Processes
1. C:\Users\Admin\AppData\Local\Temp\3c5b372aa33ebe20daab985078fe9ced.exe (PID 2480)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3c5b372aa33ebe20daab985078fe9ced.exe"
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\vuogul.exe (PID 2732, spawned by PID 2480)
      Command line: "C:\Users\Admin\vuogul.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 244KB
MD5: 6a469668fd2b345de69df02bec850f62
SHA1: 24865e9bf0d38dd9aab16d7c195c74b214f0c132
SHA256: 52497bc8838f1210a9d18f1179e43caee50399497eca87fa4984f98f902013c9
SHA512: 1e0f64a4991aab57a4ddf4325e2c5b59a81c006ec00354449646b2db183160bfa6990e01afc44f6c16c12d1a8c81b884e646210bef404d885373bdc0e56900e0