4a283297db04768ed3aca094eb3809c7fb1d999ec23ceac76ed863c027679e9c

Analysis

max time kernel
18s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 06:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

483af4df1d32d0b42c2d2de96076b101.exe
Size

264KB
MD5

483af4df1d32d0b42c2d2de96076b101
SHA1

8d755ee5cde779bbc7a4e8d9b97f8bdf7724cfa0
SHA256

4a283297db04768ed3aca094eb3809c7fb1d999ec23ceac76ed863c027679e9c
SHA512

070221d677c0fe3247029a27aa056dd0c10841ba37ada3740d2185df8496b778e5cedb515fc01923d5afd890cadcceb8b6f05e903fa873aef810b95ba6123ff7
SSDEEP

3072:xPwtfawLngGi1zrmQG3SwRSxs7mb1GFbaXVDz0t7I0pjivk6CAxD34H:xotvjgd1vF3FxsfwtS7I0KbC

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	483af4df1d32d0b42c2d2de96076b101.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	saomun.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	483af4df1d32d0b42c2d2de96076b101.exe

Executes dropped EXE 1 IoCs

pid	Process
4468	saomun.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saomun = "C:\\Users\\Admin\\saomun.exe /w"	483af4df1d32d0b42c2d2de96076b101.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\saomun = "C:\\Users\\Admin\\saomun.exe /i"	saomun.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	saomun.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	saomun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	483af4df1d32d0b42c2d2de96076b101.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	483af4df1d32d0b42c2d2de96076b101.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	483af4df1d32d0b42c2d2de96076b101.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2056	483af4df1d32d0b42c2d2de96076b101.exe
2056	483af4df1d32d0b42c2d2de96076b101.exe
4468	saomun.exe
4468	saomun.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2056	483af4df1d32d0b42c2d2de96076b101.exe
4468	saomun.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 4468	2056	483af4df1d32d0b42c2d2de96076b101.exe	99
PID 2056 wrote to memory of 4468	2056	483af4df1d32d0b42c2d2de96076b101.exe	99
PID 2056 wrote to memory of 4468	2056	483af4df1d32d0b42c2d2de96076b101.exe	99

C:\Users\Admin\AppData\Local\Temp\483af4df1d32d0b42c2d2de96076b101.exe
"C:\Users\Admin\AppData\Local\Temp\483af4df1d32d0b42c2d2de96076b101.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\saomun.exe
  "C:\Users\Admin\saomun.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\saomun.exe

Filesize
264KB

MD5
483af4df1d32d0b42c2d2de96076b101

SHA1
8d755ee5cde779bbc7a4e8d9b97f8bdf7724cfa0

SHA256
4a283297db04768ed3aca094eb3809c7fb1d999ec23ceac76ed863c027679e9c

SHA512
070221d677c0fe3247029a27aa056dd0c10841ba37ada3740d2185df8496b778e5cedb515fc01923d5afd890cadcceb8b6f05e903fa873aef810b95ba6123ff7

Download Submit