Analysis
- max time kernel: 143s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-01-2024 18:14
Static task: static1
Behavioral task: behavioral1
- Sample: f2b581bd01b5c6df772737c6399fec02.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: f2b581bd01b5c6df772737c6399fec02.exe
- Resource: win10v2004-20231215-en
General
- Target: f2b581bd01b5c6df772737c6399fec02.exe
- Size: 256KB
- MD5: f2b581bd01b5c6df772737c6399fec02
- SHA1: a9dd8e0b7a35b9eb79eac5960e7a1b170c9387f9
- SHA256: 0eb673f0b537e7e9c7afeee664b738a4027f8ec0d3a3040ada40725529f5c62d
- SHA512: e1d4ab0ba3778e25d540f0093e96e536914a9dd60102c6e775b666e26d2358838ac6cdb4531d6a944ff2ea3b816486c5464af7e761ed6d5057d6b4617fe3b3f2
- SSDEEP: 6144:WBawbQXn2J5V2aWOKojDOgbTnNkyjZjjO:WAwbQWoOKojDOgbTNku
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | daoukaz.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | f2b581bd01b5c6df772737c6399fec02.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | f2b581bd01b5c6df772737c6399fec02.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  1608 | daoukaz.exe
- Adds Run key to start application (2 TTPs, 27 IoCs)
  All 27 entries are "Set value (str)" writes to the same value, \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\daoukaz; the data written and the writing process are listed in the order reported:
  ioc (value data) | Process
  "C:\\Users\\Admin\\daoukaz.exe /q" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /y" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /p" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /z" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /w" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /e" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /i" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /b" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /f" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /s" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /m" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /o" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /c" | f2b581bd01b5c6df772737c6399fec02.exe
  "C:\\Users\\Admin\\daoukaz.exe /h" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /a" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /n" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /d" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /t" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /x" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /v" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /j" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /k" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /c" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /u" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /l" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /g" | daoukaz.exe
  "C:\\Users\\Admin\\daoukaz.exe /r" | daoukaz.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  5016 | f2b581bd01b5c6df772737c6399fec02.exe (first 2 entries)
  1608 | daoukaz.exe (all remaining entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  5016 | f2b581bd01b5c6df772737c6399fec02.exe
  1608 | daoukaz.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 5016 wrote to memory of 1608 | 5016 | f2b581bd01b5c6df772737c6399fec02.exe | 93
  PID 5016 wrote to memory of 1608 | 5016 | f2b581bd01b5c6df772737c6399fec02.exe | 93
  PID 5016 wrote to memory of 1608 | 5016 | f2b581bd01b5c6df772737c6399fec02.exe | 93
Processes
- C:\Users\Admin\AppData\Local\Temp\f2b581bd01b5c6df772737c6399fec02.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f2b581bd01b5c6df772737c6399fec02.exe"
  PID: 5016
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\daoukaz.exe (child process)
    Command line: "C:\Users\Admin\daoukaz.exe"
    PID: 1608
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 106KB
  MD5: c3106bf6bd89549ab61098a341c7aff3
  SHA1: 2db15d5bf4ba91a70ab3d0c16bb252dc30874e06
  SHA256: 4add51ce87f4be6d9b76aa61ba01009a2691a3ea73010085d2bdd6012edf49e9
  SHA512: 37fffdcf1caf13cd1696a84df8ab88396bc348babdffcdfe74c04c0fad46bd3cbeab015e6f36b316f091e555f0bbf4068e2d208fb5eeb8275e91294ce72467de
- Filesize: 256KB
  MD5: c2b964f7899aa208cd55b07e56d56e87
  SHA1: c1b7b54d15c030783a92593c980371b9f45e7b74
  SHA256: 33746e9c96ea01fa8c8ef6477ead4ac22c2329735f78964abbd060aeb2fa97cd
  SHA512: a70d3ee5e3287250304f4aa64a55a112390e5be5034604266063e24a94aec5291a367ce91046b756a8996d708ef800cf6de07f8357657c609c162f9562439d1c
- Filesize: 64KB
  MD5: d25220339f9129604e33dfe3579ca23c
  SHA1: c5358170aa72fe33df82b024ba0802b8d7207515
  SHA256: 0b874b3f214edd80ca8139f461fce66a61513d2f9d0a90011e3d384ff75fed82
  SHA512: d2e6cc6322a0f1bf8dac3786203652cbf852cb5e30f961f4da53ecf02ed8360caa3f5434c4ef87f2294dbee4c79d7dc05934bd8d74306057aa835743358b02e9