715c181d49d1d0bc6ebeca610899357085ddab5417fec2c634a892c308453896

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef5e8f6f4944c9b9a7337c50be395070.exe
Size

92KB
MD5

ef5e8f6f4944c9b9a7337c50be395070
SHA1

cf2cb4e5f705043b8fc6f2d962128a08a345a7da
SHA256

715c181d49d1d0bc6ebeca610899357085ddab5417fec2c634a892c308453896
SHA512

a45a600a05e58d60ea064a636a81ef478575b7dcdc91009bd6e6f456abd215750a8910d3a2cdb87dd1430ae0e60ac2d1b19de241b0eeae2ccb1feeae4eadb0e5
SSDEEP

1536:5nbcxJWBy5jOJPGwMdKhwjzgnv/dvyvJvSvbvfvLMPHprna:FqJeoauIMP5a

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dooduv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	ef5e8f6f4944c9b9a7337c50be395070.exe

Executes dropped EXE 1 IoCs

pid	Process
3724	dooduv.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /k"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /n"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /B"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /Y"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /K"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /h"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /b"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /v"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /p"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /r"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /V"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /m"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /G"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /x"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /o"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /T"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /e"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /s"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /P"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /S"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /a"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /O"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /D"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /Q"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /N"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /U"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /F"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /H"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /X"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /c"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /w"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /J"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /R"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /g"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /I"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /W"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /u"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /M"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /z"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /d"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /A"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /L"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /Z"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /C"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /j"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /y"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /i"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /f"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /q"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /E"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /t"	dooduv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dooduv = "C:\\Users\\Admin\\dooduv.exe /l"	dooduv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe
3724	dooduv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4992	ef5e8f6f4944c9b9a7337c50be395070.exe
3724	dooduv.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 3724	4992	ef5e8f6f4944c9b9a7337c50be395070.exe	69
PID 4992 wrote to memory of 3724	4992	ef5e8f6f4944c9b9a7337c50be395070.exe	69
PID 4992 wrote to memory of 3724	4992	ef5e8f6f4944c9b9a7337c50be395070.exe	69

C:\Users\Admin\AppData\Local\Temp\ef5e8f6f4944c9b9a7337c50be395070.exe
"C:\Users\Admin\AppData\Local\Temp\ef5e8f6f4944c9b9a7337c50be395070.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\dooduv.exe
  "C:\Users\Admin\dooduv.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3724