Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/01/2024, 18:03
Static task: static1
Behavioral task: behavioral1
Sample: 7529babe2d26fe59fdad435594befd91.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 7529babe2d26fe59fdad435594befd91.exe
Resource: win10v2004-20231222-en
General
Target: 7529babe2d26fe59fdad435594befd91.exe
Size: 48KB
MD5: 7529babe2d26fe59fdad435594befd91
SHA1: c1c5e1b70ba94ee4a8e7f365c80dfd8abe297250
SHA256: 4ffb4c60ef8649fdb11e0ed86fab9df6e6b34ea1e86417aca1eb9e5ae7f61464
SHA512: fab659ca1a11182434d60c2a2b4b98002312a05bae1b1bf4290b69c771cfddc23f259489ce19bbd047795918606bb2d0afaa67ffa613b2ee86669be4713e623c
SSDEEP: 768:26NEhmqg90TiUv+6wH9H7MfygXaDMFQXD7e:26amLDC6NNDsQXD7
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: siuon.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation (process: 7529babe2d26fe59fdad435594befd91.exe)
- Executes dropped EXE (1 IoC)
  PID 3852: siuon.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\siuon = "C:\\Users\\Admin\\siuon.exe" (process: siuon.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3852: siuon.exe (all 64 entries identical)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3884: 7529babe2d26fe59fdad435594befd91.exe
  PID 3852: siuon.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 3884 (7529babe2d26fe59fdad435594befd91.exe) wrote to memory of PID 3852, procid_target 88 (3 entries)
  PID 3852 (siuon.exe) wrote to memory of PID 3884, procid_target 85 (all remaining entries identical)
Processes
1. C:\Users\Admin\AppData\Local\Temp\7529babe2d26fe59fdad435594befd91.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7529babe2d26fe59fdad435594befd91.exe"
   PID: 3884
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\siuon.exe (child of the process above)
      Command line: "C:\Users\Admin\siuon.exe"
      PID: 3852
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 48KB
MD5: 188d0b586993ad794cbe24d9a2a98551
SHA1: bd6bf8bd8d3a85677c85d929cfb6490fb38a540b
SHA256: 75dd8e231bbd5d1651c19688e96560432d466884e8723026006b9a2072dfe61f
SHA512: d7a2f727aa8e6ba5e443cb0b6db082300fd47cb915d8e9f23abb91657fe4e7218e8b9f08ff17d6052aa83517087fa0c949d46af217112d352080fa014dcb0a26