53dd2e099b3d876e8924d47993d8f5645ffad9fe2ab201795a935f15ccda9cc4

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c8612f86459c3b85d5563839ae979e4.exe
Size

240KB
MD5

8c8612f86459c3b85d5563839ae979e4
SHA1

8e8fa2d0a7b255ac175574e8d815dc7ff15f83ad
SHA256

53dd2e099b3d876e8924d47993d8f5645ffad9fe2ab201795a935f15ccda9cc4
SHA512

4ecf9c7e083049a7754719d79b9540e08f3052b3baec80356e38a516b8db733b2faa6054eb5beb3cff0d92c70b3b2c62a685988a4e3da4d7e1084750574b26b0
SSDEEP

6144:WyP3dwqsNTNEXGlQR58EqxF6snji81RUinKq3aEESliDII:WGdQKjeaEEpL

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	8c8612f86459c3b85d5563839ae979e4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tuaki.exe

Executes dropped EXE 1 IoCs

pid	Process
2560	tuaki.exe

Loads dropped DLL 2 IoCs

pid	Process
1700	8c8612f86459c3b85d5563839ae979e4.exe
1700	8c8612f86459c3b85d5563839ae979e4.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /e"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /o"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /f"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /y"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /w"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /g"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /a"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /t"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /x"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /l"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /m"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /u"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /h"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /i"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /k"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /z"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /q"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /b"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /n"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /v"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /r"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /g"	8c8612f86459c3b85d5563839ae979e4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /p"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /c"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /j"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /d"	tuaki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuaki = "C:\\Users\\Admin\\tuaki.exe /s"	tuaki.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	8c8612f86459c3b85d5563839ae979e4.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe
2560	tuaki.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1700	8c8612f86459c3b85d5563839ae979e4.exe
2560	tuaki.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2560	1700	8c8612f86459c3b85d5563839ae979e4.exe	28
PID 1700 wrote to memory of 2560	1700	8c8612f86459c3b85d5563839ae979e4.exe	28
PID 1700 wrote to memory of 2560	1700	8c8612f86459c3b85d5563839ae979e4.exe	28
PID 1700 wrote to memory of 2560	1700	8c8612f86459c3b85d5563839ae979e4.exe	28

C:\Users\Admin\AppData\Local\Temp\8c8612f86459c3b85d5563839ae979e4.exe
"C:\Users\Admin\AppData\Local\Temp\8c8612f86459c3b85d5563839ae979e4.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\tuaki.exe
  "C:\Users\Admin\tuaki.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\tuaki.exe

Filesize
240KB

MD5
2c560ebee755aa06b2e9648c45bf29d0

SHA1
48f78866fcc1b78bc5696a5ef581c5149c495f2d

SHA256
6e9a5174c1ae2ef36088bacd6b272b1a358e2e68c8bc6987fdf0e158ca400f28

SHA512
a6e2962c1eb61562e30b274a9eb796e8ccd318b174aa88d6175904a5de11987cd3a2f1c70182aa880694fad2205ce3f79302767c469b3d624ae14fafab63a107

Download Submit