Analysis
- max time kernel: 194s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-03-2024 15:54
Static task: static1
Behavioral task: behavioral1
- Sample: b7ca9b2989cf62862499a3f150b1971f.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: b7ca9b2989cf62862499a3f150b1971f.exe
- Resource: win10v2004-20240226-en
General
- Target: b7ca9b2989cf62862499a3f150b1971f.exe
- Size: 172KB
- MD5: b7ca9b2989cf62862499a3f150b1971f
- SHA1: 00d7f74dd546afc1f9de33067f6d62154a9ab3a6
- SHA256: 75f8f2ba30b736d4f971cca1d2f2efcd69489f8f31a786f2fba61781e49ae22b
- SHA512: 914fb86bb41571108938ce2adb1ef428c4c59353bae48820cbdc1d0dc1747848bc03ae2127b971b7914fece7eff145f0d1081ffc08c27320327dd07aa4b3fd28
- SSDEEP: 3072:tLBNUGAEbN01MiK/fObT/bGikHk6xI66XwiY+ZAcj5AHZdWUViBuAZdn:lUGAEbNsK/fObT/bGikE6xI1XwiY+ZA4
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: b7ca9b2989cf62862499a3f150b1971f.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: xaofuo.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation (process: b7ca9b2989cf62862499a3f150b1971f.exe)
Executes dropped EXE (1 IoC)
- PID 2068: xaofuo.exe
Adds Run key to start application (2 TTPs, 51 IoCs)
Every entry below is a "Set value (str)" on the same value name: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xaofuo. The data written and the writing process are listed per entry.
- "C:\\Users\\Admin\\xaofuo.exe /T" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /J" (process: b7ca9b2989cf62862499a3f150b1971f.exe)
- "C:\\Users\\Admin\\xaofuo.exe /G" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /V" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /K" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /L" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /R" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /f" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /w" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /z" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /C" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /W" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /v" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /q" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /l" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /y" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /g" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /h" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /Z" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /s" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /x" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /I" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /O" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /U" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /b" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /t" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /P" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /d" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /E" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /F" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /j" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /o" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /D" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /p" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /S" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /Q" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /Y" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /A" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /e" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /B" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /M" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /n" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /r" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /u" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /J" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /m" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /c" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /N" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /H" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /X" (process: xaofuo.exe)
- "C:\\Users\\Admin\\xaofuo.exe /i" (process: xaofuo.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 3912: b7ca9b2989cf62862499a3f150b1971f.exe (2 entries)
- PID 2068: xaofuo.exe (the remaining 62 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 3912: b7ca9b2989cf62862499a3f150b1971f.exe
- PID 2068: xaofuo.exe
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 3912 wrote to memory of 2068 (pid: 3912, process: b7ca9b2989cf62862499a3f150b1971f.exe, procid_target: 90)
- PID 3912 wrote to memory of 2068 (pid: 3912, process: b7ca9b2989cf62862499a3f150b1971f.exe, procid_target: 90)
- PID 3912 wrote to memory of 2068 (pid: 3912, process: b7ca9b2989cf62862499a3f150b1971f.exe, procid_target: 90)
Processes
- C:\Users\Admin\AppData\Local\Temp\b7ca9b2989cf62862499a3f150b1971f.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7ca9b2989cf62862499a3f150b1971f.exe"
  PID: 3912
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\xaofuo.exe (depth 2, child of PID 3912)
    Command line: "C:\Users\Admin\xaofuo.exe"
    PID: 2068
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 172KB
- MD5: 71210f3a01edc719fa90d901bb2472b4
- SHA1: 68bbefa7cb6bf91048151866af83f9aef083421e
- SHA256: 8e1623b476d056f85a2fcdd0ec1d43bf056c14b46d5b10ae08f9cc1bdbcd8e4c
- SHA512: 2cdbf742216adced7e08f4ad285c405b55259bc3bdfc704cc44c2daa7669bed0a9773f6480e53531b64d64beb5c832aee65f1897ab5212fcf1a6f7eb8526fd97