Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
12-03-2024 03:59
Static task
static1
Behavioral task
behavioral1
Sample
c265b00a3571eba0b50f3520ed66fde0.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
c265b00a3571eba0b50f3520ed66fde0.exe
Resource
win10v2004-20231215-en
General
-
Target
c265b00a3571eba0b50f3520ed66fde0.exe
-
Size
142KB
-
MD5
c265b00a3571eba0b50f3520ed66fde0
-
SHA1
9e40426519aa6b152dab35c7b33371aee53104d5
-
SHA256
26d92a26e274636e5b39303cbff4237e9f4cbd3de9a564f5eebf59003b4cb6a4
-
SHA512
9972b5d86d7c72edb97a27fd7b8f60549b5975d4f944eed1c08be6f1c34988d943d03930ef64df296f10604c0958fa4aa9d8941edcc01ca76eb0d1ed076893f3
-
SSDEEP
3072:n7IF7N4rIbtIrmA9KQcJJ78IrDlq2RzFq247DCLTzltNSFN9b23y0PEOmuHw794h:n+NaL9KQcJJ78IrDlq2RzFq247DCLTzE
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" deuun.exe -
Executes dropped EXE 1 IoCs
pid Process 2008 deuun.exe -
Loads dropped DLL 2 IoCs
pid Process 1160 c265b00a3571eba0b50f3520ed66fde0.exe 1160 c265b00a3571eba0b50f3520ed66fde0.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\deuun = "C:\\Users\\Admin\\deuun.exe" deuun.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2008 deuun.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1160 c265b00a3571eba0b50f3520ed66fde0.exe 2008 deuun.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1160 wrote to memory of 2008 1160 c265b00a3571eba0b50f3520ed66fde0.exe 28 PID 2008 wrote to memory of 1160 2008 deuun.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\c265b00a3571eba0b50f3520ed66fde0.exe "C:\Users\Admin\AppData\Local\Temp\c265b00a3571eba0b50f3520ed66fde0.exe"
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Users\Admin\deuun.exe "C:\Users\Admin\deuun.exe"
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
142KB
MD5 0ca15338df5147e7851fe8170de46f45
SHA1 47675cf3c3f49e2396e0d45a9fd8787d72de7298
SHA256 9c64ecde91643bb216e7d6ffb032d1d592ebccbedbd784bf32242e557198a610
SHA512 356a4bff0a0286bec443fa68c5035fbb9f9517ee6c0700841b45d9b707707c2429006bd165454a15a0a454da61822f265b7a0649d0c41e678a0e0941c6c11578