Analysis

max time kernel: 155s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/03/2024, 22:46

Static task: static1
Behavioral task: behavioral1
  Sample: c9d12eca6524fb1279ce3fa7a1f5317f.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c9d12eca6524fb1279ce3fa7a1f5317f.exe
  Resource: win10v2004-20240226-en

General

Target: c9d12eca6524fb1279ce3fa7a1f5317f.exe
Size: 264KB
MD5: c9d12eca6524fb1279ce3fa7a1f5317f
SHA1: 31d64932d863b2446c17c6fdc854d72c1a02aada
SHA256: 7cf08f77c02c7812767b2fcbbbea6d6f0152391acaf3bc6e4e9ea2a45b186eb1
SHA512: ec2cb241e95a51537f109b4918f90ec9c184dac9bc84402845fd7a8bc364fd6621ca6d9201e866076b71338e8835b29a8b9e9cd2b02f2ac2b7b427a1b2285848
SSDEEP: 3072:cMWfN8cli4EFm4SRbyA/0IobzeiDNzFuORuBJtq6I2Jta2esH7OjGSHS5jeghFVg:chirmFSbuB1I2bGHg11
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  Process: raafeo.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  Process: c9d12eca6524fb1279ce3fa7a1f5317f.exe

Executes dropped EXE (1 IoC)
  pid: 872
  Process: raafeo.exe

Adds Run key to start application (2 TTPs, 51 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raafeo = "C:\\Users\\Admin\\raafeo.exe /<switch>"
  Process: raafeo.exe
  All 51 writes set the same value name; the data differs only in the trailing switch, written in this order:
  /i /o /Y /p /S /L /E /w /c /d /m /O /V /n /y /f /B /a /b /C /s /K /R /j /q /J /g /z /X /u /e /D /r /Z /Q /v /G /A /k /M /F /N /W /h /P /t /U /x /T /I /l

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 872
  Process: raafeo.exe (64 identical entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 4572  Process c9d12eca6524fb1279ce3fa7a1f5317f.exe
  pid 872   Process raafeo.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4572 wrote to memory of 872
  pid: 4572
  Process: c9d12eca6524fb1279ce3fa7a1f5317f.exe
  procid_target: 100
  (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\c9d12eca6524fb1279ce3fa7a1f5317f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c9d12eca6524fb1279ce3fa7a1f5317f.exe"
  PID: 4572
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  child process:
    C:\Users\Admin\raafeo.exe
      command line: "C:\Users\Admin\raafeo.exe"
      PID: 872
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
  PID: 4028
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 183KB
MD5: c59775651166333866efba1fc9598df8
SHA1: ee72c4eed389321172e1b5b83ad014210daa2940
SHA256: 8142ff006cfa801ac3cef5ff692e45e509501bd8930f3edc9882d4f29b5f7d92
SHA512: 8f312ee9ebd592022f24a6d8d06769232664c5ddfee8dc086266dba8ccc2c18164c631737de59310a985c9858372d3d958d8f150856130a1fd24416720c18518

Filesize: 264KB
MD5: f5fa3b0f99aff98826897a507940594f
SHA1: ed09c65386e918e579eb42c559b885bcb258ed39
SHA256: 92260f0dfcaeefc4d33f5a74135bbb40341aead500779dfef12650acec79b931
SHA512: 70b347b0a82d060933fd940013fe95821eb29ce106aaad6cfb7bc4868bf6cac324c05394b3b477f975a861192e5dbcbe2e4f4dbec676ae3a97f0c6cb4072100f