Analysis
-
max time kernel
152s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
14/03/2024, 06:25
Static task
static1
Behavioral task
behavioral1
Sample
c7e98857aeb3d3cefd67a5aee688eb30.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c7e98857aeb3d3cefd67a5aee688eb30.exe
Resource
win10v2004-20240226-en
General
-
Target
c7e98857aeb3d3cefd67a5aee688eb30.exe
-
Size
44KB
-
MD5
c7e98857aeb3d3cefd67a5aee688eb30
-
SHA1
b4f42188c4f64e6148d5313107986afa526af4c2
-
SHA256
715cb554fd042a4a6546ffcb4c0f08cd76d7c6dad50c0dc0751f15ebaf4d9adb
-
SHA512
49eb5c79246df201d11d9676f6c8d87a6d4da7d112a52cc7a314e84ff900bbd36251e5c3ecbd092efb700cb1216a28be752bf9d1cc98642d6b623ae2ce0ba1b3
-
SSDEEP
768:XX/Hdq9VktXe04H7cHPHYmug6UXQm1dIZE2ocOT77e:XSkoHyj6S3T77
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Process: tiuopu.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
Process: c7e98857aeb3d3cefd67a5aee688eb30.exe
-
Executes dropped EXE 1 IoCs
pid: 4604
Process: tiuopu.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiuopu = "C:\\Users\\Admin\\tiuopu.exe"
Process: tiuopu.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid: 4604
Process: tiuopu.exe
(the same entry is logged 64 times)
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid: 1852
Process: c7e98857aeb3d3cefd67a5aee688eb30.exe
pid: 4604
Process: tiuopu.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
(64 logged events, de-duplicated into the two distinct entries below)
description: PID 1852 wrote to memory of 4604
pid: 1852
Process: c7e98857aeb3d3cefd67a5aee688eb30.exe
procid_target: 102
description: PID 4604 wrote to memory of 1852
pid: 4604
Process: tiuopu.exe
procid_target: 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7e98857aeb3d3cefd67a5aee688eb30.exe "C:\Users\Admin\AppData\Local\Temp\c7e98857aeb3d3cefd67a5aee688eb30.exe"
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Users\Admin\tiuopu.exe "C:\Users\Admin\tiuopu.exe"
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
PID:4980
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
44KB
MD5
5a4cc05a5d2b909f0f1e9a7a2bcc1522
SHA1
898f8dd5697be0b30ba45ba94a80d1b995b2abce
SHA256
fbbe39fea93f6a3d0799615f58ac95b2812c7c6292cb90e366b8bc4965c56114
SHA512
d58faf7cf49d7f65fedb75daa9009914fd0647bfbdb56d4ab93ae9145913938bcd10e7a30ab908b34b0fa9cfae0239df3350c6738615c18354506eb48fe3a6b2