Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15/03/2024, 23:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cde562b27c09719b9fd33a3dfecb52eef364037fa85c1e7767c49e4da4c07f19.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
cde562b27c09719b9fd33a3dfecb52eef364037fa85c1e7767c49e4da4c07f19.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
cde562b27c09719b9fd33a3dfecb52eef364037fa85c1e7767c49e4da4c07f19.exe
-
Size
408KB
-
MD5
05cbdbb5a8925ed51277957c2de287c0
-
SHA1
48e565d05fe6c8cf7f5785cd2687335eb8f143e4
-
SHA256
cde562b27c09719b9fd33a3dfecb52eef364037fa85c1e7767c49e4da4c07f19
-
SHA512
877de4534bbf473426852b7b11467d5fc1e72a1d85e34712fc9ce9420b54e25d2e88bfc07daaefbc2e82479c9e847c750cbf1cd35306dd8ab4653e7aaf488f97
-
SSDEEP
6144:SzY8fGmZ9oKpYdGizwhGt7k9dcKCdEkR2OAkmQxkpnUMgpmDJOGExOfKdLK/P2S9:CTZ9duukRX8WkpnUMuGExOfW+/P2SQ/+
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cde562b27c09719b9fd33a3dfecb52eef364037fa85c1e7767c49e4da4c07f19.exe Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" raobi.exe -
Executes dropped EXE 1 IoCs
pid Process 2736 raobi.exe -
Loads dropped DLL 2 IoCs
pid Process 1756 cde562b27c09719b9fd33a3dfecb52eef364037fa85c1e7767c49e4da4c07f19.exe 1756 cde562b27c09719b9fd33a3dfecb52eef364037fa85c1e7767c49e4da4c07f19.exe -
Adds Run key to start application 2 TTPs 53 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /I" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /L" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /c" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /C" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /V" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /a" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /D" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /h" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /b" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /M" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /e" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /N" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /g" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /P" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /A" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /x" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /p" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /S" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /t" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /w" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /n" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /T" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /B" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /u" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /Z" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /d" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /y" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /z" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /U" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /v" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /E" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /r" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /K" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /i" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /O" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /W" cde562b27c09719b9fd33a3dfecb52eef364037fa85c1e7767c49e4da4c07f19.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /o" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /m" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /X" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /R" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /s" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /j" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /k" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /G" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /H" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /J" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /f" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /W" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /F" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /Y" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /Q" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /l" raobi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\raobi = "C:\\Users\\Admin\\raobi.exe /q" raobi.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1756 cde562b27c09719b9fd33a3dfecb52eef364037fa85c1e7767c49e4da4c07f19.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe 2736 raobi.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1756 cde562b27c09719b9fd33a3dfecb52eef364037fa85c1e7767c49e4da4c07f19.exe 2736 raobi.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1756 wrote to memory of 2736 1756 cde562b27c09719b9fd33a3dfecb52eef364037fa85c1e7767c49e4da4c07f19.exe 28 PID 1756 wrote to memory of 2736 1756 cde562b27c09719b9fd33a3dfecb52eef364037fa85c1e7767c49e4da4c07f19.exe 28 PID 1756 wrote to memory of 2736 1756 cde562b27c09719b9fd33a3dfecb52eef364037fa85c1e7767c49e4da4c07f19.exe 28 PID 1756 wrote to memory of 2736 1756 cde562b27c09719b9fd33a3dfecb52eef364037fa85c1e7767c49e4da4c07f19.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\cde562b27c09719b9fd33a3dfecb52eef364037fa85c1e7767c49e4da4c07f19.exe"C:\Users\Admin\AppData\Local\Temp\cde562b27c09719b9fd33a3dfecb52eef364037fa85c1e7767c49e4da4c07f19.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Users\Admin\raobi.exe"C:\Users\Admin\raobi.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2736
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408KB
MD5c8d468c3a3e765529976cb7843b9300b
SHA114f162a1c73075b8e52f300f835db4f86be14833
SHA256445ef77fa4cbfd7809c97b73070a6e5efca47fa141d6a3b30e17b9db156c10fd
SHA5127fbdeeb0010fdac9fc21d062d5a8b0196856609478cd42052e2431223652765762222cd3de8c24be6dd9bbec005dade520c64461e7b907d044a46fd2e5df3232