Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27-03-2024 02:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f907e36db4d021c03735eef63ec11d0e4a86a5831a74cd367d78fe773ee144b4.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
f907e36db4d021c03735eef63ec11d0e4a86a5831a74cd367d78fe773ee144b4.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
f907e36db4d021c03735eef63ec11d0e4a86a5831a74cd367d78fe773ee144b4.exe
-
Size
84KB
-
MD5
3b89f5fff7b469730dcb838ad1036eed
-
SHA1
6bb31fc9b268422ac6b2e4894f8d7360d7051381
-
SHA256
f907e36db4d021c03735eef63ec11d0e4a86a5831a74cd367d78fe773ee144b4
-
SHA512
bc3d4314960662d78694bd32d8335aaf4f057183754155db7a2f51f960bb962a9f373727512e31975f8f56b9f41f1c66f48c6a895b501d86861dc2bffe40854d
-
SSDEEP
1536:DcIEc5HBkoNhTOWhcPYZxAxMpBd48CArrprdtA2:wIDHNhTOWhcAZxAulJA2
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" f907e36db4d021c03735eef63ec11d0e4a86a5831a74cd367d78fe773ee144b4.exe Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" voewea.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation f907e36db4d021c03735eef63ec11d0e4a86a5831a74cd367d78fe773ee144b4.exe -
Executes dropped EXE 1 IoCs
pid Process 4884 voewea.exe -
Adds Run key to start application 2 TTPs 27 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /h" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /w" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /k" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /j" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /q" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /a" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /f" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /y" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /t" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /e" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /c" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /b" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /z" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /s" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /p" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /v" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /m" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /u" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /g" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /x" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /l" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /r" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /o" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /b" f907e36db4d021c03735eef63ec11d0e4a86a5831a74cd367d78fe773ee144b4.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /d" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /i" voewea.exe Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\voewea = "C:\\Users\\Admin\\voewea.exe /n" voewea.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3300 f907e36db4d021c03735eef63ec11d0e4a86a5831a74cd367d78fe773ee144b4.exe 3300 f907e36db4d021c03735eef63ec11d0e4a86a5831a74cd367d78fe773ee144b4.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe 4884 voewea.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3300 f907e36db4d021c03735eef63ec11d0e4a86a5831a74cd367d78fe773ee144b4.exe 4884 voewea.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3300 wrote to memory of 4884 3300 f907e36db4d021c03735eef63ec11d0e4a86a5831a74cd367d78fe773ee144b4.exe 95 PID 3300 wrote to memory of 4884 3300 f907e36db4d021c03735eef63ec11d0e4a86a5831a74cd367d78fe773ee144b4.exe 95 PID 3300 wrote to memory of 4884 3300 f907e36db4d021c03735eef63ec11d0e4a86a5831a74cd367d78fe773ee144b4.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\f907e36db4d021c03735eef63ec11d0e4a86a5831a74cd367d78fe773ee144b4.exe"C:\Users\Admin\AppData\Local\Temp\f907e36db4d021c03735eef63ec11d0e4a86a5831a74cd367d78fe773ee144b4.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Users\Admin\voewea.exe"C:\Users\Admin\voewea.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4884
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
84KB
MD5f1568eb3ca852814ffcd86e9ee8300a7
SHA18fc2cf730390f055d2e31b1431c9a07b6f71cf1f
SHA2562ae46c1f9ee8556a11c3325834e97e41f8c8c3e707f10fa61ebc0cc723a48694
SHA512627cf33f644f812cd1b04b42387f9dae8419f232dd16573acef3607a96f3e99791ec892aec0fbaf7b040f9604da4c45a3440bfff547bf275b1798567eea8e5a6