Malware Analysis Report

2025-03-14 23:28

Sample ID 240407-wxthbsbb48
Target 069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7
SHA256 069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7
Tags: evasion, persistence
Score: 10/10


Analysis Overview

score
10/10

SHA256

069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7

Threat Level: Known bad

The file 069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:18

Reported

2024-04-07 18:21

Platform

win7-20240221-en

Max time kernel

155s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\liausu.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\liausu.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /l" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /f" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /r" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /m" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /i" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /z" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /h" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /r" C:\Users\Admin\AppData\Local\Temp\069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /k" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /a" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /j" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /d" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /w" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /p" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /c" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /e" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /y" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /x" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /v" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /o" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /s" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /n" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /g" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /q" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /u" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /b" C:\Users\Admin\liausu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\liausu = "C:\\Users\\Admin\\liausu.exe /t" C:\Users\Admin\liausu.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7.exe N/A
N/A N/A C:\Users\Admin\liausu.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7.exe N/A
N/A N/A C:\Users\Admin\liausu.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7.exe

"C:\Users\Admin\AppData\Local\Temp\069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7.exe"

C:\Users\Admin\liausu.exe

"C:\Users\Admin\liausu.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ns1.chopsuwey.com udp
US 8.8.8.8:53 ns1.chopsuwey.net udp
US 8.8.8.8:53 ns1.chopsuwey.org udp
US 8.8.8.8:53 ns1.chopsuwey.biz udp
US 8.8.8.8:53 ns1.chopsuwey.info udp

Files

\Users\Admin\liausu.exe

MD5 19bc982503198ad73e92a89cf42189f6
SHA1 1f348e970e73a1e73e18677554091c25f962aeaa
SHA256 5a3d68c0d6d6fe10de5a5408f81296793b56765390acaa5a6d9020063d5646d2
SHA512 d2cfdfbb51344dd77fcaa043c0588d918f40f7aa4986514f88f1d56979394478efe2c7e90927d574ddf329aa20746efbfd7e0dad9cbf61c65efaa91d6fa370b0

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:18

Reported

2024-04-07 18:21

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\sizud.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\sizud.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /v" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /q" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /g" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /t" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /h" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /o" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /i" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /b" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /p" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /n" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /x" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /w" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /s" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /u" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /d" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /a" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /k" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /e" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /c" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /z" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /l" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /m" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /j" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /f" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /r" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /y" C:\Users\Admin\sizud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sizud = "C:\\Users\\Admin\\sizud.exe /s" C:\Users\Admin\AppData\Local\Temp\069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7.exe N/A
N/A N/A C:\Users\Admin\sizud.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7.exe N/A
N/A N/A C:\Users\Admin\sizud.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7.exe

"C:\Users\Admin\AppData\Local\Temp\069bf8bbb54406dabfd37d1f7d88df7846785cbe3404383c546ba8b4e47523d7.exe"

C:\Users\Admin\sizud.exe

"C:\Users\Admin\sizud.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 ns1.chopsuwey.com udp
US 8.8.8.8:53 ns1.chopsuwey.net udp
US 8.8.8.8:53 ns1.chopsuwey.org udp
US 8.8.8.8:53 ns1.chopsuwey.biz udp
US 8.8.8.8:53 ns1.chopsuwey.info udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\sizud.exe

MD5 5421ebba18b769f92f2be34a10ca7901
SHA1 67ad5bccc9b18b3adea9508a16668ad858bfcf04
SHA256 e2f51229b929fdefb2b5b99af94ddbf5c62f70cbfae73eeb33ef2fcd7b4b66f7
SHA512 d6a045e557df8ead15ca0b1faf0dc787bab66bdb30fd8ca8fc14bd01f16eebb97df78cad6c426cf2d631b8a49cab93582a724ea07ea830c29a6105b26584af35