e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe
Size

224KB
MD5

57e3a3a300f99ad87076de6975a04261
SHA1

f707f6cb91142fc61c729eba75c5902a20b50414
SHA256

e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275
SHA512

92cda2e4d183d11ec2ebdfd07e8cf8dbc94f64dbb88ed27f7f45be494c442c8be0592e53095f63b2f82aaee621b20622288551ec82d59424d033ae1951537c29
SSDEEP

3072:9k6kvZjWnE5b68qaAF/OVLj4UbaxxmLQTi2//9U33T+NVzo:91kBmdaAF4RFSs

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yuanuep.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe

Executes dropped EXE 1 IoCs

pid	Process
4912	yuanuep.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /y"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /o"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /n"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /r"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /j"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /k"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /g"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /u"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /w"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /z"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /a"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /i"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /q"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /h"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /d"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /f"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /s"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /t"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /t"	e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /e"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /b"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /x"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /p"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /c"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /l"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /m"	yuanuep.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuanuep = "C:\\Users\\Admin\\yuanuep.exe /v"	yuanuep.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3252	e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe
3252	e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe
4912	yuanuep.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3252	e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe
4912	yuanuep.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 4912	3252	e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe	98
PID 3252 wrote to memory of 4912	3252	e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe	98
PID 3252 wrote to memory of 4912	3252	e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe	98

C:\Users\Admin\AppData\Local\Temp\e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe
"C:\Users\Admin\AppData\Local\Temp\e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Users\Admin\yuanuep.exe
  "C:\Users\Admin\yuanuep.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\yuanuep.exe

Filesize
224KB

MD5
78eb0bcf6275211bf647b8feae964412

SHA1
1c9340e387682c9aa3806e4fe0253279bb7bff54

SHA256
4150476ca388e1beba69c1198ab1da0630a489c9854901e4ecf2c009389ab546

SHA512
9556d95dfa969596b83245e8fb27fb4b70d9395b151ed0c2ba3da2e75ef6aa79bc3161cb242d761d2cb61e524fa9c33c97728daaa6e6132a32dd1469e2718af3

Download Submit