d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1

General

Target

d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
Size

53KB
MD5

d7e30d3b60915d90fabd9e1d45da1838
SHA1

e9c4d15232439d2d8ec83f47390506a62b692a2b
SHA256

d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1
SHA512

d3b6acd5c47abe37f2b62c4ba6f59bd60569b386881ac257ef758c42a756be87c4485f1395691e750d5eac6a5ca19ca7ba91dc65e9cdeb19557597820037da91
SSDEEP

1536:vN7g8r8Q8A2L1Y7Kp3StjEMjmLM3ztDJWZsXy4JzxPM0:r2L2JJjmLM3zRJWZsXy4J9

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

veouq.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	veouq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe

Executes dropped EXE 1 IoCs

Processes:

veouq.exe

pid process

924 veouq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

veouq.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\veouq = "C:\\Users\\Admin\\veouq.exe"	veouq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

veouq.exe

pid	process
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe
924	veouq.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exeveouq.exe

pid process

4620 d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
924 veouq.exe

pid	process
4620	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
924	veouq.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exeveouq.exe

description	pid	process	target process
PID 4620 wrote to memory of 924	4620	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe	veouq.exe
PID 4620 wrote to memory of 924	4620	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe	veouq.exe
PID 4620 wrote to memory of 924	4620	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe	veouq.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
PID 924 wrote to memory of 4620	924	veouq.exe	d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe

C:\Users\Admin\AppData\Local\Temp\d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe
"C:\Users\Admin\AppData\Local\Temp\d17f361a08053d856acab983ff369f2439511597ae403209dc07e604fba358a1.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4620

C:\Users\Admin\veouq.exe
"C:\Users\Admin\veouq.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\veouq.exe

Filesize
53KB

MD5
7606420bf01642750e3da648825d5a05

SHA1
f669ac30842e031eef8dbb5c0725ddb7f47f0401

SHA256
a073b069802f0777a2fe568de95c509f1c7b995dc75b9828b69a00059e816ca9

SHA512
499b1eecd79763cb329eccfaafb6c967d69188432a249d60a208d36b74ef57a562ba88e229736bbf03bb8d14ab4e75bbc80f8865b065f618a2d8eaf27985d9c3

Download Submit
memory/924-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4620-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads