fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103

General

Target

fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exe
Size

184KB
MD5

c947851181519af6eeb0cd6d87daf4d6
SHA1

a3b481c5fb84acd61bf7fc53cb83848f904337c1
SHA256

fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103
SHA512

4353a28957bf4438aa15fc5137b13683cd2a3c431cc1c50f279cbbcdbff79e93a4be70bcb9e182a9bfc2b8531ca444dfbbc1a7cd2052a867a152a940759ccd26
SSDEEP

3072:1WlMlXL6KvWeRl6Knvmb7/D26DKcAA6vQOm34lK5/si+yS3A:dX5VREKnvmb7/D26DKcV67m34E5/skSw

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exevoeubi.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	voeubi.exe

Executes dropped EXE 1 IoCs

Processes:

voeubi.exe

pid process

3056 voeubi.exe

pid	process
3056	voeubi.exe

Loads dropped DLL 2 IoCs

Processes:

fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exe

pid	process
3060	fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exe
3060	fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

voeubi.exefa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /k"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /g"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /o"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /s"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /G"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /z"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /E"	fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /C"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /H"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /m"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /q"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /w"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /X"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /T"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /b"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /f"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /u"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /W"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /B"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /p"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /S"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /V"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /K"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /N"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /e"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /J"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /d"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /P"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /x"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /D"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /I"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /t"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /U"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /A"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /i"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /R"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /c"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /h"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /Y"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /M"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /l"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /j"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /Q"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /n"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /a"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /F"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /Z"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /L"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /y"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /O"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /v"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /r"	voeubi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\voeubi = "C:\\Users\\Admin\\voeubi.exe /E"	voeubi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exevoeubi.exe

pid	process
3060	fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe
3056	voeubi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exevoeubi.exe

pid process

3060 fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exe
3056 voeubi.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exe

description	pid	process	target process
PID 3060 wrote to memory of 3056	3060	fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exe	voeubi.exe
PID 3060 wrote to memory of 3056	3060	fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exe	voeubi.exe
PID 3060 wrote to memory of 3056	3060	fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exe	voeubi.exe
PID 3060 wrote to memory of 3056	3060	fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exe	voeubi.exe

C:\Users\Admin\AppData\Local\Temp\fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exe
"C:\Users\Admin\AppData\Local\Temp\fa313df70dd44a9c8e9b35afeb460e45880b745665eab11bac4f02681692a103.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\voeubi.exe
"C:\Users\Admin\voeubi.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\voeubi.exe

Filesize
184KB

MD5
64bac3ff2ecfe6d6bcd7189f8dea20a3

SHA1
471ca9b7397334d06802cb3c2fce9b1156c3a11c

SHA256
242fb52f43e22f52c2c8ecb7dce5e7a65396cf6d2433de2b3edbb849afec04aa

SHA512
1de975e80c789eb58f2ac339ce008dd871cd5377663fbfd54d19fca5b059c022f1e6966a6ce9397d3871d6b24defe11196b5176d9e10de753d389a3a327d5834

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads