Analysis

max time kernel: 150s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-05-2024 22:46

Static task: static1

Behavioral task: behavioral1
Sample: 77e05f40f5aa4ff8286bea0bc677c5476d27fc44269d784ebc088993fe2ff6d6.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: 77e05f40f5aa4ff8286bea0bc677c5476d27fc44269d784ebc088993fe2ff6d6.exe
Resource: win10v2004-20240419-en
General

Target: 77e05f40f5aa4ff8286bea0bc677c5476d27fc44269d784ebc088993fe2ff6d6.exe
Size: 224KB
MD5: 88b6005a3fd54d704dd8e6cded10533e
SHA1: 1b17c092950e1ce25579f6b50e5d56f74882e64e
SHA256: 77e05f40f5aa4ff8286bea0bc677c5476d27fc44269d784ebc088993fe2ff6d6
SHA512: b8c0bb6399a072a0c605ccf7741154fb44947a45e46db5bad2b31e127f3fc33920281201153820435805f031ac2e25199e1b66e6db4dcc9a3ae512f394f49792
SSDEEP: 6144:GU8cFdn53qLowKnvmb7/D26NID5UR2uNhVc5QTI/MfqZN:GFEn53qLowKnvmb7/D26rVc5AIMfqZN
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  77e05f40f5aa4ff8286bea0bc677c5476d27fc44269d784ebc088993fe2ff6d6.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  xcguuy.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation  77e05f40f5aa4ff8286bea0bc677c5476d27fc44269d784ebc088993fe2ff6d6.exe
Executes dropped EXE (1 IoC)
pid  Process
3288  xcguuy.exe
Adds Run key to start application (2 TTPs, 51 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcguuy = "C:\\Users\\Admin\\xcguuy.exe /k"  77e05f40f5aa4ff8286bea0bc677c5476d27fc44269d784ebc088993fe2ff6d6.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcguuy = "C:\\Users\\Admin\\xcguuy.exe /<switch>"  xcguuy.exe
  (50 writes to the same Run value by xcguuy.exe, one per switch, in the order recorded: /s /a /B /T /X /w /u /M /I /Z /h /R /x /f /b /J /r /L /m /H /c /q /P /C /n /A /E /i /W /d /U /j /k /e /F /y /Q /O /S /o /K /l /t /V /z /p /v /N /D /Y)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  Process
760  77e05f40f5aa4ff8286bea0bc677c5476d27fc44269d784ebc088993fe2ff6d6.exe  (2 entries)
3288  xcguuy.exe  (remaining 62 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid  Process
760  77e05f40f5aa4ff8286bea0bc677c5476d27fc44269d784ebc088993fe2ff6d6.exe
3288  xcguuy.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description  pid  Process  procid_target
PID 760 wrote to memory of 3288  760  77e05f40f5aa4ff8286bea0bc677c5476d27fc44269d784ebc088993fe2ff6d6.exe  93
  (3 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\77e05f40f5aa4ff8286bea0bc677c5476d27fc44269d784ebc088993fe2ff6d6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\77e05f40f5aa4ff8286bea0bc677c5476d27fc44269d784ebc088993fe2ff6d6.exe"
   PID: 760
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

2. C:\Users\Admin\xcguuy.exe (child of PID 760)
   Command line: "C:\Users\Admin\xcguuy.exe"
   PID: 3288
   - Modifies visibility of hidden/system files in Explorer
   - Executes dropped EXE
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 224KB
MD5: f197a2451b25e651b1b75651596996b5
SHA1: a69f72086408153aab3c71b9039cfda579718095
SHA256: 33daacc340c1c0c3ca63ac9b067a086e5cd6667067dad564eb058ec98abd3990
SHA512: 3bc99868aae209abf783523b827a5b5af2a9aa96f32052dbd3172a348fa1b16c91e2ce4b92be6f64b4ee0fc5b2867e07d1cf1534c3452b2b20cd9e4ebc508504