75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248

General

Target

75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
Size

56KB
MD5

254ffe1185bbcd04bf92b11b22208890
SHA1

7655ca62b46f1ab8b71cb979147743e6260f56dd
SHA256

75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248
SHA512

1ab674c0c57e835ab42bd2a8e80cb0d7b10f2a15083d5f08190dc231398814b9ead4446583697ea622c91984a5502304da8e770110d9523bf2aa5b072ac4bd36
SSDEEP

1536:SOccX9QgnRt9UdLw6BNMyBhXZxHJ6P6D5p/G:Kgz07JjD5p/

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

doour.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	doour.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe

Executes dropped EXE 1 IoCs

Processes:

doour.exe

pid process

860 doour.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

doour.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /z"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /Q"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /D"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /C"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /k"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /x"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /e"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /w"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /p"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /A"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /j"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /u"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /X"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /i"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /f"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /G"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /r"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /H"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /U"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /S"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /o"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /Y"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /y"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /t"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /d"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /W"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /B"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /R"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /E"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /q"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /O"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /m"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /a"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /g"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /J"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /s"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /l"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /L"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /P"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /V"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /T"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /N"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /F"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /M"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /b"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /n"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /I"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /c"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /v"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /Z"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /h"	doour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\doour = "C:\\Users\\Admin\\doour.exe /K"	doour.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

doour.exe

pid	process
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe
860	doour.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exedoour.exe

pid process

2564 75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
860 doour.exe

pid	process
2564	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
860	doour.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exedoour.exe

description	pid	process	target process
PID 2564 wrote to memory of 860	2564	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe	doour.exe
PID 2564 wrote to memory of 860	2564	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe	doour.exe
PID 2564 wrote to memory of 860	2564	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe	doour.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
PID 860 wrote to memory of 2564	860	doour.exe	75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe

C:\Users\Admin\AppData\Local\Temp\75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe
"C:\Users\Admin\AppData\Local\Temp\75f63cd6d7fc306475c9a4912ea3b453237ae79e92de7d9c12e1b834ddb00248.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\doour.exe
"C:\Users\Admin\doour.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:860

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\doour.exe
Filesize
56KB

MD5
f115bec668bf22a0064922dac43decde

SHA1
9649604e850aa655ca63ab607c7e81bff51ef4c3

SHA256
efabfe8fa10cf9b52c011815a31b55fe16e2fb1331154f88d6afb08ece69f93a

SHA512
028d854e661fc6074b9a1b7f937cf1356ff6a48b12e8564a11c06b78e71118beaaa7d0648455a96a899c9f9a4c3beb537e98b2eac41ffbcdb7593c8c5b95477f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads