Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 12-06-2024 07:02
Static task: static1
Behavioral task: behavioral1
  Sample: f977425dcf5425a8a70435265c75262925951991453e958b1a305005da12a181.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f977425dcf5425a8a70435265c75262925951991453e958b1a305005da12a181.exe
  Resource: win10v2004-20240508-en
General
Target: f977425dcf5425a8a70435265c75262925951991453e958b1a305005da12a181.exe
Size: 89KB
MD5: 0c186b1f7dfe3cd756de2aa40731aaa8
SHA1: 102ff61711cd80752f37927a6f63577c39c12d17
SHA256: f977425dcf5425a8a70435265c75262925951991453e958b1a305005da12a181
SHA512: c47f02285aaa8b806cdb423772c7f9fbe7af7279d154b5a89659852954f606f9dd8a033b6efead124760ad3c4e0546fe17dd727cd3caae16b8c3605ee20172a3
SSDEEP: 768:UZrb6K4Fd6eUCRGIIPP1y7oLacaIBLP3ner42Q:UkTFTUCxQ1aZr42Q
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)

| Description | IoC | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | f977425dcf5425a8a70435265c75262925951991453e958b1a305005da12a181.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tealuuf.exe |
Executes dropped EXE (1 IoC)

| PID | Process |
| --- | --- |
| 2516 | tealuuf.exe |
Loads dropped DLL (2 IoCs)

| PID | Process |
| --- | --- |
| 1968 | f977425dcf5425a8a70435265c75262925951991453e958b1a305005da12a181.exe |
| 1968 | f977425dcf5425a8a70435265c75262925951991453e958b1a305005da12a181.exe |
Adds Run key to start application (2 TTPs, 27 IoCs)

| Description | IoC | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /c" | f977425dcf5425a8a70435265c75262925951991453e958b1a305005da12a181.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /c" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /m" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /b" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /o" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /e" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /g" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /w" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /f" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /z" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /q" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /l" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /s" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /h" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /x" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /v" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /a" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /n" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /y" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /k" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /t" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /j" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /d" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /i" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /r" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /u" | tealuuf.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\tealuuf = "C:\\Users\\Admin\\tealuuf.exe /p" | tealuuf.exe |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| PID | Process |
| --- | --- |
| 1968 | f977425dcf5425a8a70435265c75262925951991453e958b1a305005da12a181.exe |
| 2516 | tealuuf.exe (all remaining entries are this same PID/process pair) |
Suspicious use of SetWindowsHookEx (2 IoCs)

| PID | Process |
| --- | --- |
| 1968 | f977425dcf5425a8a70435265c75262925951991453e958b1a305005da12a181.exe |
| 2516 | tealuuf.exe |
Suspicious use of WriteProcessMemory (4 IoCs, all identical)

| Description | PID | Process | procid_target |
| --- | --- | --- | --- |
| PID 1968 wrote to memory of 2516 | 1968 | f977425dcf5425a8a70435265c75262925951991453e958b1a305005da12a181.exe | 28 |
Processes
1. C:\Users\Admin\AppData\Local\Temp\f977425dcf5425a8a70435265c75262925951991453e958b1a305005da12a181.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f977425dcf5425a8a70435265c75262925951991453e958b1a305005da12a181.exe"
   PID: 1968
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\tealuuf.exe (child process)
      Command line: "C:\Users\Admin\tealuuf.exe"
      PID: 2516
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 89KB
MD5: ff74cb720fdc0bfedb430e3143229058
SHA1: b7afc53f5f221a6548a430a0a607459aeba54707
SHA256: 7c51c772c95a1e6625db8511a815addda5f90a67b1c1d5bfe97b339fb3cbf242
SHA512: ed3ebb4dbb8ec734f0806e9c2d332c655fbd7839385f2823ab5e50ff1b728df7241ca7d5c91d18751468baf4f8254dfe36c36d79a314ac04983b32cffa11d570