Analysis

max time kernel: 120s
max time network: 31s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 05-09-2024 12:30

Static task: static1

Behavioral task: behavioral1
Sample: 9f8f47265c5ced444406f6fce24064d0N.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: 9f8f47265c5ced444406f6fce24064d0N.exe
Resource: win10v2004-20240802-en

General

Target: 9f8f47265c5ced444406f6fce24064d0N.exe
Size: 84KB
MD5: 9f8f47265c5ced444406f6fce24064d0
SHA1: da2578a5d80b9e1f38ec59de6722120450a23bd2
SHA256: 52b398e913cbcdc27ee1e457c2d065ba1b626da70c71dd6af36ac77cc0c3d688
SHA512: 3e164dc9e5f4cbfff15861c0df5379c8e52c1b932d37edd5a32c251e3cbd44d1a4d025303f607a1b0d844a4b3ddcea3446a45c19ac3c6b07bdd429660ef1e912
SSDEEP: 1536:Is9dgnE316Lti8n42APNR2dcScLcPcxeTanuUHWOIs3xxNMq39gk34iSf:ME+4PNEdcScLcPcfnuo0X
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description  ioc  (Process)
Set value (int)  \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (9f8f47265c5ced444406f6fce24064d0N.exe)
Set value (int)  \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (tuewal.exe)
Executes dropped EXE (1 IoC)
pid  Process
2796  tuewal.exe

Loads dropped DLL (2 IoCs)
pid  Process
1904  9f8f47265c5ced444406f6fce24064d0N.exe
1904  9f8f47265c5ced444406f6fce24064d0N.exe
Adds Run key to start application (2 TTPs, 27 IoCs)
Key written by all 27 entries: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\tuewal
description  ioc  (Process)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /k"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /x"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /b"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /a"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /p"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /s"  (9f8f47265c5ced444406f6fce24064d0N.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /j"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /s"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /r"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /e"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /y"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /q"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /m"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /n"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /z"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /h"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /u"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /f"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /l"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /v"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /g"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /i"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /d"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /w"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /c"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /o"  (tuewal.exe)
Set value (str)  tuewal = "C:\\Users\\Admin\\tuewal.exe /t"  (tuewal.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  (Process)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (9f8f47265c5ced444406f6fce24064d0N.exe)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (tuewal.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  Process
1904  9f8f47265c5ced444406f6fce24064d0N.exe  (1 event)
2796  tuewal.exe  (63 events)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid  Process
1904  9f8f47265c5ced444406f6fce24064d0N.exe
2796  tuewal.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description  pid  Process  procid_target
PID 1904 wrote to memory of 2796  1904  9f8f47265c5ced444406f6fce24064d0N.exe  31  (recorded 4 times)
Processes

C:\Users\Admin\AppData\Local\Temp\9f8f47265c5ced444406f6fce24064d0N.exe  "C:\Users\Admin\AppData\Local\Temp\9f8f47265c5ced444406f6fce24064d0N.exe"  (PID 1904)
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\tuewal.exe  "C:\Users\Admin\tuewal.exe"  (PID 2796)
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
Downloads

Filesize: 84KB
MD5: 97609d3cb836e58413df64fb87ad76ae
SHA1: ddb34fe745e6e5e8c4d78c6c2a7d27b87321bd95
SHA256: 79fbb4242cfd117b6ffcd56d9feb62d935eac298eda22c473df886730fc21686
SHA512: 13fb751e5c8aacf2a89787d040dea3e27e2f49011fbeb21ca8bdb57c7cf90dc2bfb4e8cee10ea9de4e4d903f033d777bc33299e56dcaf58d4b58873ed469b86b