3316bec72997d8b2d923f9b8e53cae640116ca90e86db98d8c53f345796840ab

Analysis

max time kernel
119s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 09:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d04bbb64aa6ebec0f04542b1844fd4b0N.exe
Size

156KB
MD5

d04bbb64aa6ebec0f04542b1844fd4b0
SHA1

043c0172875069d3594c5f8504a28c855051f158
SHA256

3316bec72997d8b2d923f9b8e53cae640116ca90e86db98d8c53f345796840ab
SHA512

fc84eb2440fbc24c922aa4deac6683324a3c3f29ed89ec09b5c9cf820b51cd368cd9497dc755cfdd0871cd29f99990a41f8df1fb6f333c0865074fe6a4f55457
SSDEEP

3072:pHpLdUxOFxlLzrQF0T8ZnPZihF3KYGnUujyOjs6UvVXIR6CE5j4oQ:ZyOFxxrQJ0r3KYGnljw6AXfd

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d04bbb64aa6ebec0f04542b1844fd4b0N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	gueukal.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	d04bbb64aa6ebec0f04542b1844fd4b0N.exe

Executes dropped EXE 1 IoCs

pid	Process
5072	gueukal.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /G"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /T"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /u"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /y"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /h"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /H"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /j"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /N"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /s"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /B"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /W"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /n"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /F"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /q"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /m"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /v"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /S"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /I"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /k"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /p"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /Q"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /g"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /K"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /X"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /M"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /J"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /U"	d04bbb64aa6ebec0f04542b1844fd4b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /L"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /C"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /z"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /f"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /O"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /b"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /x"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /l"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /o"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /d"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /A"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /i"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /P"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /w"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /Z"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /t"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /Y"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /c"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /e"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /U"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /a"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /D"	gueukal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gueukal = "C:\\Users\\Admin\\gueukal.exe /V"	gueukal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d04bbb64aa6ebec0f04542b1844fd4b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gueukal.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4456	d04bbb64aa6ebec0f04542b1844fd4b0N.exe
4456	d04bbb64aa6ebec0f04542b1844fd4b0N.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe
5072	gueukal.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4456	d04bbb64aa6ebec0f04542b1844fd4b0N.exe
5072	gueukal.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 5072	4456	d04bbb64aa6ebec0f04542b1844fd4b0N.exe	89
PID 4456 wrote to memory of 5072	4456	d04bbb64aa6ebec0f04542b1844fd4b0N.exe	89
PID 4456 wrote to memory of 5072	4456	d04bbb64aa6ebec0f04542b1844fd4b0N.exe	89

C:\Users\Admin\AppData\Local\Temp\d04bbb64aa6ebec0f04542b1844fd4b0N.exe
"C:\Users\Admin\AppData\Local\Temp\d04bbb64aa6ebec0f04542b1844fd4b0N.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\gueukal.exe
  "C:\Users\Admin\gueukal.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\gueukal.exe

Filesize
156KB

MD5
8fc3446254c54a50e954bdb3fa1b7ae4

SHA1
b56d34b4ea0f17aacf04fcb687f7bed58420c2b2

SHA256
2b8903f717464306caf942925cc9c28d5a0b19d37f46ce6d91dd498f007b067a

SHA512
3c88c937c4a97d1302904af4a814a3305f71d259f32a73af2bb46989566fe4f0e01990898b4d4c247c1a5580dba1f3e4d9fd8a7a86653db5bf505afad59828ff

Download Submit