cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317

General

Target

cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
Size

368KB
MD5

e0e79354e6b6234d87efdbf52c232657
SHA1

b4f62408f5e143cb8a2d82cfdbc6b7d4021a5580
SHA256

cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317
SHA512

e9bfc75304e7f962f7ccacd46878b58a72782bc73a7d8960edf1dbfc129033206f3abae7f9331bd9fb428213caa4e343aabd6e7b195e992dbe6f4257fd3f918a
SSDEEP

1536:s0PkF42Z/Hmkiw+667MIBf28zPJtC6IoD/QWgxektFAo11Sq:TPA42mLf2RxIfq

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

teayoel.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	teayoel.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe

Executes dropped EXE 1 IoCs

Processes:

teayoel.exe

pid process

2800 teayoel.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

teayoel.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /p"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /B"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /R"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /V"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /H"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /O"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /J"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /I"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /y"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /r"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /e"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /a"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /o"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /q"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /g"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /E"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /c"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /K"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /L"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /Q"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /u"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /Y"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /z"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /C"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /m"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /X"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /M"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /S"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /h"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /d"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /D"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /Z"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /T"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /G"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /b"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /v"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /U"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /w"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /x"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /N"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /k"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /s"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /i"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /j"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /l"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /f"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /F"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /A"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /t"	teayoel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\teayoel = "C:\\Users\\Admin\\teayoel.exe /W"	teayoel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exeteayoel.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	teayoel.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

teayoel.exe

pid	process
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe
2800	teayoel.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exeteayoel.exe

pid process

4520 cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
2800 teayoel.exe

pid	process
4520	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
2800	teayoel.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exeteayoel.exe

description	pid	process	target process
PID 4520 wrote to memory of 2800	4520	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe	teayoel.exe
PID 4520 wrote to memory of 2800	4520	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe	teayoel.exe
PID 4520 wrote to memory of 2800	4520	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe	teayoel.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
PID 2800 wrote to memory of 4520	2800	teayoel.exe	cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe

C:\Users\Admin\AppData\Local\Temp\cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe
"C:\Users\Admin\AppData\Local\Temp\cff19385f9abc2d4c672c64c94ae4ebea2dd74e5abd17464f08809d3aebe6317.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\teayoel.exe
  "C:\Users\Admin\teayoel.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\teayoel.exe

Filesize
368KB

MD5
a3a43207c362a7d1b89ed5a3016de83b

SHA1
94cfe1501c0be52dafac256ad5bf97782e9d5aff

SHA256
1402acc0c45bb4211237485fededa3697926bb2088e10b3b2a4c197c61e69068

SHA512
0c269f2d31bd2604fa6cd9fd4b82f7c117baf2078401899a7effcab67a91aef77ec7b6de2b1f5569181b741aa45dcd519f3cd247a4b57b9d8482e3fd9e5825fb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads