169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe
Size

310KB
MD5

5d6487ad4a77ff669cc2292d79dcb060
SHA1

71a9ac2c74777b9b36a3bea0543ba86a5dc00468
SHA256

169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d
SHA512

539621546849a19ef9c9ebb2efead9c8f11669503f8ab41b16b70367653a69058a3db61a7f43e431fd2003f2f69a40ca5b8ec069dc1aa03285ed1211e5ee1f9d
SSDEEP

6144:v8Q32/5jQ7TAN6nTi4WZy5smdxX7uJOt5dLFADkBmCzED:UQ3z769yR/X6kSDYzED

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
984	hiobic.exe

Deletes itself 1 IoCs

pid	Process
1368	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe
2028	169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	hiobic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hiobic = "C:\\Users\\Admin\\AppData\\Roaming\\Gyyt\\hiobic.exe"	hiobic.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 1368	2028	169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe	28

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe
984	hiobic.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 984	2028	169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe	27
PID 2028 wrote to memory of 984	2028	169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe	27
PID 2028 wrote to memory of 984	2028	169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe	27
PID 2028 wrote to memory of 984	2028	169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe	27
PID 984 wrote to memory of 1264	984	hiobic.exe	9
PID 984 wrote to memory of 1264	984	hiobic.exe	9
PID 984 wrote to memory of 1264	984	hiobic.exe	9
PID 984 wrote to memory of 1264	984	hiobic.exe	9
PID 984 wrote to memory of 1264	984	hiobic.exe	9
PID 984 wrote to memory of 1340	984	hiobic.exe	16
PID 984 wrote to memory of 1340	984	hiobic.exe	16
PID 984 wrote to memory of 1340	984	hiobic.exe	16
PID 984 wrote to memory of 1340	984	hiobic.exe	16
PID 984 wrote to memory of 1340	984	hiobic.exe	16
PID 984 wrote to memory of 1400	984	hiobic.exe	15
PID 984 wrote to memory of 1400	984	hiobic.exe	15
PID 984 wrote to memory of 1400	984	hiobic.exe	15
PID 984 wrote to memory of 1400	984	hiobic.exe	15
PID 984 wrote to memory of 1400	984	hiobic.exe	15
PID 984 wrote to memory of 2028	984	hiobic.exe	26
PID 984 wrote to memory of 2028	984	hiobic.exe	26
PID 984 wrote to memory of 2028	984	hiobic.exe	26
PID 984 wrote to memory of 2028	984	hiobic.exe	26
PID 984 wrote to memory of 2028	984	hiobic.exe	26
PID 2028 wrote to memory of 1368	2028	169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe	28
PID 2028 wrote to memory of 1368	2028	169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe	28
PID 2028 wrote to memory of 1368	2028	169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe	28
PID 2028 wrote to memory of 1368	2028	169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe	28
PID 2028 wrote to memory of 1368	2028	169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe	28
PID 2028 wrote to memory of 1368	2028	169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe	28
PID 2028 wrote to memory of 1368	2028	169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe	28
PID 2028 wrote to memory of 1368	2028	169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe	28
PID 2028 wrote to memory of 1368	2028	169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe	28

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1264

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1400
- C:\Users\Admin\AppData\Local\Temp\169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe
  "C:\Users\Admin\AppData\Local\Temp\169826082eb73760c3100a4b6ea7376ce92ac088a1119e4bd6edfa5f65de535d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Roaming\Gyyt\hiobic.exe
    "C:\Users\Admin\AppData\Roaming\Gyyt\hiobic.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:984
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf35b73f2.bat"
    3⤵
    - Deletes itself
    PID:1368

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpf35b73f2.bat

Filesize
307B

MD5
eb26876874d6f955cdd1be28b6661376

SHA1
a38ff8eae3772035bd5b4d6d40c6aa1d01a322e2

SHA256
beefdb6c41c7207091012a1e53f004008aadeeb1e88c84610fb7b35f0f3a2177

SHA512
d46c741f4a2e82f42c29f39853b23bee33c0074d823b619d13b765cd21d559d55da5efd512640eb12d81d3906be395afaf3a7a5c6053bf7b9851fa208604690d

Download Submit
C:\Users\Admin\AppData\Roaming\Gyyt\hiobic.exe

Filesize
310KB

MD5
d23d20fd5380f0e34e7b0e92b66583f9

SHA1
a6bf252b72195440c92cc434d100ae62c9cafc34

SHA256
0a6c1d828de0f6b829c56b6bcd6238409274ce689e7f7619a4c293869695636a

SHA512
f2a66ef00e599b2df5a31c8632c528a8f989f7b4d16d63ed1f813e9b939003f922176817569c7a0a6b98559c8c7f6fcf378cad94b5c878583507f76918071cd1

Download Submit
C:\Users\Admin\AppData\Roaming\Gyyt\hiobic.exe

Filesize
310KB

MD5
d23d20fd5380f0e34e7b0e92b66583f9

SHA1
a6bf252b72195440c92cc434d100ae62c9cafc34

SHA256
0a6c1d828de0f6b829c56b6bcd6238409274ce689e7f7619a4c293869695636a

SHA512
f2a66ef00e599b2df5a31c8632c528a8f989f7b4d16d63ed1f813e9b939003f922176817569c7a0a6b98559c8c7f6fcf378cad94b5c878583507f76918071cd1

Download Submit
\Users\Admin\AppData\Roaming\Gyyt\hiobic.exe

Filesize
310KB

MD5
d23d20fd5380f0e34e7b0e92b66583f9

SHA1
a6bf252b72195440c92cc434d100ae62c9cafc34

SHA256
0a6c1d828de0f6b829c56b6bcd6238409274ce689e7f7619a4c293869695636a

SHA512
f2a66ef00e599b2df5a31c8632c528a8f989f7b4d16d63ed1f813e9b939003f922176817569c7a0a6b98559c8c7f6fcf378cad94b5c878583507f76918071cd1

Download Submit
\Users\Admin\AppData\Roaming\Gyyt\hiobic.exe

Filesize
310KB

MD5
d23d20fd5380f0e34e7b0e92b66583f9

SHA1
a6bf252b72195440c92cc434d100ae62c9cafc34

SHA256
0a6c1d828de0f6b829c56b6bcd6238409274ce689e7f7619a4c293869695636a

SHA512
f2a66ef00e599b2df5a31c8632c528a8f989f7b4d16d63ed1f813e9b939003f922176817569c7a0a6b98559c8c7f6fcf378cad94b5c878583507f76918071cd1

Download Submit
memory/984-62-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1264-65-0x0000000001D20000-0x0000000001D68000-memory.dmp

Filesize
288KB

Download
memory/1264-67-0x0000000001D20000-0x0000000001D68000-memory.dmp

Filesize
288KB

Download
memory/1264-68-0x0000000001D20000-0x0000000001D68000-memory.dmp

Filesize
288KB

Download
memory/1264-70-0x0000000001D20000-0x0000000001D68000-memory.dmp

Filesize
288KB

Download
memory/1264-69-0x0000000001D20000-0x0000000001D68000-memory.dmp

Filesize
288KB

Download
memory/1340-75-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1340-76-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1340-73-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1340-74-0x0000000000120000-0x0000000000168000-memory.dmp

Filesize
288KB

Download
memory/1368-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1368-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1368-97-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1368-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1368-99-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1368-113-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1368-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1368-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1368-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1368-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1368-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1368-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1400-82-0x00000000026F0000-0x0000000002738000-memory.dmp

Filesize
288KB

Download
memory/1400-81-0x00000000026F0000-0x0000000002738000-memory.dmp

Filesize
288KB

Download
memory/1400-80-0x00000000026F0000-0x0000000002738000-memory.dmp

Filesize
288KB

Download
memory/1400-79-0x00000000026F0000-0x0000000002738000-memory.dmp

Filesize
288KB

Download
memory/2028-86-0x0000000000500000-0x0000000000548000-memory.dmp

Filesize
288KB

Download
memory/2028-55-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/2028-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2028-103-0x0000000000500000-0x0000000000548000-memory.dmp

Filesize
288KB

Download
memory/2028-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2028-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2028-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2028-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2028-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2028-88-0x0000000000500000-0x0000000000548000-memory.dmp

Filesize
288KB

Download
memory/2028-56-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/2028-87-0x0000000000500000-0x0000000000548000-memory.dmp

Filesize
288KB

Download
memory/2028-54-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2028-85-0x0000000000500000-0x0000000000548000-memory.dmp

Filesize
288KB

Download