Analysis
max time kernel: 154s
max time network: 42s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 03:03
Static task: static1
Behavioral task: behavioral1
  Sample: 9ad338fd84c70a692d80b8db75ec0901af7bd97fac8faed09ca0b29a13d090c7.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 9ad338fd84c70a692d80b8db75ec0901af7bd97fac8faed09ca0b29a13d090c7.exe
  Resource: win10v2004-20220812-en
General
Target: 9ad338fd84c70a692d80b8db75ec0901af7bd97fac8faed09ca0b29a13d090c7.exe
Size: 260KB
MD5: 6ec60db3890454a860914148a768a451
SHA1: 89d1609150580514695d86bcf709ac5dc3e0c8b0
SHA256: 9ad338fd84c70a692d80b8db75ec0901af7bd97fac8faed09ca0b29a13d090c7
SHA512: 78a32d35333320f06e1db498439135a42667f6584bd1d85b73d6cd3757e34a0a22e23791a04d5c4a944bf9c36b8b22ff0fdf97df2a5a72af3396dc4d210db9f5
SSDEEP: 6144:2dsQgTSrMaIl/jcLijfHFEHWzXvjT85R:2cTSrMaIqLlI/H85R
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: pyhoaq.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | pyhoaq.exe
Executes dropped EXE (1 IoC)
Processes: pyhoaq.exe
pid | process
576 | pyhoaq.exe
Loads dropped DLL (2 IoCs)
Processes: 9ad338fd84c70a692d80b8db75ec0901af7bd97fac8faed09ca0b29a13d090c7.exe
pid | process
1928 | 9ad338fd84c70a692d80b8db75ec0901af7bd97fac8faed09ca0b29a13d090c7.exe
1928 | 9ad338fd84c70a692d80b8db75ec0901af7bd97fac8faed09ca0b29a13d090c7.exe
Adds Run key to start application (2 TTPs, 52 IoCs)
Processes: pyhoaq.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /t" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /X" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /d" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /i" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /P" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /J" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /p" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /r" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /E" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /q" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /b" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /G" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /L" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /z" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /s" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /Y" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /j" | pyhoaq.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /C" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /x" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /M" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /g" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /D" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /F" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /I" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /T" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /A" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /w" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /c" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /S" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /O" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /U" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /Q" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /e" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /o" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /V" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /K" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /l" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /f" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /y" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /k" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /Z" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /m" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /a" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /h" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /W" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /v" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /B" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /n" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /N" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /u" | pyhoaq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyhoaq = "C:\\Users\\Admin\\pyhoaq.exe /R" | pyhoaq.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: pyhoaq.exe
pid | process
576 | pyhoaq.exe (this identical entry is listed 64 times in the report)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 9ad338fd84c70a692d80b8db75ec0901af7bd97fac8faed09ca0b29a13d090c7.exe, pyhoaq.exe
pid | process
1928 | 9ad338fd84c70a692d80b8db75ec0901af7bd97fac8faed09ca0b29a13d090c7.exe
576 | pyhoaq.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: 9ad338fd84c70a692d80b8db75ec0901af7bd97fac8faed09ca0b29a13d090c7.exe
description | pid | process | target process
PID 1928 wrote to memory of 576 | 1928 | 9ad338fd84c70a692d80b8db75ec0901af7bd97fac8faed09ca0b29a13d090c7.exe | pyhoaq.exe
PID 1928 wrote to memory of 576 | 1928 | 9ad338fd84c70a692d80b8db75ec0901af7bd97fac8faed09ca0b29a13d090c7.exe | pyhoaq.exe
PID 1928 wrote to memory of 576 | 1928 | 9ad338fd84c70a692d80b8db75ec0901af7bd97fac8faed09ca0b29a13d090c7.exe | pyhoaq.exe
PID 1928 wrote to memory of 576 | 1928 | 9ad338fd84c70a692d80b8db75ec0901af7bd97fac8faed09ca0b29a13d090c7.exe | pyhoaq.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\9ad338fd84c70a692d80b8db75ec0901af7bd97fac8faed09ca0b29a13d090c7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9ad338fd84c70a692d80b8db75ec0901af7bd97fac8faed09ca0b29a13d090c7.exe"
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\pyhoaq.exe
      Command line: "C:\Users\Admin\pyhoaq.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\pyhoaq.exe
Filesize: 260KB
MD5: 683e9c48075ce48a320a14c1fb71b647
SHA1: 1a00860d60704409426d1b1e9e543eaf4920c7ac
SHA256: cfc9c805466950774df9fd0a90f78cbbb00b16ec0cd97d17cd3bbb1f72e55b4b
SHA512: 5f65edaa5e5994c3cffdf87a2bc8e983e4350da4b1ad86f6725f6bd96b78f448347e5208e137abb5bc80e9abd0aba1538abb61acd4ed16547a613936de7e978d
\Users\Admin\pyhoaq.exe
Filesize: 260KB
MD5: 683e9c48075ce48a320a14c1fb71b647
SHA1: 1a00860d60704409426d1b1e9e543eaf4920c7ac
SHA256: cfc9c805466950774df9fd0a90f78cbbb00b16ec0cd97d17cd3bbb1f72e55b4b
SHA512: 5f65edaa5e5994c3cffdf87a2bc8e983e4350da4b1ad86f6725f6bd96b78f448347e5208e137abb5bc80e9abd0aba1538abb61acd4ed16547a613936de7e978d
memory/576-59-0x0000000000000000-mapping.dmp
memory/1928-56-0x00000000762B1000-0x00000000762B3000-memory.dmp
Filesize: 8KB