6b00b2eb5b38ce8029ee73e2c768b2ae49dde5806936f0afa13d5e06d41b9352

Analysis

max time kernel
152s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b00b2eb5b38ce8029ee73e2c768b2ae49dde5806936f0afa13d5e06d41b9352.exe
Size

292KB
MD5

8339c641e1597a6e99c55bcca29a5d8f
SHA1

3a893df1cf3559c251c086a8518698029cbfbfbe
SHA256

6b00b2eb5b38ce8029ee73e2c768b2ae49dde5806936f0afa13d5e06d41b9352
SHA512

8cf000083a27a79180d4d8d50b03bfa1e10eb65fe49d197b2211da1063a64b0dc7d95dddf63bfb39da3ef5b2b9d7fa4203504aa627336476b7cf5779d272da81
SSDEEP

3072:Cn4Od4P9dihOBq7CFLuupaFBzxk7c7awSZohDnjV2S8NmMx3WarRDS5NtpTxzsUi:CSiWLuupszxk7USZoDnp23xmg9AtEU

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hioak.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	6b00b2eb5b38ce8029ee73e2c768b2ae49dde5806936f0afa13d5e06d41b9352.exe

Executes dropped EXE 1 IoCs

pid	Process
1160	hioak.exe

Loads dropped DLL 2 IoCs

pid	Process
1424	6b00b2eb5b38ce8029ee73e2c768b2ae49dde5806936f0afa13d5e06d41b9352.exe
1424	6b00b2eb5b38ce8029ee73e2c768b2ae49dde5806936f0afa13d5e06d41b9352.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /O"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /A"	hioak.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	6b00b2eb5b38ce8029ee73e2c768b2ae49dde5806936f0afa13d5e06d41b9352.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /W"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /V"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /g"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /p"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /k"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /f"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /r"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /h"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /Y"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /s"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /z"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /J"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /m"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /j"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /E"	hioak.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /B"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /t"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /x"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /S"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /t"	6b00b2eb5b38ce8029ee73e2c768b2ae49dde5806936f0afa13d5e06d41b9352.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /U"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /N"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /e"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /H"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /i"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /M"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /y"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /X"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /c"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /I"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /R"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /F"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /a"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /b"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /T"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /P"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /o"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /l"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /D"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /v"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /C"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /L"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /Z"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /n"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /d"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /u"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /K"	hioak.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hioak = "C:\\Users\\Admin\\hioak.exe /q"	hioak.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1424	6b00b2eb5b38ce8029ee73e2c768b2ae49dde5806936f0afa13d5e06d41b9352.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe
1160	hioak.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1424	6b00b2eb5b38ce8029ee73e2c768b2ae49dde5806936f0afa13d5e06d41b9352.exe
1160	hioak.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1160	1424	6b00b2eb5b38ce8029ee73e2c768b2ae49dde5806936f0afa13d5e06d41b9352.exe	26
PID 1424 wrote to memory of 1160	1424	6b00b2eb5b38ce8029ee73e2c768b2ae49dde5806936f0afa13d5e06d41b9352.exe	26
PID 1424 wrote to memory of 1160	1424	6b00b2eb5b38ce8029ee73e2c768b2ae49dde5806936f0afa13d5e06d41b9352.exe	26
PID 1424 wrote to memory of 1160	1424	6b00b2eb5b38ce8029ee73e2c768b2ae49dde5806936f0afa13d5e06d41b9352.exe	26

C:\Users\Admin\AppData\Local\Temp\6b00b2eb5b38ce8029ee73e2c768b2ae49dde5806936f0afa13d5e06d41b9352.exe
"C:\Users\Admin\AppData\Local\Temp\6b00b2eb5b38ce8029ee73e2c768b2ae49dde5806936f0afa13d5e06d41b9352.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\hioak.exe
  "C:\Users\Admin\hioak.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\hioak.exe

Filesize
292KB

MD5
f20b4a647f912a9b19c3eacaad32a340

SHA1
272cc40a1cd5c608a15a4dd3b35815a001bd79aa

SHA256
c4632e42a528dc04ef839892418ce62c723595f72e6aa8a0ee61086b1c22654f

SHA512
b2ce47e851cb4b353d04d4c0c6685198b1815f6cd85d8bf064011f40ab68262b1d262e44213a2af961ed9d4aee128045d61bb1ed01687aca3bc9689a6d3713e2

Download Submit
C:\Users\Admin\hioak.exe

Filesize
292KB

MD5
f20b4a647f912a9b19c3eacaad32a340

SHA1
272cc40a1cd5c608a15a4dd3b35815a001bd79aa

SHA256
c4632e42a528dc04ef839892418ce62c723595f72e6aa8a0ee61086b1c22654f

SHA512
b2ce47e851cb4b353d04d4c0c6685198b1815f6cd85d8bf064011f40ab68262b1d262e44213a2af961ed9d4aee128045d61bb1ed01687aca3bc9689a6d3713e2

Download Submit
\Users\Admin\hioak.exe

Filesize
292KB

MD5
f20b4a647f912a9b19c3eacaad32a340

SHA1
272cc40a1cd5c608a15a4dd3b35815a001bd79aa

SHA256
c4632e42a528dc04ef839892418ce62c723595f72e6aa8a0ee61086b1c22654f

SHA512
b2ce47e851cb4b353d04d4c0c6685198b1815f6cd85d8bf064011f40ab68262b1d262e44213a2af961ed9d4aee128045d61bb1ed01687aca3bc9689a6d3713e2

Download Submit
\Users\Admin\hioak.exe

Filesize
292KB

MD5
f20b4a647f912a9b19c3eacaad32a340

SHA1
272cc40a1cd5c608a15a4dd3b35815a001bd79aa

SHA256
c4632e42a528dc04ef839892418ce62c723595f72e6aa8a0ee61086b1c22654f

SHA512
b2ce47e851cb4b353d04d4c0c6685198b1815f6cd85d8bf064011f40ab68262b1d262e44213a2af961ed9d4aee128045d61bb1ed01687aca3bc9689a6d3713e2

Download Submit
memory/1160-59-0x0000000000000000-mapping.dmp

Download
memory/1424-56-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download