3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc

General

Target

3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe
Size

252KB
MD5

4ac1afd1d94d25e4495c8290591f4020
SHA1

fbaed259b8a0a3ee435fe8b5a307aa14fb2b7c2a
SHA256

3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc
SHA512

88da364ef35092c553698f7fa8dd6c8439198c875e19b9a1c1410e4196e42cbc06987bc67620ee5d63e9c35b6d105227bf4eeda6aa3d18e06f8b08f7e26600cc
SSDEEP

3072:grAc+x7LaShsNvZ0OgRqTAJcLGGO/xuiEyJeOOeGs5oxnkNzQKtjQx:grghCx/ZLA4PmG6dK

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

sioohul.exe3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	sioohul.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe

Executes dropped EXE 1 IoCs

Processes:

sioohul.exe

pid process

1816 sioohul.exe

pid	process
1816	sioohul.exe

Loads dropped DLL 2 IoCs

Processes:

3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe

pid	process
1960	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe
1960	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe

Adds Run key to start application 2 TTPs 43 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exesioohul.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /D"	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /z"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /f"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /F"	sioohul.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /h"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /Y"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /a"	sioohul.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /v"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /s"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /o"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /K"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /r"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /O"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /q"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /M"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /t"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /e"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /m"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /b"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /E"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /H"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /l"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /i"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /y"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /W"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /T"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /N"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /k"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /G"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /U"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /n"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /X"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /D"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /c"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /Z"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /L"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /I"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /J"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /p"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /d"	sioohul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\sioohul = "C:\\Users\\Admin\\sioohul.exe /C"	sioohul.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exesioohul.exe

pid	process
1960	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe
1816	sioohul.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exesioohul.exe

pid process

1960 3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe
1816 sioohul.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe

description	pid	process	target process
PID 1960 wrote to memory of 1816	1960	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe	sioohul.exe
PID 1960 wrote to memory of 1816	1960	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe	sioohul.exe
PID 1960 wrote to memory of 1816	1960	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe	sioohul.exe
PID 1960 wrote to memory of 1816	1960	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe	sioohul.exe

C:\Users\Admin\AppData\Local\Temp\3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe
"C:\Users\Admin\AppData\Local\Temp\3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\sioohul.exe
"C:\Users\Admin\sioohul.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\sioohul.exe

Filesize
252KB

MD5
107635b680e606446bbd7a92c8a38282

SHA1
c28ddaa9bea85e3307b4ddf14ff84f4acaf52236

SHA256
f47a80c3166619a226c6950aa1c0c5e7c43ef9d04728f6d8c277a064d5e4e41f

SHA512
c5eb88c573fb6b7d43097fad0cadb92356a992dba950104f582376eac7be977e16bcf5aa45e27e370cc8d2d3277179180a479708cdb32a33ccc35a909904a5de

Download Submit
C:\Users\Admin\sioohul.exe

Filesize
252KB

MD5
107635b680e606446bbd7a92c8a38282

SHA1
c28ddaa9bea85e3307b4ddf14ff84f4acaf52236

SHA256
f47a80c3166619a226c6950aa1c0c5e7c43ef9d04728f6d8c277a064d5e4e41f

SHA512
c5eb88c573fb6b7d43097fad0cadb92356a992dba950104f582376eac7be977e16bcf5aa45e27e370cc8d2d3277179180a479708cdb32a33ccc35a909904a5de

Download Submit
\Users\Admin\sioohul.exe

Filesize
252KB

MD5
107635b680e606446bbd7a92c8a38282

SHA1
c28ddaa9bea85e3307b4ddf14ff84f4acaf52236

SHA256
f47a80c3166619a226c6950aa1c0c5e7c43ef9d04728f6d8c277a064d5e4e41f

SHA512
c5eb88c573fb6b7d43097fad0cadb92356a992dba950104f582376eac7be977e16bcf5aa45e27e370cc8d2d3277179180a479708cdb32a33ccc35a909904a5de

Download Submit
\Users\Admin\sioohul.exe

Filesize
252KB

MD5
107635b680e606446bbd7a92c8a38282

SHA1
c28ddaa9bea85e3307b4ddf14ff84f4acaf52236

SHA256
f47a80c3166619a226c6950aa1c0c5e7c43ef9d04728f6d8c277a064d5e4e41f

SHA512
c5eb88c573fb6b7d43097fad0cadb92356a992dba950104f582376eac7be977e16bcf5aa45e27e370cc8d2d3277179180a479708cdb32a33ccc35a909904a5de

Download Submit
memory/1816-59-0x0000000000000000-mapping.dmp

Download
memory/1960-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads