9a93c98b6eaeb139f9298366d409a730dfc9bb4355691f09c0504c049b31cde5

Analysis

max time kernel
195s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a93c98b6eaeb139f9298366d409a730dfc9bb4355691f09c0504c049b31cde5.exe
Size

132KB
MD5

2c64d8361467cbf231225f25727b57a8
SHA1

213d4e0c1a1ac045ba42870232110a2dae0af5a9
SHA256

9a93c98b6eaeb139f9298366d409a730dfc9bb4355691f09c0504c049b31cde5
SHA512

ed61fea00532b1019caa07b6de0c031de3f7a8405d84a18ae05bd0e7556e7ab93b71cd481c1c85c454b999d40128e92b0fadecea91bee8fb517d578562370b2d
SSDEEP

1536:GZm4I/TxyVH6rM2qEbBkIvI4DyQDIws/HmmYbRdfuL0wo7JaS/:yI/TsVH63qEbBkn4e2s/HmlTf1wQd

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9a93c98b6eaeb139f9298366d409a730dfc9bb4355691f09c0504c049b31cde5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hooav.exe

Executes dropped EXE 1 IoCs

pid	Process
4236	hooav.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	9a93c98b6eaeb139f9298366d409a730dfc9bb4355691f09c0504c049b31cde5.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /m"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /k"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /Y"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /K"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /y"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /q"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /L"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /P"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /c"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /M"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /X"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /H"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /Z"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /j"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /b"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /e"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /s"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /p"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /z"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /n"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /V"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /J"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /r"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /D"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /i"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /x"	hooav.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	9a93c98b6eaeb139f9298366d409a730dfc9bb4355691f09c0504c049b31cde5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /R"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /u"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /l"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /d"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /a"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /h"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /T"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /N"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /B"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /v"	9a93c98b6eaeb139f9298366d409a730dfc9bb4355691f09c0504c049b31cde5.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /v"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /W"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /C"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /f"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /S"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /G"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /I"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /o"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /Q"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /w"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /t"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /A"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /g"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /U"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /F"	hooav.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hooav = "C:\\Users\\Admin\\hooav.exe /E"	hooav.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1484	9a93c98b6eaeb139f9298366d409a730dfc9bb4355691f09c0504c049b31cde5.exe
1484	9a93c98b6eaeb139f9298366d409a730dfc9bb4355691f09c0504c049b31cde5.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe
4236	hooav.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1484	9a93c98b6eaeb139f9298366d409a730dfc9bb4355691f09c0504c049b31cde5.exe
4236	hooav.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 4236	1484	9a93c98b6eaeb139f9298366d409a730dfc9bb4355691f09c0504c049b31cde5.exe	81
PID 1484 wrote to memory of 4236	1484	9a93c98b6eaeb139f9298366d409a730dfc9bb4355691f09c0504c049b31cde5.exe	81
PID 1484 wrote to memory of 4236	1484	9a93c98b6eaeb139f9298366d409a730dfc9bb4355691f09c0504c049b31cde5.exe	81

C:\Users\Admin\AppData\Local\Temp\9a93c98b6eaeb139f9298366d409a730dfc9bb4355691f09c0504c049b31cde5.exe
"C:\Users\Admin\AppData\Local\Temp\9a93c98b6eaeb139f9298366d409a730dfc9bb4355691f09c0504c049b31cde5.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\hooav.exe
  "C:\Users\Admin\hooav.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\hooav.exe

Filesize
132KB

MD5
0680333d92cf608877c157b8d23588fe

SHA1
7e1fc0ff309b816d6a8078c0c7be4c6460278486

SHA256
87bd451d97e27aaabff303250b43af22340697e0185f0e99dda06f86b8058a1a

SHA512
84406200fcff30048d734b42f50fb571b9b8f77cda8dd8e3f96b8d922df2640a7611eec846b1d8019dce886860715ca37112efe66a92315375c16ddbe9a16a7d

Download Submit
C:\Users\Admin\hooav.exe

Filesize
132KB

MD5
0680333d92cf608877c157b8d23588fe

SHA1
7e1fc0ff309b816d6a8078c0c7be4c6460278486

SHA256
87bd451d97e27aaabff303250b43af22340697e0185f0e99dda06f86b8058a1a

SHA512
84406200fcff30048d734b42f50fb571b9b8f77cda8dd8e3f96b8d922df2640a7611eec846b1d8019dce886860715ca37112efe66a92315375c16ddbe9a16a7d

Download Submit