a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd

Analysis

max time kernel
164s
max time network
77s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 22:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe
Size

88KB
MD5

5d66df5aad51b1f2ec533983f9915852
SHA1

46b2a4fffa7f3c3a3c008c6e487c742ea3184031
SHA256

a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd
SHA512

f7aa23af00ecb87ac9fd41d743eb0af2daa8ccd8e05e1933cefd349ddeda4945f9bff35145eef96915b47b09f99f2c5d445564d9a2b68c9d77a1a029947ec4d4
SSDEEP

768:7Lk9rFEGNu34C/lfQzxKztTp8KS5k+qIYvCdUwY7EqVN14+QCnq/K/7ZP:7LksGGloAztd8HtPY7DN14Oqi/7ZP

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	saoix.exe

Executes dropped EXE 1 IoCs

pid	Process
1700	saoix.exe

Loads dropped DLL 2 IoCs

pid	Process
1888	a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe
1888	a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /s"	saoix.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /h"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /y"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /m"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /w"	saoix.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /q"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /e"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /u"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /i"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /x"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /f"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /n"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /a"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /j"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /d"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /r"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /p"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /v"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /l"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /t"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /k"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /g"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /z"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /o"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /l"	a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /c"	saoix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\saoix = "C:\\Users\\Admin\\saoix.exe /b"	saoix.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1888	a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe
1700	saoix.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1888	a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe
1700	saoix.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 1700	1888	a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe	28
PID 1888 wrote to memory of 1700	1888	a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe	28
PID 1888 wrote to memory of 1700	1888	a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe	28
PID 1888 wrote to memory of 1700	1888	a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe	28

C:\Users\Admin\AppData\Local\Temp\a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe
"C:\Users\Admin\AppData\Local\Temp\a591d2628783ceb7fcf2333870324e464451a838ae2878a4667357718a110abd.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\saoix.exe
  "C:\Users\Admin\saoix.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\saoix.exe

Filesize
88KB

MD5
974205e4e4fe23cbdede8c7f59743923

SHA1
070410f8155fd556b62db857304d8c1f4072b891

SHA256
0b94bac258cde07d16abc86289a2cd26d6f70f1207152b5f1d3d78401da7cb2d

SHA512
ba5de59a0c20c62e419cc1cbb51a4282685fa895da832bf6185e2e69f84a484e0d91e1a046995f23ef3fe9c2a62eb89ea9e366152632da2a392abcde51182675

Download Submit
C:\Users\Admin\saoix.exe

Filesize
88KB

MD5
974205e4e4fe23cbdede8c7f59743923

SHA1
070410f8155fd556b62db857304d8c1f4072b891

SHA256
0b94bac258cde07d16abc86289a2cd26d6f70f1207152b5f1d3d78401da7cb2d

SHA512
ba5de59a0c20c62e419cc1cbb51a4282685fa895da832bf6185e2e69f84a484e0d91e1a046995f23ef3fe9c2a62eb89ea9e366152632da2a392abcde51182675

Download Submit
\Users\Admin\saoix.exe

Filesize
88KB

MD5
974205e4e4fe23cbdede8c7f59743923

SHA1
070410f8155fd556b62db857304d8c1f4072b891

SHA256
0b94bac258cde07d16abc86289a2cd26d6f70f1207152b5f1d3d78401da7cb2d

SHA512
ba5de59a0c20c62e419cc1cbb51a4282685fa895da832bf6185e2e69f84a484e0d91e1a046995f23ef3fe9c2a62eb89ea9e366152632da2a392abcde51182675

Download Submit
\Users\Admin\saoix.exe

Filesize
88KB

MD5
974205e4e4fe23cbdede8c7f59743923

SHA1
070410f8155fd556b62db857304d8c1f4072b891

SHA256
0b94bac258cde07d16abc86289a2cd26d6f70f1207152b5f1d3d78401da7cb2d

SHA512
ba5de59a0c20c62e419cc1cbb51a4282685fa895da832bf6185e2e69f84a484e0d91e1a046995f23ef3fe9c2a62eb89ea9e366152632da2a392abcde51182675

Download Submit
memory/1888-56-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download