a79bbc55511434b0184170b0b7d3ae585af7306412b9ebca8be6801cc143c43e

Analysis

max time kernel
151s
max time network
98s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a79bbc55511434b0184170b0b7d3ae585af7306412b9ebca8be6801cc143c43e.exe
Size

172KB
MD5

339a4e80789b07aa07f394bfed6fb882
SHA1

766ae99d413e333f808f18ba92786e235baaf5b8
SHA256

a79bbc55511434b0184170b0b7d3ae585af7306412b9ebca8be6801cc143c43e
SHA512

e1f4a4210c51452322347ba8874848cdc6eeca48c5dac6b35c17e4a058ce1dc9ba36c81f2dc7fc024e3def19bf753dbd460969c917dd3aff53cf7ae3c2d72c22
SSDEEP

3072:mdHhSR9lbep9Chu7Gbwhd5eEQMSZdSkxiAPbmW8mjCwH:mEepqu7CwteASZdBxPbPJ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a79bbc55511434b0184170b0b7d3ae585af7306412b9ebca8be6801cc143c43e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	coihox.exe

Executes dropped EXE 1 IoCs

pid	Process
1900	coihox.exe

Loads dropped DLL 2 IoCs

pid	Process
368	a79bbc55511434b0184170b0b7d3ae585af7306412b9ebca8be6801cc143c43e.exe
368	a79bbc55511434b0184170b0b7d3ae585af7306412b9ebca8be6801cc143c43e.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /Q"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /v"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /J"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /u"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /C"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /B"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /O"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /A"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /N"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /j"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /h"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /Z"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /e"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /D"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /V"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /S"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /T"	coihox.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	a79bbc55511434b0184170b0b7d3ae585af7306412b9ebca8be6801cc143c43e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /c"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /q"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /H"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /a"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /d"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /F"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /n"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /X"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /m"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /r"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /E"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /w"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /s"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /t"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /Y"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /g"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /b"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /k"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /o"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /y"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /x"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /i"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /U"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /R"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /P"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /p"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /K"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /D"	a79bbc55511434b0184170b0b7d3ae585af7306412b9ebca8be6801cc143c43e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /l"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /z"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /L"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /M"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /G"	coihox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\coihox = "C:\\Users\\Admin\\coihox.exe /f"	coihox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
368	a79bbc55511434b0184170b0b7d3ae585af7306412b9ebca8be6801cc143c43e.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe
1900	coihox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
368	a79bbc55511434b0184170b0b7d3ae585af7306412b9ebca8be6801cc143c43e.exe
1900	coihox.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1900	368	a79bbc55511434b0184170b0b7d3ae585af7306412b9ebca8be6801cc143c43e.exe	27
PID 368 wrote to memory of 1900	368	a79bbc55511434b0184170b0b7d3ae585af7306412b9ebca8be6801cc143c43e.exe	27
PID 368 wrote to memory of 1900	368	a79bbc55511434b0184170b0b7d3ae585af7306412b9ebca8be6801cc143c43e.exe	27
PID 368 wrote to memory of 1900	368	a79bbc55511434b0184170b0b7d3ae585af7306412b9ebca8be6801cc143c43e.exe	27

C:\Users\Admin\AppData\Local\Temp\a79bbc55511434b0184170b0b7d3ae585af7306412b9ebca8be6801cc143c43e.exe
"C:\Users\Admin\AppData\Local\Temp\a79bbc55511434b0184170b0b7d3ae585af7306412b9ebca8be6801cc143c43e.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368
- C:\Users\Admin\coihox.exe
  "C:\Users\Admin\coihox.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\coihox.exe

Filesize
172KB

MD5
82798a0d5916eecae616d18dba77efb0

SHA1
b907484187d68318984ee5bdf17b7b3980c27e5e

SHA256
418e8c455d18cb9d0eea50b4f1eb433e6fd94fa16f9eb85d17467e7fb296bb36

SHA512
1647cf7dce2fcb711d50b27cae68c34e7e2241ef9f8363fa4bac2b850cabc58926e3344626dc71afd734a44dc3784e4bf2b1ff78c97203508b8b8745c2d1d44c

Download Submit
C:\Users\Admin\coihox.exe

Filesize
172KB

MD5
82798a0d5916eecae616d18dba77efb0

SHA1
b907484187d68318984ee5bdf17b7b3980c27e5e

SHA256
418e8c455d18cb9d0eea50b4f1eb433e6fd94fa16f9eb85d17467e7fb296bb36

SHA512
1647cf7dce2fcb711d50b27cae68c34e7e2241ef9f8363fa4bac2b850cabc58926e3344626dc71afd734a44dc3784e4bf2b1ff78c97203508b8b8745c2d1d44c

Download Submit
\Users\Admin\coihox.exe

Filesize
172KB

MD5
82798a0d5916eecae616d18dba77efb0

SHA1
b907484187d68318984ee5bdf17b7b3980c27e5e

SHA256
418e8c455d18cb9d0eea50b4f1eb433e6fd94fa16f9eb85d17467e7fb296bb36

SHA512
1647cf7dce2fcb711d50b27cae68c34e7e2241ef9f8363fa4bac2b850cabc58926e3344626dc71afd734a44dc3784e4bf2b1ff78c97203508b8b8745c2d1d44c

Download Submit
\Users\Admin\coihox.exe

Filesize
172KB

MD5
82798a0d5916eecae616d18dba77efb0

SHA1
b907484187d68318984ee5bdf17b7b3980c27e5e

SHA256
418e8c455d18cb9d0eea50b4f1eb433e6fd94fa16f9eb85d17467e7fb296bb36

SHA512
1647cf7dce2fcb711d50b27cae68c34e7e2241ef9f8363fa4bac2b850cabc58926e3344626dc71afd734a44dc3784e4bf2b1ff78c97203508b8b8745c2d1d44c

Download Submit
memory/368-56-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download