a9234dff8a64328461cb1f63d0402dc8b31c9f6e3cbbf51a1e677060e8403f27

Analysis

max time kernel
155s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9234dff8a64328461cb1f63d0402dc8b31c9f6e3cbbf51a1e677060e8403f27.exe
Size

156KB
MD5

50b9619b10bfd211b07c4c14416d0821
SHA1

a5d63cc14648854847612fd5935949d606906748
SHA256

a9234dff8a64328461cb1f63d0402dc8b31c9f6e3cbbf51a1e677060e8403f27
SHA512

55fe2495b7a36e66ed7558025a795b307c26a93590f0df7261fa9aaabf8c7353efba8924957f34dce3fbf3f237d8c35ddff9f7a06828d9bf744997d573eb9f17
SSDEEP

3072:qiFKQjNziEAphCjG8G3GbGVGBGfGuGxGWYcrf6KadE:qiMQJiEeAYcD6Kad

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	moibu.exe

Executes dropped EXE 1 IoCs

pid	Process
1684	moibu.exe

Loads dropped DLL 2 IoCs

pid	Process
1976	a9234dff8a64328461cb1f63d0402dc8b31c9f6e3cbbf51a1e677060e8403f27.exe
1976	a9234dff8a64328461cb1f63d0402dc8b31c9f6e3cbbf51a1e677060e8403f27.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\moibu = "C:\\Users\\Admin\\moibu.exe"	moibu.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	moibu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe
1684	moibu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1976	a9234dff8a64328461cb1f63d0402dc8b31c9f6e3cbbf51a1e677060e8403f27.exe
1684	moibu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1684	1976	a9234dff8a64328461cb1f63d0402dc8b31c9f6e3cbbf51a1e677060e8403f27.exe	26
PID 1976 wrote to memory of 1684	1976	a9234dff8a64328461cb1f63d0402dc8b31c9f6e3cbbf51a1e677060e8403f27.exe	26
PID 1976 wrote to memory of 1684	1976	a9234dff8a64328461cb1f63d0402dc8b31c9f6e3cbbf51a1e677060e8403f27.exe	26
PID 1976 wrote to memory of 1684	1976	a9234dff8a64328461cb1f63d0402dc8b31c9f6e3cbbf51a1e677060e8403f27.exe	26
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25
PID 1684 wrote to memory of 1976	1684	moibu.exe	25

C:\Users\Admin\AppData\Local\Temp\a9234dff8a64328461cb1f63d0402dc8b31c9f6e3cbbf51a1e677060e8403f27.exe
"C:\Users\Admin\AppData\Local\Temp\a9234dff8a64328461cb1f63d0402dc8b31c9f6e3cbbf51a1e677060e8403f27.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\moibu.exe
  "C:\Users\Admin\moibu.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\moibu.exe

Filesize
156KB

MD5
19f7004c092c220b28ef4f2311dea9a2

SHA1
a9e32816a8664b788ab11ba588b1d244f5fc6965

SHA256
0e405daaf46c015f81daf9797eb4aed3ea0c9642cbcc8650410d0c7376eaa6d8

SHA512
de310f123d568d6f65e9485e438102baf3757acbab38db24bb779a0f6b512a477c78b0ddd5b7b1f6b3111b70a50a956712a05d9d59fe4cb4c7318df2325a43c8

Download Submit
C:\Users\Admin\moibu.exe

Filesize
156KB

MD5
19f7004c092c220b28ef4f2311dea9a2

SHA1
a9e32816a8664b788ab11ba588b1d244f5fc6965

SHA256
0e405daaf46c015f81daf9797eb4aed3ea0c9642cbcc8650410d0c7376eaa6d8

SHA512
de310f123d568d6f65e9485e438102baf3757acbab38db24bb779a0f6b512a477c78b0ddd5b7b1f6b3111b70a50a956712a05d9d59fe4cb4c7318df2325a43c8

Download Submit
\Users\Admin\moibu.exe

Filesize
156KB

MD5
19f7004c092c220b28ef4f2311dea9a2

SHA1
a9e32816a8664b788ab11ba588b1d244f5fc6965

SHA256
0e405daaf46c015f81daf9797eb4aed3ea0c9642cbcc8650410d0c7376eaa6d8

SHA512
de310f123d568d6f65e9485e438102baf3757acbab38db24bb779a0f6b512a477c78b0ddd5b7b1f6b3111b70a50a956712a05d9d59fe4cb4c7318df2325a43c8

Download Submit
\Users\Admin\moibu.exe

Filesize
156KB

MD5
19f7004c092c220b28ef4f2311dea9a2

SHA1
a9e32816a8664b788ab11ba588b1d244f5fc6965

SHA256
0e405daaf46c015f81daf9797eb4aed3ea0c9642cbcc8650410d0c7376eaa6d8

SHA512
de310f123d568d6f65e9485e438102baf3757acbab38db24bb779a0f6b512a477c78b0ddd5b7b1f6b3111b70a50a956712a05d9d59fe4cb4c7318df2325a43c8

Download Submit
memory/1976-56-0x00000000754E1000-0x00000000754E3000-memory.dmp

Filesize
8KB

Download