e016fa5d36397d6da6aafae08dfc84c8225bc691e0cf24ef5cf29a68f297ef20

Analysis

max time kernel
154s
max time network
79s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/12/2022, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e016fa5d36397d6da6aafae08dfc84c8225bc691e0cf24ef5cf29a68f297ef20.exe
Size

244KB
MD5

ccdf2354f3999805f9b6f07d544b2bcc
SHA1

212588057a74a1fe3fff988e6f7279f582f9c196
SHA256

e016fa5d36397d6da6aafae08dfc84c8225bc691e0cf24ef5cf29a68f297ef20
SHA512

612c5893bacf2d6941a4ba07351d3b392f68cc8daab2a88f5e6668edd6a2b1310bf58ac5bfaf9857fe44ceb6dfaef8fa554c7ebe7b48f6a970ea66ef73348077
SSDEEP

3072:e7VlhN1mhpnvyMZeet/8LWCyiHCOXfPVG:aSvyMwNWCyiHCh

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	gnhib.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e016fa5d36397d6da6aafae08dfc84c8225bc691e0cf24ef5cf29a68f297ef20.exe

Executes dropped EXE 1 IoCs

pid	Process
1448	gnhib.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	e016fa5d36397d6da6aafae08dfc84c8225bc691e0cf24ef5cf29a68f297ef20.exe
2028	e016fa5d36397d6da6aafae08dfc84c8225bc691e0cf24ef5cf29a68f297ef20.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /u"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /d"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /x"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /n"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /t"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /m"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /l"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /c"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /s"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /v"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /e"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /y"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /a"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /r"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /k"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /o"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /f"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /q"	gnhib.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	e016fa5d36397d6da6aafae08dfc84c8225bc691e0cf24ef5cf29a68f297ef20.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /g"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /j"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /e"	e016fa5d36397d6da6aafae08dfc84c8225bc691e0cf24ef5cf29a68f297ef20.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /w"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /z"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /h"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /p"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /b"	gnhib.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\gnhib = "C:\\Users\\Admin\\gnhib.exe /i"	gnhib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2028	e016fa5d36397d6da6aafae08dfc84c8225bc691e0cf24ef5cf29a68f297ef20.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe
1448	gnhib.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2028	e016fa5d36397d6da6aafae08dfc84c8225bc691e0cf24ef5cf29a68f297ef20.exe
1448	gnhib.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1448	2028	e016fa5d36397d6da6aafae08dfc84c8225bc691e0cf24ef5cf29a68f297ef20.exe	28
PID 2028 wrote to memory of 1448	2028	e016fa5d36397d6da6aafae08dfc84c8225bc691e0cf24ef5cf29a68f297ef20.exe	28
PID 2028 wrote to memory of 1448	2028	e016fa5d36397d6da6aafae08dfc84c8225bc691e0cf24ef5cf29a68f297ef20.exe	28
PID 2028 wrote to memory of 1448	2028	e016fa5d36397d6da6aafae08dfc84c8225bc691e0cf24ef5cf29a68f297ef20.exe	28

C:\Users\Admin\AppData\Local\Temp\e016fa5d36397d6da6aafae08dfc84c8225bc691e0cf24ef5cf29a68f297ef20.exe
"C:\Users\Admin\AppData\Local\Temp\e016fa5d36397d6da6aafae08dfc84c8225bc691e0cf24ef5cf29a68f297ef20.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\gnhib.exe
  "C:\Users\Admin\gnhib.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\gnhib.exe

Filesize
244KB

MD5
ff6e9920b183df00040eff1fbace8697

SHA1
723f40fc44c7df914cde749f9ace7c36596257b3

SHA256
d38f41b93feb27a9c5869d36e5bf992dd03ed50faab955e1bd5bb51073e9ddef

SHA512
671ce4372fca9b5f8695c2d1d522c8479b7683987f4cd0ac9c6626d9cb405760dc5c3a9878e050591a92a9d64915d8a1036f0252c1e8959cd900e07069c959ba

Download Submit
C:\Users\Admin\gnhib.exe

Filesize
244KB

MD5
ff6e9920b183df00040eff1fbace8697

SHA1
723f40fc44c7df914cde749f9ace7c36596257b3

SHA256
d38f41b93feb27a9c5869d36e5bf992dd03ed50faab955e1bd5bb51073e9ddef

SHA512
671ce4372fca9b5f8695c2d1d522c8479b7683987f4cd0ac9c6626d9cb405760dc5c3a9878e050591a92a9d64915d8a1036f0252c1e8959cd900e07069c959ba

Download Submit
\Users\Admin\gnhib.exe

Filesize
244KB

MD5
ff6e9920b183df00040eff1fbace8697

SHA1
723f40fc44c7df914cde749f9ace7c36596257b3

SHA256
d38f41b93feb27a9c5869d36e5bf992dd03ed50faab955e1bd5bb51073e9ddef

SHA512
671ce4372fca9b5f8695c2d1d522c8479b7683987f4cd0ac9c6626d9cb405760dc5c3a9878e050591a92a9d64915d8a1036f0252c1e8959cd900e07069c959ba

Download Submit
\Users\Admin\gnhib.exe

Filesize
244KB

MD5
ff6e9920b183df00040eff1fbace8697

SHA1
723f40fc44c7df914cde749f9ace7c36596257b3

SHA256
d38f41b93feb27a9c5869d36e5bf992dd03ed50faab955e1bd5bb51073e9ddef

SHA512
671ce4372fca9b5f8695c2d1d522c8479b7683987f4cd0ac9c6626d9cb405760dc5c3a9878e050591a92a9d64915d8a1036f0252c1e8959cd900e07069c959ba

Download Submit
memory/2028-56-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download