Analysis
max time kernel: 91s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220812-es
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-es, locale:es-es, os:windows10-2004-x64, system, windows
submitted: 09-02-2023 22:41
Static task
static1
Behavioral tasks
behavioral1: Hoic.rar on win7-20220812-es
behavioral2: Hoic.rar on win10v2004-20220812-es
behavioral3: Hoic/hoic2.1.exe on win7-20220812-es
behavioral4: Hoic/hoic2.1.exe on win10v2004-20220812-es
General
Target: Hoic.rar
Size: 1.7MB
MD5: ba60fe26a85d5f5b6338d562930aeff2
SHA1: 499b6643dd5a7f1dd4d57506041c1207e657bce0
SHA256: 59e0d15fcdf92551a204c7e71776a88f54ea9df74e2ba2cfb04e7582c04dec81
SHA512: 2fcc74e1c44ae2a9829d53eb6f7946965ad6f8d88b2ebaf8df223c881b99066c155cc94a3c566cfe08ebfe1eded6615df410ee30dc0c9877aba1c9daa44217ec
SSDEEP: 49152:YQs04R8oXUEgIRnwN/INLZw8NoibprkwSIdwHQa:zSRYfNANLZw8NLbZudh
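Before relying on any of the findings below, confirm that the archive in hand is the one this report describes. The following script is an added example, not part of the sandbox report: it recomputes the four cryptographic hashes over a file and compares them with the values listed above, and it performs a cheap consistency check between the reported size and the ssdeep block size (ssdeep starts from block size 3 and doubles it until block size × 64 covers the input, then may halve it once, so the reported block size can never exceed that initial estimate). The constant REPORTED_SIZE_BYTES is an assumption derived from the page's rounded "1.7MB"; the hashes are copied verbatim from the report. Comparing ssdeep signatures themselves needs the external ssdeep library and is out of scope here.

```python
import hashlib
import re
import sys

# Values copied from the analysis report for Hoic.rar.
REPORTED = {
    "md5": "ba60fe26a85d5f5b6338d562930aeff2",
    "sha1": "499b6643dd5a7f1dd4d57506041c1207e657bce0",
    "sha256": "59e0d15fcdf92551a204c7e71776a88f54ea9df74e2ba2cfb04e7582c04dec81",
    "sha512": "2fcc74e1c44ae2a9829d53eb6f7946965ad6f8d88b2ebaf8df223c881b99066c"
              "155cc94a3c566cfe08ebfe1eded6615df410ee30dc0c9877aba1c9daa44217ec",
}
REPORTED_SSDEEP = "49152:YQs04R8oXUEgIRnwN/INLZw8NoibprkwSIdwHQa:zSRYfNANLZw8NLbZudh"
# Assumption: the report only says "1.7MB"; the exact byte count is not on the page.
REPORTED_SIZE_BYTES = 1_700_000

ALGOS = ("md5", "sha1", "sha256", "sha512")


def compute_hashes(data: bytes) -> dict:
    """Hex digests of the data under every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def verify_hashes(data: bytes, expected: dict) -> dict:
    """Per-algorithm match flags; a single False means this is not the reported file."""
    actual = compute_hashes(data)
    return {name: actual[name] == expected[name].lower() for name in expected}


def parse_ssdeep(sig: str) -> tuple:
    """Split 'blocksize:chunk1:chunk2' into its three parts."""
    m = re.fullmatch(r"(\d+):([^:]*):([^:]*)", sig)
    if not m:
        raise ValueError(f"not an ssdeep signature: {sig!r}")
    return int(m.group(1)), m.group(2), m.group(3)


def ssdeep_initial_blocksize(size_bytes: int) -> int:
    """Block size ssdeep starts from for an input of this size (3 * 2^n, 64 chunks)."""
    bs = 3
    while bs * 64 < size_bytes:
        bs *= 2
    return bs


def ssdeep_blocksize_consistent(sig: str, size_bytes: int) -> bool:
    """True if the signature's block size is possible for a file of this size."""
    bs, _, _ = parse_ssdeep(sig)
    return bs <= ssdeep_initial_blocksize(size_bytes)


def check_file(path: str) -> dict:
    """Verify a local copy of the sample against the reported values."""
    with open(path, "rb") as fh:
        data = fh.read()
    result = verify_hashes(data, REPORTED)
    result["ssdeep_blocksize_plausible"] = ssdeep_blocksize_consistent(REPORTED_SSDEEP, len(data))
    return result


if __name__ == "__main__":
    for name, ok in check_file(sys.argv[1]).items():
        print(f"{name:28s} {'OK' if ok else 'MISMATCH'}")
```

Run it as `python verify_sample.py Hoic.rar`; every line must read OK. A hash mismatch means the file differs from the one analysed here, however plausible the name, and none of the behavioural findings on this page apply to it.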
Malware Config
Signatures
Enumerates physical storage devices (1 TTP)
Sandbox description: attempts to interact with connected storage/optical drive(s); the sandbox labels this "likely ransomware behaviour". Treat that label as a generic heuristic here: the only processes recorded in this run are cmd.exe and the OpenWith.exe dialog, so the hit should not be read as evidence of ransomware without confirming which process triggered it and what it did.
Modifies registry class (2 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings (process: cmd.exe)
Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings (process: OpenWith.exe)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 3472, OpenWith.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
PID 3472, OpenWith.exe (64 identical entries)
Processes
C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Hoic.rar
  PID: 2652
  signatures: Modifies registry class
C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 3472
  signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx

Reading the tree: the sandbox launched the archive with cmd /c, which hands the .rar to the shell's file association. The only child that follows is OpenWith.exe started by COM activation (-Embedding), which is the "How do you want to open this file?" dialog, consistent with no archive handler being registered on this image. No process from inside the archive ran, so the signatures above describe the dialog's window and hook activity, not the behaviour of the sample itself; the behavioral3/behavioral4 tasks on Hoic/hoic2.1.exe are where any real detonation would be recorded.