9842285a693ace52b68524bf03b31df13483e969085db88e79b5eceaa9b69fbe

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

559ffeb585d72a19a71befab8fd72ad3.exe
Size

160KB
MD5

559ffeb585d72a19a71befab8fd72ad3
SHA1

6eab325d0f34a7f8b7b4dcc37546cf193e0d6713
SHA256

9842285a693ace52b68524bf03b31df13483e969085db88e79b5eceaa9b69fbe
SHA512

b6546d160ccf430d64ed983474805b683afed23fd304e192796537c9a0acd50e97ef1e9a213de87e7ed6e309827073992085fe8de703ad46770d5ded9cea8c49
SSDEEP

3072:SGCbZSukOY8hrJFVNM/N/5sfqDfwqfEei:lork6hrJ3NON/5sGoei

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	559ffeb585d72a19a71befab8fd72ad3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	nehoh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	559ffeb585d72a19a71befab8fd72ad3.exe

Executes dropped EXE 1 IoCs

pid	Process
4744	nehoh.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /Z"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /Q"	559ffeb585d72a19a71befab8fd72ad3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /a"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /c"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /O"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /C"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /S"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /o"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /m"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /g"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /Y"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /B"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /w"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /q"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /D"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /F"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /U"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /N"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /J"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /x"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /E"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /t"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /n"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /I"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /K"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /L"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /p"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /z"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /G"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /W"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /A"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /V"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /h"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /b"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /M"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /l"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /k"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /r"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /y"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /f"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /Q"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /v"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /s"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /T"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /P"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /u"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /e"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /j"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /i"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /d"	nehoh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nehoh = "C:\\Users\\Admin\\nehoh.exe /X"	nehoh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2680	559ffeb585d72a19a71befab8fd72ad3.exe
2680	559ffeb585d72a19a71befab8fd72ad3.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe
4744	nehoh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2680	559ffeb585d72a19a71befab8fd72ad3.exe
4744	nehoh.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 4744	2680	559ffeb585d72a19a71befab8fd72ad3.exe	91
PID 2680 wrote to memory of 4744	2680	559ffeb585d72a19a71befab8fd72ad3.exe	91
PID 2680 wrote to memory of 4744	2680	559ffeb585d72a19a71befab8fd72ad3.exe	91

C:\Users\Admin\AppData\Local\Temp\559ffeb585d72a19a71befab8fd72ad3.exe
"C:\Users\Admin\AppData\Local\Temp\559ffeb585d72a19a71befab8fd72ad3.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\nehoh.exe
  "C:\Users\Admin\nehoh.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\nehoh.exe

Filesize
54KB

MD5
879e1cc692218b4837a59c2791b95a84

SHA1
7f349641c0b28705de980ffcfda91fdf37bc1949

SHA256
50b933d60ac15b038d5cd75cff08f51e0f8147a35d044b394d9331a65e6bdd59

SHA512
5a243592db06f553614fe405e0aee4fe34fe2e1016f38535fd2371a0b020566b41971ad41e0076d0a5500717b585e73764deee6c49facb6286927e8ee6b0b323

Download Submit
C:\Users\Admin\nehoh.exe

Filesize
12KB

MD5
c78766b1a234433cf694dc1bbf362bdf

SHA1
f20cf9d8dc4eb3af3bb156c3473eb1eefcf7669a

SHA256
1c52cf615d4f426af9f1b65c1ab3b3f8394e94647e70c034aa5ff168ba7208a9

SHA512
d1d8905fdd58093a4e6cd1a96bda98b3d4971a619ebf4f3f7a6809345aa680455ffd3fd03cc6f5e31d85905afa9ea5f0f6a96ee41adbed9833f9e8cea71909e6

Download Submit
C:\Users\Admin\nehoh.exe

Filesize
32KB

MD5
35eb4c551dac21956a93bbfc98d9fdc1

SHA1
953cde49ffb19ab952a9926f84192a8edf79c488

SHA256
2d4adf7497307f4111e1623297fa7774345f83923150f6a0f53ddf285e2265a5

SHA512
290dfcaa073facdee6da68f5a55e6be1af4cb367a03ed17e460bfec59d1588ee1092bb2323f5c79bab65b806e9d109bab5c092d40c64e4df9bb26ff1d1cbd0ec

Download Submit
memory/2680-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-37-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4744-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4744-38-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download