06dfe87945cc3b82d784f473d10f6608e592c5eac5305634837eeae7b3dea192

Analysis

max time kernel
146s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

783d8d30e61b21ca2ef35394a7dff511.exe
Size

236KB
MD5

783d8d30e61b21ca2ef35394a7dff511
SHA1

166ff22ff0619b4c53c7e48e5f2dcb9a03babfdf
SHA256

06dfe87945cc3b82d784f473d10f6608e592c5eac5305634837eeae7b3dea192
SHA512

ee1a081305b3fef79a9d24922b13d54e72ecec5337c438f682a46642531d7e1a8d1ef4982233be3d1242c7baa1c1b4e4728907e513efc5fa2a7bda30f98bb2af
SSDEEP

3072:06VlhsJ0osvyMZeIT51B8u0gWCyiHCUPqga:GSouyMwItf8u0gWCyiHC

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	783d8d30e61b21ca2ef35394a7dff511.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	moimo.exe

Executes dropped EXE 1 IoCs

pid	Process
2616	moimo.exe

Loads dropped DLL 2 IoCs

pid	Process
2304	783d8d30e61b21ca2ef35394a7dff511.exe
2304	783d8d30e61b21ca2ef35394a7dff511.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /x"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /s"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /f"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /b"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /l"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /n"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /e"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /m"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /j"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /r"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /a"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /y"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /c"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /v"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /q"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /k"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /g"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /w"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /z"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /d"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /h"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /i"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /o"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /r"	783d8d30e61b21ca2ef35394a7dff511.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /t"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /u"	moimo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\moimo = "C:\\Users\\Admin\\moimo.exe /p"	moimo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2304	783d8d30e61b21ca2ef35394a7dff511.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe
2616	moimo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2304	783d8d30e61b21ca2ef35394a7dff511.exe
2616	moimo.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2616	2304	783d8d30e61b21ca2ef35394a7dff511.exe	28
PID 2304 wrote to memory of 2616	2304	783d8d30e61b21ca2ef35394a7dff511.exe	28
PID 2304 wrote to memory of 2616	2304	783d8d30e61b21ca2ef35394a7dff511.exe	28
PID 2304 wrote to memory of 2616	2304	783d8d30e61b21ca2ef35394a7dff511.exe	28

C:\Users\Admin\AppData\Local\Temp\783d8d30e61b21ca2ef35394a7dff511.exe
"C:\Users\Admin\AppData\Local\Temp\783d8d30e61b21ca2ef35394a7dff511.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\moimo.exe
  "C:\Users\Admin\moimo.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\moimo.exe

Filesize
93KB

MD5
39ce9112cf25296f1fb849d4c05c9733

SHA1
b80bd817a2aa07c211c3f87dab11091a3ff850aa

SHA256
02ccc853df0133757ada62fbce5aa062d5b1c6314b30aa3568355a01cf7e8b7a

SHA512
57e536acfec047871624c189f4157ed823541d801e67cfab4dd4173222bd2025859fddb45edb0bbd75db7762dc8c66fec958f2f8e6ae486e946519f2be41c34a

Download Submit
\Users\Admin\moimo.exe

Filesize
236KB

MD5
c4ab16fbe428428c237918ba2457047e

SHA1
653a215069ae83ad28bd66c0a0e0952f391e3d8d

SHA256
acb25f9673697d222b47b1bdf71c88eeffbd1f70df133551c39d0f4289149746

SHA512
ed245f20091a3f53d9948ff00924a259b09c4aab6e68fa4de418067f8cc5834aaf72c3e4f98460be1266d99b23080666528822726f5bd38f552e1b59784b430a

Download Submit