29d05c57e510d92a9fe36829406ffdec1be9e40cb0d953744648496ce1881341

Analysis

max time kernel
148s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08bd4705a3a800d596be1e5549461b45.exe
Size

100KB
MD5

08bd4705a3a800d596be1e5549461b45
SHA1

271efba5f0b1e886f2d85244adcf4b98fdbd212d
SHA256

29d05c57e510d92a9fe36829406ffdec1be9e40cb0d953744648496ce1881341
SHA512

622ef7e6893319c4b6a0b49aa93cdcdda80eeca26919965516cb8bf9566335fab3ee21c6ae9728626ada42b9795eae0291037fa1000fb769827498bee13d97ab
SSDEEP

1536:mmt0/82NTdwqLGZcYADZPU1+73BD88b0nysNIjnZq:Ww9gZPUQJsCnY

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	08bd4705a3a800d596be1e5549461b45.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hoahi.exe

Executes dropped EXE 1 IoCs

pid	Process
2136	hoahi.exe

Loads dropped DLL 2 IoCs

pid	Process
2468	08bd4705a3a800d596be1e5549461b45.exe
2468	08bd4705a3a800d596be1e5549461b45.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /C"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /z"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /x"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /j"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /F"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /d"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /Y"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /R"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /i"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /K"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /W"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /Z"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /k"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /T"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /p"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /N"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /Q"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /S"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /B"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /t"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /M"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /m"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /I"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /J"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /E"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /g"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /L"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /v"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /h"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /U"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /y"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /D"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /V"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /q"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /G"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /u"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /n"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /H"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /b"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /o"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /P"	08bd4705a3a800d596be1e5549461b45.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /l"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /e"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /O"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /A"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /w"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /c"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /P"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /s"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /r"	hoahi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\hoahi = "C:\\Users\\Admin\\hoahi.exe /X"	hoahi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2468	08bd4705a3a800d596be1e5549461b45.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe
2136	hoahi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2468	08bd4705a3a800d596be1e5549461b45.exe
2136	hoahi.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2136	2468	08bd4705a3a800d596be1e5549461b45.exe	28
PID 2468 wrote to memory of 2136	2468	08bd4705a3a800d596be1e5549461b45.exe	28
PID 2468 wrote to memory of 2136	2468	08bd4705a3a800d596be1e5549461b45.exe	28
PID 2468 wrote to memory of 2136	2468	08bd4705a3a800d596be1e5549461b45.exe	28

C:\Users\Admin\AppData\Local\Temp\08bd4705a3a800d596be1e5549461b45.exe
"C:\Users\Admin\AppData\Local\Temp\08bd4705a3a800d596be1e5549461b45.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\hoahi.exe
  "C:\Users\Admin\hoahi.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\hoahi.exe

Filesize
100KB

MD5
cd4a351e33eca4bb6dc64d7b26f54795

SHA1
f93aadff9fdb27019af1faf1352662ce2239911f

SHA256
e361a2c994a66d28a3936ad2b46aa7eedd5c431a4bd09c28f9041bfb5e157380

SHA512
1353eca54079a23480500aa4d9c5328b28fed1af261565c6b89835a5a50003d806e090a733089f7aab33e1fd051acca1f6d202e110b0ad4baac451654e11f954

Download Submit
\Users\Admin\hoahi.exe

Filesize
92KB

MD5
85acba89111700f7d171f782ba094e15

SHA1
1754bdadb21181a95908dba013c576eb7e2a660a

SHA256
cbe39de2fdff2c0e36b3693246c3e5cd86e383f06d7bd7a25adc4e768ded9eeb

SHA512
5ba55d48ef5aa521ae82b574f454ea0061f5e8b002e9e7b9d878d51436b2d8ca12270274c1c96f76bb096e8724ce2650fc36904125183492e786ee7fafdec9da

Download Submit