cab3aa574d05602045bff1c725de643ae6c35df02c5e77da135345df240d2530

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54671c82326c4691f3ec3d30a26aef9b.exe
Size

260KB
MD5

54671c82326c4691f3ec3d30a26aef9b
SHA1

224b8ed4166d62172930401f6ade9a4387f15a52
SHA256

cab3aa574d05602045bff1c725de643ae6c35df02c5e77da135345df240d2530
SHA512

ae88c67baaa6ee9cbb1114c94bc2ab81bd92315eba3b3bcc27d1cf318ea70ac1b63ee0f52c881a174d6522f07fd9421e2a84fbcdd87811c68b74d7a28ba4a799
SSDEEP

3072:gan7QCMpHpNpTKh/o6PP9m1yIM6Q+Qs+++2o+e60O:7xMpHpNln

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	boiodi.exe

Executes dropped EXE 1 IoCs

pid	Process
2352	boiodi.exe

Loads dropped DLL 2 IoCs

pid	Process
2176	54671c82326c4691f3ec3d30a26aef9b.exe
2176	54671c82326c4691f3ec3d30a26aef9b.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /s"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /k"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /C"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /N"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /r"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /i"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /W"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /V"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /H"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /L"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /M"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /v"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /t"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /O"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /S"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /j"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /I"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /P"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /F"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /m"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /u"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /R"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /e"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /E"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /b"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /z"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /o"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /D"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /y"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /X"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /d"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /f"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /Z"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /l"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /J"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /q"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /T"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /G"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /c"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /B"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /Q"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /w"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /h"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /Y"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /g"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /a"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /K"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /x"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /n"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /A"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /U"	boiodi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boiodi = "C:\\Users\\Admin\\boiodi.exe /p"	boiodi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe
2352	boiodi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2176	54671c82326c4691f3ec3d30a26aef9b.exe
2352	boiodi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2352	2176	54671c82326c4691f3ec3d30a26aef9b.exe	28
PID 2176 wrote to memory of 2352	2176	54671c82326c4691f3ec3d30a26aef9b.exe	28
PID 2176 wrote to memory of 2352	2176	54671c82326c4691f3ec3d30a26aef9b.exe	28
PID 2176 wrote to memory of 2352	2176	54671c82326c4691f3ec3d30a26aef9b.exe	28
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14
PID 2352 wrote to memory of 2176	2352	boiodi.exe	14

C:\Users\Admin\AppData\Local\Temp\54671c82326c4691f3ec3d30a26aef9b.exe
"C:\Users\Admin\AppData\Local\Temp\54671c82326c4691f3ec3d30a26aef9b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\boiodi.exe
  "C:\Users\Admin\boiodi.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\boiodi.exe

Filesize
260KB

MD5
3389a1b4d4461574941bc0fad689a064

SHA1
f3be2368f325311fd31e85d90d28159d94960a08

SHA256
41806d9f0ecfac1c881bd2e652b1c055c089c9f72eba13c7262bf651f35b6c18

SHA512
a57287a174793170ea3db8dc157b8a6f69e90b3de37696e85092015b314859ae76f716349618b712687d59d2b20b9b3f98171b2e57e19b7d7a05f3e15273f362

Download Submit