d940548c354277aaf332b8bf2a3a36e8064b4d8268658cf3f106c74c40046097

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14/01/2024, 13:55 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b69da4ef76fdd75ac29737dcfb0c304.exe
Size

156KB
MD5

5b69da4ef76fdd75ac29737dcfb0c304
SHA1

a4f0fdd81682b708e31d60b9a7f5fc9bdeffd604
SHA256

d940548c354277aaf332b8bf2a3a36e8064b4d8268658cf3f106c74c40046097
SHA512

dc6918dcddd6cced963764001054c2a73fb9b2b9207bfe5e314a2501c8de8d00f32f8cc751a30cbc2519e52cd6253ccf5137aa1afae88ecc4ea556136d1235dd
SSDEEP

3072:PNMtJS4aZhJdxKPE+vgu36MN9vqKyHjm6I1JDVOc2W4oQZiE32L:sm7d0zvhqMN9vgjm6ILDVOAWli

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	5b69da4ef76fdd75ac29737dcfb0c304.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	keehof.exe

Executes dropped EXE 1 IoCs

pid	Process
2396	keehof.exe

Loads dropped DLL 2 IoCs

pid	Process
2348	5b69da4ef76fdd75ac29737dcfb0c304.exe
2348	5b69da4ef76fdd75ac29737dcfb0c304.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /N"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /b"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /k"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /j"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /Z"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /S"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /Y"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /L"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /u"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /V"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /l"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /s"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /W"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /O"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /R"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /J"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /B"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /c"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /A"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /r"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /F"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /p"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /O"	5b69da4ef76fdd75ac29737dcfb0c304.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /z"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /e"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /o"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /Q"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /M"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /q"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /x"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /H"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /g"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /a"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /I"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /K"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /t"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /f"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /y"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /i"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /E"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /P"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /n"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /X"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /C"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /d"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /h"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /U"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /D"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /G"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /v"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /m"	keehof.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\keehof = "C:\\Users\\Admin\\keehof.exe /w"	keehof.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	5b69da4ef76fdd75ac29737dcfb0c304.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe
2396	keehof.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2348	5b69da4ef76fdd75ac29737dcfb0c304.exe
2396	keehof.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2396	2348	5b69da4ef76fdd75ac29737dcfb0c304.exe	28
PID 2348 wrote to memory of 2396	2348	5b69da4ef76fdd75ac29737dcfb0c304.exe	28
PID 2348 wrote to memory of 2396	2348	5b69da4ef76fdd75ac29737dcfb0c304.exe	28
PID 2348 wrote to memory of 2396	2348	5b69da4ef76fdd75ac29737dcfb0c304.exe	28

C:\Users\Admin\AppData\Local\Temp\5b69da4ef76fdd75ac29737dcfb0c304.exe
"C:\Users\Admin\AppData\Local\Temp\5b69da4ef76fdd75ac29737dcfb0c304.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\keehof.exe
  "C:\Users\Admin\keehof.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2396

Network

DNS

ns1.player1532.com

5b69da4ef76fdd75ac29737dcfb0c304.exe

Remote address:

8.8.8.8:53

Request

ns1.player1532.com

IN A

Response

ns1.player1532.com

IN A

107.178.223.183

ns1.player1532.com

IN A

104.155.138.21

107.178.223.183:8000

ns1.player1532.com

5b69da4ef76fdd75ac29737dcfb0c304.exe

512 B
412 B
11
10

8.8.8.8:53

ns1.player1532.com

dns

5b69da4ef76fdd75ac29737dcfb0c304.exe

64 B
96 B
1
1

DNS Request

ns1.player1532.com

DNS Response

107.178.223.183

104.155.138.21

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\keehof.exe

Filesize
156KB

MD5
84478f194b29433e66bd60fad111df21

SHA1
a4b56fb914fc0e28d51ce167ddec6a11618d67f6

SHA256
b561dd247ebadc6cdd0c020ba396ffe947ac3afc8718bb3f4b51c88bdfb29484

SHA512
9e78b2b98fb3d27ce258ee378a2775e9951e0a66825746a612c73d460ccefe2f24decc9eaa9df2951ec68094a6837fea7588e1686a9c95aa92e12b9fe045cbd2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.