Malware Analysis Report

2025-03-14 22:58

Sample ID 240406-3pfd3aed7t
Target 9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64
SHA256 9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64

Threat Level: Known bad

The file 9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 23:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 23:41

Reported

2024-04-06 23:43

Platform

win7-20240221-en

Max time kernel

153s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\doout.exe | N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\doout.exe N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /i" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /c" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /o" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /p" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /v" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /y" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /x" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /m" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /n" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /h" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /f" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /l" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /q" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /j" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /e" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /t" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /b" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /s" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /r" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /k" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /u" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /a" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /i" | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /z" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /d" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /w" | C:\Users\Admin\doout.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\doout = "C:\\Users\\Admin\\doout.exe /g" | C:\Users\Admin\doout.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe N/A
N/A N/A C:\Users\Admin\doout.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe

"C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe"

C:\Users\Admin\doout.exe

"C:\Users\Admin\doout.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ns1.musiczipz.com udp
US 8.8.8.8:53 ns1.musicmixa.net udp
US 8.8.8.8:53 ns1.musicmixa.org udp
US 8.8.8.8:53 ns1.musicmixb.co udp
US 8.8.8.8:53 ns1.musicmixc.com udp

Files

\Users\Admin\doout.exe

MD5 8e0ad41b1ea1c83c3a22c6c632b051da
SHA1 edf1aa37a5899aca8ec18f96595e972648ed6e8d
SHA256 7f3dd3398aa80e06dbab1923ff3c5367fbab6f87f2fe1b76b9a2e6100e2bc4b2
SHA512 cca8c9a84ae2fa9212cc3a8781bad3920a8aea37722947677516f4ac507e8f83ac387350fb3e1392e28ea2374a85fc5730a260160a129504fddba1db7239a30c

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:41

Reported

2024-04-06 23:43

Platform

win10v2004-20240319-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\koiha.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\koiha.exe N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /f" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /a" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /y" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /l" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /q" | C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /c" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /d" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /r" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /k" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /z" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /n" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /g" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /v" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /o" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /t" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /m" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /h" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /i" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /s" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /x" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /w" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /u" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /q" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /j" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /e" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /p" | C:\Users\Admin\koiha.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\koiha = "C:\\Users\\Admin\\koiha.exe /b" | C:\Users\Admin\koiha.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe N/A
N/A N/A C:\Users\Admin\koiha.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe

"C:\Users\Admin\AppData\Local\Temp\9af94a43aedb15650dadc1092ba67ecd24c19931f496af5954e9aa9d548f9d64.exe"

C:\Users\Admin\koiha.exe

"C:\Users\Admin\koiha.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2252,i,11231798169170618717,17890004712654885282,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 ns1.musiczipz.com udp
US 8.8.8.8:53 ns1.musicmixa.net udp
US 8.8.8.8:53 ns1.musicmixa.org udp
US 8.8.8.8:53 ns1.musicmixb.co udp
US 8.8.8.8:53 ns1.musicmixc.com udp
GB 13.87.96.169:443 tcp
IE 94.245.104.56:443 tcp
GB 172.165.69.228:443 tcp
IE 94.245.104.56:443 tcp
NL 172.217.23.202:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\koiha.exe

MD5 3b64716bc7076e740c75d256557578f1
SHA1 2bb12c60b3232f9eafcd4d67a7a290a2c84e807d
SHA256 a366071161b36f0248cc7466ede425197b3606ef86ba411dd65f2bd14f9884c7
SHA512 c439d1b4609fb92d4bc47bbd64aea5fa32bf01cbacf39ccf5e4550dfc1325e0980a7740d47631ea52c7347f948cb28337d3344374a879ab676715299b6513509