59e0d15fcdf92551a204c7e71776a88f54ea9df74e2ba2cfb04e7582c04dec81

Resubmissions

31-07-2024 04:57

240731-flg26axflr 3

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31-07-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hoic/DutchFreedom.hoic
Size

6KB
MD5

8545406e9887fff9b7d23bd8d1ba827a
SHA1

e6466fb5db89ef1c4a56397559fed06f3391f5bf
SHA256

21982480e0c5ed17ecdab367916d96869391a8b1bcfc8d3ca2b29c7b651d35c6
SHA512

66eb3e354d7209fded5ae07ba17f2e64349369189e936c8ded941705e73592c91bc5dc3dc631cf6b8d155c5e9d540e0b107e30ea126d5627abe806c749fd1278
SSDEEP

48:tmoNnhrpZijIZ+jtC/HVYfvBJvBzrvSpv7i0sYRv5YLiY2diVSNIgguhYb2BCcCC:tmoNlfZ+jnPNCmi5RVTCt+vML2XBRp

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\hoic_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.hoic\ = "hoic_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\hoic_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\hoic_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\hoic_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\hoic_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.hoic	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\hoic_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2692	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2692	AcroRd32.exe
2692	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 1056	1172	cmd.exe	32
PID 1172 wrote to memory of 1056	1172	cmd.exe	32
PID 1172 wrote to memory of 1056	1172	cmd.exe	32
PID 1056 wrote to memory of 2692	1056	rundll32.exe	33
PID 1056 wrote to memory of 2692	1056	rundll32.exe	33
PID 1056 wrote to memory of 2692	1056	rundll32.exe	33
PID 1056 wrote to memory of 2692	1056	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Hoic\DutchFreedom.hoic
1⤵
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Hoic\DutchFreedom.hoic
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Hoic\DutchFreedom.hoic"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
40f3a354c0d6d195209cacf277a0e942

SHA1
701d70a99d05b26ce833a1fa47e294e29936c45a

SHA256
47dad61a2905ecc922f9d97eda59fa6935befa6852a93e2c83a5b13b7ef1e02e

SHA512
4400120ab7703b2395764d8988bf9aadb3d73bf8112eb43e3f0bb232122018695b8c24ab791b7d3f14744762900d38f33f16cc7f77195dc54f5774cc68c59a0f

Download Submit