59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe
Size

312KB
MD5

e67af8a14a560669ea86c214b9290b47
SHA1

bd7a2cbc6b14b930089303558d499a7efc9591b4
SHA256

59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b
SHA512

e61a373dd7c5b302cb7532fd5ba69f85757dca00bf2cacdeb474bea286a922bfd8b3bfbac373ce3ea99a8b73b86bbd1689fdda7e2a5d9893d7ad85986e8f8a5c
SSDEEP

6144:iyJuBlo8GCyd1dUhAE74jvaG66xegV+/mJC63WoP+tN1JB5PKl:iwdjaUq6QgV+OvZPG175yl

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1204	qequry.exe

Deletes itself 1 IoCs

pid	Process
1608	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe
1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\Currentversion\Run	qequry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\{91C05068-4FEF-AD4D-7F1F-8FEC7D0BACF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Ehiby\\qequry.exe"	qequry.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1424 set thread context of 1608	1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe	27

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe
1204	qequry.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe
1204	qequry.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1204	1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe	26
PID 1424 wrote to memory of 1204	1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe	26
PID 1424 wrote to memory of 1204	1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe	26
PID 1424 wrote to memory of 1204	1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe	26
PID 1204 wrote to memory of 1148	1204	qequry.exe	15
PID 1204 wrote to memory of 1148	1204	qequry.exe	15
PID 1204 wrote to memory of 1148	1204	qequry.exe	15
PID 1204 wrote to memory of 1148	1204	qequry.exe	15
PID 1204 wrote to memory of 1148	1204	qequry.exe	15
PID 1204 wrote to memory of 1224	1204	qequry.exe	14
PID 1204 wrote to memory of 1224	1204	qequry.exe	14
PID 1204 wrote to memory of 1224	1204	qequry.exe	14
PID 1204 wrote to memory of 1224	1204	qequry.exe	14
PID 1204 wrote to memory of 1224	1204	qequry.exe	14
PID 1204 wrote to memory of 1260	1204	qequry.exe	11
PID 1204 wrote to memory of 1260	1204	qequry.exe	11
PID 1204 wrote to memory of 1260	1204	qequry.exe	11
PID 1204 wrote to memory of 1260	1204	qequry.exe	11
PID 1204 wrote to memory of 1260	1204	qequry.exe	11
PID 1204 wrote to memory of 1424	1204	qequry.exe	18
PID 1204 wrote to memory of 1424	1204	qequry.exe	18
PID 1204 wrote to memory of 1424	1204	qequry.exe	18
PID 1204 wrote to memory of 1424	1204	qequry.exe	18
PID 1204 wrote to memory of 1424	1204	qequry.exe	18
PID 1424 wrote to memory of 1608	1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe	27
PID 1424 wrote to memory of 1608	1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe	27
PID 1424 wrote to memory of 1608	1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe	27
PID 1424 wrote to memory of 1608	1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe	27
PID 1424 wrote to memory of 1608	1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe	27
PID 1424 wrote to memory of 1608	1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe	27
PID 1424 wrote to memory of 1608	1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe	27
PID 1424 wrote to memory of 1608	1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe	27
PID 1424 wrote to memory of 1608	1424	59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Users\Admin\AppData\Local\Temp\59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe
  "C:\Users\Admin\AppData\Local\Temp\59bcf6ee89b2ca74fbb5e5a02aa49303a3cef5d0ab0c589c291cb4f9693b0c1b.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Users\Admin\AppData\Roaming\Ehiby\qequry.exe
    "C:\Users\Admin\AppData\Roaming\Ehiby\qequry.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp26939393.bat"
    3⤵
    - Deletes itself
    PID:1608

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp26939393.bat

Filesize
307B

MD5
f688330dd3912e3b327445677d875380

SHA1
83fbd80bf5d58e07f133fe1a76d072ea5f5ce9eb

SHA256
a3b515848c95cd0b32d3bb4c58946f675e4d230263a97da292e141aa7e839d76

SHA512
f77ee07a622c3dd432de0dedcc454403cc5601bfa9e0ed3bc100381d435845af5e2bda9df94f8308546091645e0fc4235c43184e2d2ddb8e878a4042948595b3

Download Submit
C:\Users\Admin\AppData\Roaming\Ehiby\qequry.exe

Filesize
312KB

MD5
a8fdc1d801b24a9a17425acdfcb1db45

SHA1
41844286979893227047f21d1d26509494c35296

SHA256
93b72e1977f9290d802d1ff3e6c06c3cedd0a56d05ba15044a458ff38658b57d

SHA512
73b981854a2d007b3d24807276e800729417c6e4ca8ef7db3d3194abdf283536a893d6ceb2a2ecfa7e67befed08d2a1429d0567703e14b77a74820510b668e4c

Download Submit
C:\Users\Admin\AppData\Roaming\Ehiby\qequry.exe

Filesize
312KB

MD5
a8fdc1d801b24a9a17425acdfcb1db45

SHA1
41844286979893227047f21d1d26509494c35296

SHA256
93b72e1977f9290d802d1ff3e6c06c3cedd0a56d05ba15044a458ff38658b57d

SHA512
73b981854a2d007b3d24807276e800729417c6e4ca8ef7db3d3194abdf283536a893d6ceb2a2ecfa7e67befed08d2a1429d0567703e14b77a74820510b668e4c

Download Submit
\Users\Admin\AppData\Roaming\Ehiby\qequry.exe

Filesize
312KB

MD5
a8fdc1d801b24a9a17425acdfcb1db45

SHA1
41844286979893227047f21d1d26509494c35296

SHA256
93b72e1977f9290d802d1ff3e6c06c3cedd0a56d05ba15044a458ff38658b57d

SHA512
73b981854a2d007b3d24807276e800729417c6e4ca8ef7db3d3194abdf283536a893d6ceb2a2ecfa7e67befed08d2a1429d0567703e14b77a74820510b668e4c

Download Submit
\Users\Admin\AppData\Roaming\Ehiby\qequry.exe

Filesize
312KB

MD5
a8fdc1d801b24a9a17425acdfcb1db45

SHA1
41844286979893227047f21d1d26509494c35296

SHA256
93b72e1977f9290d802d1ff3e6c06c3cedd0a56d05ba15044a458ff38658b57d

SHA512
73b981854a2d007b3d24807276e800729417c6e4ca8ef7db3d3194abdf283536a893d6ceb2a2ecfa7e67befed08d2a1429d0567703e14b77a74820510b668e4c

Download Submit
memory/1148-68-0x0000000001D20000-0x0000000001D64000-memory.dmp

Filesize
272KB

Download
memory/1148-65-0x0000000001D20000-0x0000000001D64000-memory.dmp

Filesize
272KB

Download
memory/1148-70-0x0000000001D20000-0x0000000001D64000-memory.dmp

Filesize
272KB

Download
memory/1148-69-0x0000000001D20000-0x0000000001D64000-memory.dmp

Filesize
272KB

Download
memory/1148-67-0x0000000001D20000-0x0000000001D64000-memory.dmp

Filesize
272KB

Download
memory/1204-98-0x0000000000380000-0x00000000003D3000-memory.dmp

Filesize
332KB

Download
memory/1204-108-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1204-97-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/1204-99-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1224-73-0x00000000001C0000-0x0000000000204000-memory.dmp

Filesize
272KB

Download
memory/1224-74-0x00000000001C0000-0x0000000000204000-memory.dmp

Filesize
272KB

Download
memory/1224-75-0x00000000001C0000-0x0000000000204000-memory.dmp

Filesize
272KB

Download
memory/1224-76-0x00000000001C0000-0x0000000000204000-memory.dmp

Filesize
272KB

Download
memory/1260-80-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1260-79-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1260-81-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1260-82-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1424-95-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1424-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1424-87-0x0000000000560000-0x00000000005A4000-memory.dmp

Filesize
272KB

Download
memory/1424-88-0x0000000000560000-0x00000000005A4000-memory.dmp

Filesize
272KB

Download
memory/1424-55-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/1424-86-0x0000000000560000-0x00000000005A4000-memory.dmp

Filesize
272KB

Download
memory/1424-56-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/1424-102-0x00000000002D0000-0x0000000000323000-memory.dmp

Filesize
332KB

Download
memory/1424-104-0x0000000000560000-0x00000000005A4000-memory.dmp

Filesize
272KB

Download
memory/1424-85-0x0000000000560000-0x00000000005A4000-memory.dmp

Filesize
272KB

Download
memory/1424-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1424-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1424-100-0x0000000000560000-0x00000000005B3000-memory.dmp

Filesize
332KB

Download
memory/1424-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1608-94-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1608-96-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1608-93-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1608-107-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1608-91-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download