24381711d4be8eb84add235150e79594cde54d4bbce50aff0e0a176c90a03a88

Analysis

max time kernel
9s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-09-2022 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QUYRMHO.exe
Size

23KB
MD5

8d2d628d431ad6078501e410e7296161
SHA1

a54b8497bb6d9d2293f05065959dbf22a86fa222
SHA256

24381711d4be8eb84add235150e79594cde54d4bbce50aff0e0a176c90a03a88
SHA512

d3ecb4da2ab1f9f7a9e96bc00e1473356f96a7c6fa12c74b019cbda84e5c162fef9a25debeee852f72bf95a1f5d45e2c235169d812a92c4ba3728d8261c65ed3
SSDEEP

384:kc68yCaUVIhboNgfEimfkNzayS06vg5UhcpxH7ndmRvR6JZlbw8hqIusZzZW5:q873kgNfoaf6ARpcnu9

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1736	netsh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1736	1048	QUYRMHO.exe	27
PID 1048 wrote to memory of 1736	1048	QUYRMHO.exe	27
PID 1048 wrote to memory of 1736	1048	QUYRMHO.exe	27
PID 1048 wrote to memory of 1736	1048	QUYRMHO.exe	27

C:\Users\Admin\AppData\Local\Temp\QUYRMHO.exe
"C:\Users\Admin\AppData\Local\Temp\QUYRMHO.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\QUYRMHO.exe" "QUYRMHO.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1048-55-0x0000000074DA0000-0x000000007534B000-memory.dmp

Filesize
5.7MB

Download