24381711d4be8eb84add235150e79594cde54d4bbce50aff0e0a176c90a03a88

Analysis

max time kernel
15s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2022 13:36

Target

QUYRMHO.exe
Size

23KB
MD5

8d2d628d431ad6078501e410e7296161
SHA1

a54b8497bb6d9d2293f05065959dbf22a86fa222
SHA256

24381711d4be8eb84add235150e79594cde54d4bbce50aff0e0a176c90a03a88
SHA512

d3ecb4da2ab1f9f7a9e96bc00e1473356f96a7c6fa12c74b019cbda84e5c162fef9a25debeee852f72bf95a1f5d45e2c235169d812a92c4ba3728d8261c65ed3
SSDEEP

384:kc68yCaUVIhboNgfEimfkNzayS06vg5UhcpxH7ndmRvR6JZlbw8hqIusZzZW5:q873kgNfoaf6ARpcnu9

Score

8^/10

evasion

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1992 netsh.exe

pid	process
1992	netsh.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

QUYRMHO.exe

description	pid	process	target process
PID 1984 wrote to memory of 1992	1984	QUYRMHO.exe	netsh.exe
PID 1984 wrote to memory of 1992	1984	QUYRMHO.exe	netsh.exe
PID 1984 wrote to memory of 1992	1984	QUYRMHO.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\QUYRMHO.exe
"C:\Users\Admin\AppData\Local\Temp\QUYRMHO.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\QUYRMHO.exe" "QUYRMHO.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:1992

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1984-132-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1984-134-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/1992-133-0x0000000000000000-mapping.dmp

Download