6d76716b8a44e8aaa86b920c32799a585bfd4e5fd0b6105199794adc42e6da8c

General

Target

6d76716b8a44e8aaa86b920c32799a585bfd4e5fd0b6105199794adc42e6da8c.exe
Size

161KB
MD5

6f50f1236acfdc3cfeb615106ea694b0
SHA1

7bef983e04bb20cba5e2c420e6ade50887c961f8
SHA256

6d76716b8a44e8aaa86b920c32799a585bfd4e5fd0b6105199794adc42e6da8c
SHA512

3b3f68600c95e2de53dbe3bf1f95134ce5f574262776c4061fb83376f35c66714791f7d430ef44a895e5a5ecd93f56b35853180aee19d1a6e6603ee0258e2948
SSDEEP

3072:O1UqeDPE4DbBYTN6jZ4fReG6NkHqQTtwRc6GCCT/oQXbTlOf/mdQgUfY:OuqeDPE+BYGkV6NkHq4wpGsYbTi/8Qgl

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
968	ibwi.exe

Deletes itself 1 IoCs

pid	Process
2028	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	6d76716b8a44e8aaa86b920c32799a585bfd4e5fd0b6105199794adc42e6da8c.exe
1732	6d76716b8a44e8aaa86b920c32799a585bfd4e5fd0b6105199794adc42e6da8c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	ibwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6FA8CF24-3CD6-CA69-EAD1-610161553951} = "C:\\Users\\Admin\\AppData\\Roaming\\Quokif\\ibwi.exe"	ibwi.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe
968	ibwi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1732	6d76716b8a44e8aaa86b920c32799a585bfd4e5fd0b6105199794adc42e6da8c.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
968	ibwi.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 968	1732	6d76716b8a44e8aaa86b920c32799a585bfd4e5fd0b6105199794adc42e6da8c.exe	27
PID 1732 wrote to memory of 968	1732	6d76716b8a44e8aaa86b920c32799a585bfd4e5fd0b6105199794adc42e6da8c.exe	27
PID 1732 wrote to memory of 968	1732	6d76716b8a44e8aaa86b920c32799a585bfd4e5fd0b6105199794adc42e6da8c.exe	27
PID 1732 wrote to memory of 968	1732	6d76716b8a44e8aaa86b920c32799a585bfd4e5fd0b6105199794adc42e6da8c.exe	27
PID 1732 wrote to memory of 2028	1732	6d76716b8a44e8aaa86b920c32799a585bfd4e5fd0b6105199794adc42e6da8c.exe	28
PID 1732 wrote to memory of 2028	1732	6d76716b8a44e8aaa86b920c32799a585bfd4e5fd0b6105199794adc42e6da8c.exe	28
PID 1732 wrote to memory of 2028	1732	6d76716b8a44e8aaa86b920c32799a585bfd4e5fd0b6105199794adc42e6da8c.exe	28
PID 1732 wrote to memory of 2028	1732	6d76716b8a44e8aaa86b920c32799a585bfd4e5fd0b6105199794adc42e6da8c.exe	28

C:\Users\Admin\AppData\Local\Temp\6d76716b8a44e8aaa86b920c32799a585bfd4e5fd0b6105199794adc42e6da8c.exe
"C:\Users\Admin\AppData\Local\Temp\6d76716b8a44e8aaa86b920c32799a585bfd4e5fd0b6105199794adc42e6da8c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Roaming\Quokif\ibwi.exe
  "C:\Users\Admin\AppData\Roaming\Quokif\ibwi.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  PID:968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp56692813.bat"
  2⤵
  - Deletes itself
  PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp56692813.bat

Filesize
307B

MD5
78276f02fcc5f866a11b1b799a245cf1

SHA1
474afc9767e3b46076e5962d11491f299f94da0e

SHA256
8b6c177a24a483a9b3596ee2d41b0306c03c09e3040264cec5a1712522426d3b

SHA512
e229ca7a9d2de2739aef77d8cca2a2696414f31da979877a7253c47a2efde8d324c729447c615ba7a580b077d76f4bb2bc3116fcb62fc1c585900e44000fafa6

Download Submit
C:\Users\Admin\AppData\Roaming\Quokif\ibwi.exe

Filesize
161KB

MD5
38ca09053ed32eab6fd24535dff69228

SHA1
aff19effde081095a16d80948d4532a3a1adc922

SHA256
17b0239e0c3f1b633e9e0457a163f6fca629e1627470f04f630ef903f69c3025

SHA512
d6d7bb6e92abba3eda355180dfb09302f0fda4c4ce1d24aa2ef78614e6a119a3742cf840449815ce3d6894ddc5143ca46410f41cad77b936a1eaa60c32a2d7e1

Download Submit
C:\Users\Admin\AppData\Roaming\Quokif\ibwi.exe

Filesize
161KB

MD5
38ca09053ed32eab6fd24535dff69228

SHA1
aff19effde081095a16d80948d4532a3a1adc922

SHA256
17b0239e0c3f1b633e9e0457a163f6fca629e1627470f04f630ef903f69c3025

SHA512
d6d7bb6e92abba3eda355180dfb09302f0fda4c4ce1d24aa2ef78614e6a119a3742cf840449815ce3d6894ddc5143ca46410f41cad77b936a1eaa60c32a2d7e1

Download Submit
\Users\Admin\AppData\Roaming\Quokif\ibwi.exe

Filesize
161KB

MD5
38ca09053ed32eab6fd24535dff69228

SHA1
aff19effde081095a16d80948d4532a3a1adc922

SHA256
17b0239e0c3f1b633e9e0457a163f6fca629e1627470f04f630ef903f69c3025

SHA512
d6d7bb6e92abba3eda355180dfb09302f0fda4c4ce1d24aa2ef78614e6a119a3742cf840449815ce3d6894ddc5143ca46410f41cad77b936a1eaa60c32a2d7e1

Download Submit
\Users\Admin\AppData\Roaming\Quokif\ibwi.exe

Filesize
161KB

MD5
38ca09053ed32eab6fd24535dff69228

SHA1
aff19effde081095a16d80948d4532a3a1adc922

SHA256
17b0239e0c3f1b633e9e0457a163f6fca629e1627470f04f630ef903f69c3025

SHA512
d6d7bb6e92abba3eda355180dfb09302f0fda4c4ce1d24aa2ef78614e6a119a3742cf840449815ce3d6894ddc5143ca46410f41cad77b936a1eaa60c32a2d7e1

Download Submit
memory/1732-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing