ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8

Analysis

max time kernel
151s
max time network
187s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe
Size

300KB
MD5

610f242780e2abcdb0f3be08973f34f0
SHA1

c20cdba827d6e26328de0188751adc6f9b7d31dc
SHA256

ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8
SHA512

abc70993c7f318db5a7a22980d4b37d1656cfce4d62741dd58789e4c24a0e6e0370716d4cff079e467af43ee1ac75ed55f24bc11965cde732af85bd8f9015931
SSDEEP

6144:8PWnh7+AZ/KuGmU0xROflRxVUrbEABa49BZzorBO:3hyAMui68jVYbEAs49Dzork

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1708	wakiu.exe

Deletes itself 1 IoCs

pid	Process
1156	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1012	ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe
1012	ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	wakiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Jequ\\wakiu.exe"	wakiu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1012 set thread context of 1156	1012	ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe	29

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe
1708	wakiu.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 1708	1012	ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe	28
PID 1012 wrote to memory of 1708	1012	ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe	28
PID 1012 wrote to memory of 1708	1012	ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe	28
PID 1012 wrote to memory of 1708	1012	ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe	28
PID 1708 wrote to memory of 1132	1708	wakiu.exe	18
PID 1708 wrote to memory of 1132	1708	wakiu.exe	18
PID 1708 wrote to memory of 1132	1708	wakiu.exe	18
PID 1708 wrote to memory of 1132	1708	wakiu.exe	18
PID 1708 wrote to memory of 1132	1708	wakiu.exe	18
PID 1708 wrote to memory of 1200	1708	wakiu.exe	17
PID 1708 wrote to memory of 1200	1708	wakiu.exe	17
PID 1708 wrote to memory of 1200	1708	wakiu.exe	17
PID 1708 wrote to memory of 1200	1708	wakiu.exe	17
PID 1708 wrote to memory of 1200	1708	wakiu.exe	17
PID 1708 wrote to memory of 1256	1708	wakiu.exe	16
PID 1708 wrote to memory of 1256	1708	wakiu.exe	16
PID 1708 wrote to memory of 1256	1708	wakiu.exe	16
PID 1708 wrote to memory of 1256	1708	wakiu.exe	16
PID 1708 wrote to memory of 1256	1708	wakiu.exe	16
PID 1708 wrote to memory of 1012	1708	wakiu.exe	14
PID 1708 wrote to memory of 1012	1708	wakiu.exe	14
PID 1708 wrote to memory of 1012	1708	wakiu.exe	14
PID 1708 wrote to memory of 1012	1708	wakiu.exe	14
PID 1708 wrote to memory of 1012	1708	wakiu.exe	14
PID 1012 wrote to memory of 1156	1012	ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe	29
PID 1012 wrote to memory of 1156	1012	ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe	29
PID 1012 wrote to memory of 1156	1012	ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe	29
PID 1012 wrote to memory of 1156	1012	ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe	29
PID 1012 wrote to memory of 1156	1012	ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe	29
PID 1012 wrote to memory of 1156	1012	ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe	29
PID 1012 wrote to memory of 1156	1012	ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe	29
PID 1012 wrote to memory of 1156	1012	ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe	29
PID 1012 wrote to memory of 1156	1012	ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe	29
PID 1708 wrote to memory of 688	1708	wakiu.exe	30
PID 1708 wrote to memory of 688	1708	wakiu.exe	30
PID 1708 wrote to memory of 688	1708	wakiu.exe	30
PID 1708 wrote to memory of 688	1708	wakiu.exe	30
PID 1708 wrote to memory of 688	1708	wakiu.exe	30

C:\Users\Admin\AppData\Local\Temp\ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe
"C:\Users\Admin\AppData\Local\Temp\ad6c95565255a3a097cc12c558c9397fa38b97d6a37cc80256daea04023292b8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Users\Admin\AppData\Roaming\Jequ\wakiu.exe
  "C:\Users\Admin\AppData\Roaming\Jequ\wakiu.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpaa285de8.bat"
  2⤵
  - Deletes itself
  PID:1156

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1200

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1770888054612873202-901907602939310166-2047457743390157209372018021-615967886"
1⤵
PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpaa285de8.bat

Filesize
307B

MD5
6d271364b11e7ceac24cb9f0f148cd9d

SHA1
72151aa76bc118747efc1273554e78cfc22b83f0

SHA256
acd046b46ddf79372fc26f6a099258e9d549ed72a286c7f664452d9cb12ae23b

SHA512
9f4f6fa25dba54467868d4df9b3a730fe303ca002f8761797fe4ab6f50a3d3b396e846cdca9201601d6745246697caa78d025509499f6561e7db0c4f2abe9ba8

Download Submit
C:\Users\Admin\AppData\Roaming\Jequ\wakiu.exe

Filesize
300KB

MD5
9df8142467ffebf0e49c2c586a3ab593

SHA1
b3f40bd4f522ba9c824aea26aad75f49a1086e58

SHA256
ff4c844f9022dc1ee56fc1f49cea6135571c39f66a98480a5fed9ee37f59a57f

SHA512
4386362da73d65b773ab67846972cbf1eee6593a81e0a20f22ce8b5a91de7e01f553906e622b23de071bb11323c014c73204ac4ecc1ee32165dca5c7ee7e124d

Download Submit
C:\Users\Admin\AppData\Roaming\Jequ\wakiu.exe

Filesize
300KB

MD5
9df8142467ffebf0e49c2c586a3ab593

SHA1
b3f40bd4f522ba9c824aea26aad75f49a1086e58

SHA256
ff4c844f9022dc1ee56fc1f49cea6135571c39f66a98480a5fed9ee37f59a57f

SHA512
4386362da73d65b773ab67846972cbf1eee6593a81e0a20f22ce8b5a91de7e01f553906e622b23de071bb11323c014c73204ac4ecc1ee32165dca5c7ee7e124d

Download Submit
\Users\Admin\AppData\Roaming\Jequ\wakiu.exe

Filesize
300KB

MD5
9df8142467ffebf0e49c2c586a3ab593

SHA1
b3f40bd4f522ba9c824aea26aad75f49a1086e58

SHA256
ff4c844f9022dc1ee56fc1f49cea6135571c39f66a98480a5fed9ee37f59a57f

SHA512
4386362da73d65b773ab67846972cbf1eee6593a81e0a20f22ce8b5a91de7e01f553906e622b23de071bb11323c014c73204ac4ecc1ee32165dca5c7ee7e124d

Download Submit
\Users\Admin\AppData\Roaming\Jequ\wakiu.exe

Filesize
300KB

MD5
9df8142467ffebf0e49c2c586a3ab593

SHA1
b3f40bd4f522ba9c824aea26aad75f49a1086e58

SHA256
ff4c844f9022dc1ee56fc1f49cea6135571c39f66a98480a5fed9ee37f59a57f

SHA512
4386362da73d65b773ab67846972cbf1eee6593a81e0a20f22ce8b5a91de7e01f553906e622b23de071bb11323c014c73204ac4ecc1ee32165dca5c7ee7e124d

Download Submit
memory/688-107-0x0000000001A50000-0x0000000001A98000-memory.dmp

Filesize
288KB

Download
memory/688-109-0x0000000001A50000-0x0000000001A98000-memory.dmp

Filesize
288KB

Download
memory/688-110-0x0000000001A50000-0x0000000001A98000-memory.dmp

Filesize
288KB

Download
memory/688-108-0x0000000001A50000-0x0000000001A98000-memory.dmp

Filesize
288KB

Download
memory/1012-86-0x0000000002250000-0x0000000002298000-memory.dmp

Filesize
288KB

Download
memory/1012-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1012-54-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1012-85-0x0000000002250000-0x0000000002298000-memory.dmp

Filesize
288KB

Download
memory/1012-55-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/1012-111-0x0000000002250000-0x0000000002298000-memory.dmp

Filesize
288KB

Download
memory/1012-56-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1012-103-0x0000000002250000-0x00000000022A0000-memory.dmp

Filesize
320KB

Download
memory/1012-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1012-95-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1012-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1012-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1012-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1012-88-0x0000000002250000-0x0000000002298000-memory.dmp

Filesize
288KB

Download
memory/1012-87-0x0000000002250000-0x0000000002298000-memory.dmp

Filesize
288KB

Download
memory/1012-91-0x0000000002250000-0x00000000022A0000-memory.dmp

Filesize
320KB

Download
memory/1132-69-0x0000000001B50000-0x0000000001B98000-memory.dmp

Filesize
288KB

Download
memory/1132-68-0x0000000001B50000-0x0000000001B98000-memory.dmp

Filesize
288KB

Download
memory/1132-67-0x0000000001B50000-0x0000000001B98000-memory.dmp

Filesize
288KB

Download
memory/1132-65-0x0000000001B50000-0x0000000001B98000-memory.dmp

Filesize
288KB

Download
memory/1132-70-0x0000000001B50000-0x0000000001B98000-memory.dmp

Filesize
288KB

Download
memory/1156-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1156-114-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1156-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1156-102-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1156-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1156-98-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1156-116-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1156-115-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1156-118-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1156-121-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1156-117-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1156-119-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1200-74-0x00000000002B0000-0x00000000002F8000-memory.dmp

Filesize
288KB

Download
memory/1200-73-0x00000000002B0000-0x00000000002F8000-memory.dmp

Filesize
288KB

Download
memory/1200-75-0x00000000002B0000-0x00000000002F8000-memory.dmp

Filesize
288KB

Download
memory/1200-76-0x00000000002B0000-0x00000000002F8000-memory.dmp

Filesize
288KB

Download
memory/1256-79-0x00000000029B0000-0x00000000029F8000-memory.dmp

Filesize
288KB

Download
memory/1256-81-0x00000000029B0000-0x00000000029F8000-memory.dmp

Filesize
288KB

Download
memory/1256-80-0x00000000029B0000-0x00000000029F8000-memory.dmp

Filesize
288KB

Download
memory/1256-82-0x00000000029B0000-0x00000000029F8000-memory.dmp

Filesize
288KB

Download