d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee

Analysis

max time kernel
188s
max time network
199s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 07:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe
Size

321KB
MD5

20baa49a89186ed3d004f2b52c401026
SHA1

9adce31e8a74b1ab09bfaada121c5b2ec190eedc
SHA256

d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee
SHA512

f5878733310f038efca7a57c562efc611e746c5beb8008d9220e74711bfa1c21b63bab605be3fd531de296dda07f8ae3bcbc42580eae299bda4b3f5094a59068
SSDEEP

6144:JT+FQond7qswMHScIOq1G/PuRnC2CkErfof7:UFhn/ycBqwuRC2gcf7

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1936	waotij.exe

Deletes itself 1 IoCs

pid	Process
1156	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe
1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	waotij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Qeahli\\waotij.exe"	waotij.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 1156	1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe
1936	waotij.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe
1936	waotij.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1936	1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe	28
PID 1720 wrote to memory of 1936	1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe	28
PID 1720 wrote to memory of 1936	1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe	28
PID 1720 wrote to memory of 1936	1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe	28
PID 1936 wrote to memory of 1116	1936	waotij.exe	13
PID 1936 wrote to memory of 1116	1936	waotij.exe	13
PID 1936 wrote to memory of 1116	1936	waotij.exe	13
PID 1936 wrote to memory of 1116	1936	waotij.exe	13
PID 1936 wrote to memory of 1116	1936	waotij.exe	13
PID 1936 wrote to memory of 1176	1936	waotij.exe	5
PID 1936 wrote to memory of 1176	1936	waotij.exe	5
PID 1936 wrote to memory of 1176	1936	waotij.exe	5
PID 1936 wrote to memory of 1176	1936	waotij.exe	5
PID 1936 wrote to memory of 1176	1936	waotij.exe	5
PID 1936 wrote to memory of 1216	1936	waotij.exe	12
PID 1936 wrote to memory of 1216	1936	waotij.exe	12
PID 1936 wrote to memory of 1216	1936	waotij.exe	12
PID 1936 wrote to memory of 1216	1936	waotij.exe	12
PID 1936 wrote to memory of 1216	1936	waotij.exe	12
PID 1936 wrote to memory of 1720	1936	waotij.exe	14
PID 1936 wrote to memory of 1720	1936	waotij.exe	14
PID 1936 wrote to memory of 1720	1936	waotij.exe	14
PID 1936 wrote to memory of 1720	1936	waotij.exe	14
PID 1936 wrote to memory of 1720	1936	waotij.exe	14
PID 1720 wrote to memory of 1156	1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe	29
PID 1720 wrote to memory of 1156	1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe	29
PID 1720 wrote to memory of 1156	1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe	29
PID 1720 wrote to memory of 1156	1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe	29
PID 1720 wrote to memory of 1156	1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe	29
PID 1720 wrote to memory of 1156	1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe	29
PID 1720 wrote to memory of 1156	1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe	29
PID 1720 wrote to memory of 1156	1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe	29
PID 1720 wrote to memory of 1156	1720	d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe	29

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe
  "C:\Users\Admin\AppData\Local\Temp\d860d867e4de6762b3054fe6b741b614c44249a79020783e477e48061c3abfee.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Roaming\Qeahli\waotij.exe
    "C:\Users\Admin\AppData\Roaming\Qeahli\waotij.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc0b76cdb.bat"
    3⤵
    - Deletes itself
    PID:1156

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpc0b76cdb.bat

Filesize
307B

MD5
cef8681cb18c9da65ce58aff1c2a27bd

SHA1
30eb0607d30a59c067030f10fe022440be1b3046

SHA256
f956e653559e7099bf2661184f9911c5a0b3d6f4c277dda4a5e4cbfe9032fbd1

SHA512
cfa7c6ad7f4bec1d9d253584bb50f1dccb1c57848df5565003d60e858a56701c41a29a0450a414a3b6ff67b0948973b2f1b6847b4e42865afd5e40027199cdee

Download Submit
C:\Users\Admin\AppData\Roaming\Qeahli\waotij.exe

Filesize
321KB

MD5
e3a16522fc9e6e28b6bb54a23f09005c

SHA1
cf56f527795f33e13ca018aeb16e985d3c600270

SHA256
2b55af31dba07abc6ebe651937701a7f73edd88cb8fbd0470eb823e063bc9207

SHA512
043d432a0c98ab2964a127855873981ad9e7a06d95b13ffb182168d28ae07a04ef1024fbcb2b9e660e88b5404ec1a02b85374dacd71ce21a5c5c4a7be0c7aea9

Download Submit
C:\Users\Admin\AppData\Roaming\Qeahli\waotij.exe

Filesize
321KB

MD5
e3a16522fc9e6e28b6bb54a23f09005c

SHA1
cf56f527795f33e13ca018aeb16e985d3c600270

SHA256
2b55af31dba07abc6ebe651937701a7f73edd88cb8fbd0470eb823e063bc9207

SHA512
043d432a0c98ab2964a127855873981ad9e7a06d95b13ffb182168d28ae07a04ef1024fbcb2b9e660e88b5404ec1a02b85374dacd71ce21a5c5c4a7be0c7aea9

Download Submit
\Users\Admin\AppData\Roaming\Qeahli\waotij.exe

Filesize
321KB

MD5
e3a16522fc9e6e28b6bb54a23f09005c

SHA1
cf56f527795f33e13ca018aeb16e985d3c600270

SHA256
2b55af31dba07abc6ebe651937701a7f73edd88cb8fbd0470eb823e063bc9207

SHA512
043d432a0c98ab2964a127855873981ad9e7a06d95b13ffb182168d28ae07a04ef1024fbcb2b9e660e88b5404ec1a02b85374dacd71ce21a5c5c4a7be0c7aea9

Download Submit
\Users\Admin\AppData\Roaming\Qeahli\waotij.exe

Filesize
321KB

MD5
e3a16522fc9e6e28b6bb54a23f09005c

SHA1
cf56f527795f33e13ca018aeb16e985d3c600270

SHA256
2b55af31dba07abc6ebe651937701a7f73edd88cb8fbd0470eb823e063bc9207

SHA512
043d432a0c98ab2964a127855873981ad9e7a06d95b13ffb182168d28ae07a04ef1024fbcb2b9e660e88b5404ec1a02b85374dacd71ce21a5c5c4a7be0c7aea9

Download Submit
memory/1116-65-0x0000000001CD0000-0x0000000001D14000-memory.dmp

Filesize
272KB

Download
memory/1116-70-0x0000000001CD0000-0x0000000001D14000-memory.dmp

Filesize
272KB

Download
memory/1116-69-0x0000000001CD0000-0x0000000001D14000-memory.dmp

Filesize
272KB

Download
memory/1116-68-0x0000000001CD0000-0x0000000001D14000-memory.dmp

Filesize
272KB

Download
memory/1116-67-0x0000000001CD0000-0x0000000001D14000-memory.dmp

Filesize
272KB

Download
memory/1156-95-0x0000000000160000-0x00000000001A4000-memory.dmp

Filesize
272KB

Download
memory/1156-91-0x0000000000160000-0x00000000001A4000-memory.dmp

Filesize
272KB

Download
memory/1156-107-0x0000000000160000-0x00000000001A4000-memory.dmp

Filesize
272KB

Download
memory/1156-97-0x0000000000160000-0x00000000001A4000-memory.dmp

Filesize
272KB

Download
memory/1156-93-0x0000000000160000-0x00000000001A4000-memory.dmp

Filesize
272KB

Download
memory/1176-76-0x0000000001C60000-0x0000000001CA4000-memory.dmp

Filesize
272KB

Download
memory/1176-74-0x0000000001C60000-0x0000000001CA4000-memory.dmp

Filesize
272KB

Download
memory/1176-75-0x0000000001C60000-0x0000000001CA4000-memory.dmp

Filesize
272KB

Download
memory/1176-73-0x0000000001C60000-0x0000000001CA4000-memory.dmp

Filesize
272KB

Download
memory/1216-79-0x0000000002240000-0x0000000002284000-memory.dmp

Filesize
272KB

Download
memory/1216-80-0x0000000002240000-0x0000000002284000-memory.dmp

Filesize
272KB

Download
memory/1216-81-0x0000000002240000-0x0000000002284000-memory.dmp

Filesize
272KB

Download
memory/1216-82-0x0000000002240000-0x0000000002284000-memory.dmp

Filesize
272KB

Download
memory/1720-100-0x00000000005C0000-0x0000000000616000-memory.dmp

Filesize
344KB

Download
memory/1720-85-0x00000000005C0000-0x0000000000604000-memory.dmp

Filesize
272KB

Download
memory/1720-88-0x00000000005C0000-0x0000000000604000-memory.dmp

Filesize
272KB

Download
memory/1720-86-0x00000000005C0000-0x0000000000604000-memory.dmp

Filesize
272KB

Download
memory/1720-94-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1720-87-0x00000000005C0000-0x0000000000604000-memory.dmp

Filesize
272KB

Download
memory/1720-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1720-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1720-56-0x00000000004D0000-0x0000000000526000-memory.dmp

Filesize
344KB

Download
memory/1720-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1720-55-0x0000000000290000-0x00000000002D4000-memory.dmp

Filesize
272KB

Download
memory/1720-104-0x00000000005C0000-0x0000000000604000-memory.dmp

Filesize
272KB

Download
memory/1720-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1720-102-0x00000000004D0000-0x0000000000526000-memory.dmp

Filesize
344KB

Download
memory/1936-96-0x0000000001BF0000-0x0000000001C34000-memory.dmp

Filesize
272KB

Download
memory/1936-99-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1936-98-0x0000000001C40000-0x0000000001C96000-memory.dmp

Filesize
344KB

Download