7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe
Size

301KB
MD5

61bb8b121f44b62f5a4e863ff6ceb0f0
SHA1

ef227419dc821485a22836576d4e0fae62d6490c
SHA256

7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164
SHA512

38bcf7e9f99221c49ac52351cab471b495eeb9f6e656b8a927e8c49de2636282e6dcadaab75bf49a354439a98a117d438d6a0f0073dcb05dd23ea1da31824103
SSDEEP

6144:g78nTpnyRPYZWG5U5X5WqoAY7O3Q9KL8W7p7bo:28nkQEG254qFgOgoLxp7bo

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1148	reqe.exe

Deletes itself 1 IoCs

pid	Process
1556	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1408	7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe
1408	7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	reqe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Emac\\reqe.exe"	reqe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1408 set thread context of 1556	1408	7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe	28

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe
1148	reqe.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1148	1408	7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe	27
PID 1408 wrote to memory of 1148	1408	7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe	27
PID 1408 wrote to memory of 1148	1408	7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe	27
PID 1408 wrote to memory of 1148	1408	7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe	27
PID 1148 wrote to memory of 1200	1148	reqe.exe	17
PID 1148 wrote to memory of 1200	1148	reqe.exe	17
PID 1148 wrote to memory of 1200	1148	reqe.exe	17
PID 1148 wrote to memory of 1200	1148	reqe.exe	17
PID 1148 wrote to memory of 1200	1148	reqe.exe	17
PID 1148 wrote to memory of 1308	1148	reqe.exe	10
PID 1148 wrote to memory of 1308	1148	reqe.exe	10
PID 1148 wrote to memory of 1308	1148	reqe.exe	10
PID 1148 wrote to memory of 1308	1148	reqe.exe	10
PID 1148 wrote to memory of 1308	1148	reqe.exe	10
PID 1148 wrote to memory of 1348	1148	reqe.exe	16
PID 1148 wrote to memory of 1348	1148	reqe.exe	16
PID 1148 wrote to memory of 1348	1148	reqe.exe	16
PID 1148 wrote to memory of 1348	1148	reqe.exe	16
PID 1148 wrote to memory of 1348	1148	reqe.exe	16
PID 1148 wrote to memory of 1408	1148	reqe.exe	26
PID 1148 wrote to memory of 1408	1148	reqe.exe	26
PID 1148 wrote to memory of 1408	1148	reqe.exe	26
PID 1148 wrote to memory of 1408	1148	reqe.exe	26
PID 1148 wrote to memory of 1408	1148	reqe.exe	26
PID 1408 wrote to memory of 1556	1408	7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe	28
PID 1408 wrote to memory of 1556	1408	7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe	28
PID 1408 wrote to memory of 1556	1408	7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe	28
PID 1408 wrote to memory of 1556	1408	7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe	28
PID 1408 wrote to memory of 1556	1408	7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe	28
PID 1408 wrote to memory of 1556	1408	7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe	28
PID 1408 wrote to memory of 1556	1408	7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe	28
PID 1408 wrote to memory of 1556	1408	7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe	28
PID 1408 wrote to memory of 1556	1408	7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe	28

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1308

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1348
- C:\Users\Admin\AppData\Local\Temp\7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe
  "C:\Users\Admin\AppData\Local\Temp\7e0635764b5780aedcb4126c661e4859f61a0e2a64c9dc5d8db00c94fa02f164.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Users\Admin\AppData\Roaming\Emac\reqe.exe
    "C:\Users\Admin\AppData\Roaming\Emac\reqe.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf1453693.bat"
    3⤵
    - Deletes itself
    PID:1556

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpf1453693.bat

Filesize
307B

MD5
7f189a649fde476f2f75bee22ef41d5b

SHA1
1aa94986173749add8351a9112e5ae8bf5d4ee46

SHA256
3b0d507df960b60e30ad7ddbfa863ef6f1f7a97994d38aba6598f53d1e02edef

SHA512
e5213bd8c99f662c91c5c75ad7ddc7eb99371df1f0e408a58b9d80295d04510a11879b55a1f581f20a7cb43a9ebfb1132be0f0f83357adf6342b81c6aaeecd4a

Download Submit
C:\Users\Admin\AppData\Roaming\Emac\reqe.exe

Filesize
301KB

MD5
a4bbb0c2f1a880df41528d88efa67299

SHA1
3513cbaf01a217d05332491685f123d0fbe98020

SHA256
6d4390bb2694f7b9d9de775ea9322b82963e3b3e63214e55b213cd857874c415

SHA512
a6af689ec16e1ed1492bbf68b4ca39cd3bd68ad310137c696916319b16d8bfff53c8041671b3494e25742796bcc1002ea4b0e2056fef6f53d49b9f60281f3493

Download Submit
C:\Users\Admin\AppData\Roaming\Emac\reqe.exe

Filesize
301KB

MD5
a4bbb0c2f1a880df41528d88efa67299

SHA1
3513cbaf01a217d05332491685f123d0fbe98020

SHA256
6d4390bb2694f7b9d9de775ea9322b82963e3b3e63214e55b213cd857874c415

SHA512
a6af689ec16e1ed1492bbf68b4ca39cd3bd68ad310137c696916319b16d8bfff53c8041671b3494e25742796bcc1002ea4b0e2056fef6f53d49b9f60281f3493

Download Submit
\Users\Admin\AppData\Roaming\Emac\reqe.exe

Filesize
301KB

MD5
a4bbb0c2f1a880df41528d88efa67299

SHA1
3513cbaf01a217d05332491685f123d0fbe98020

SHA256
6d4390bb2694f7b9d9de775ea9322b82963e3b3e63214e55b213cd857874c415

SHA512
a6af689ec16e1ed1492bbf68b4ca39cd3bd68ad310137c696916319b16d8bfff53c8041671b3494e25742796bcc1002ea4b0e2056fef6f53d49b9f60281f3493

Download Submit
\Users\Admin\AppData\Roaming\Emac\reqe.exe

Filesize
301KB

MD5
a4bbb0c2f1a880df41528d88efa67299

SHA1
3513cbaf01a217d05332491685f123d0fbe98020

SHA256
6d4390bb2694f7b9d9de775ea9322b82963e3b3e63214e55b213cd857874c415

SHA512
a6af689ec16e1ed1492bbf68b4ca39cd3bd68ad310137c696916319b16d8bfff53c8041671b3494e25742796bcc1002ea4b0e2056fef6f53d49b9f60281f3493

Download Submit
memory/1148-59-0x0000000000000000-mapping.dmp

Download
memory/1200-65-0x0000000001F50000-0x0000000001F98000-memory.dmp

Filesize
288KB

Download
memory/1200-67-0x0000000001F50000-0x0000000001F98000-memory.dmp

Filesize
288KB

Download
memory/1200-70-0x0000000001F50000-0x0000000001F98000-memory.dmp

Filesize
288KB

Download
memory/1200-69-0x0000000001F50000-0x0000000001F98000-memory.dmp

Filesize
288KB

Download
memory/1200-68-0x0000000001F50000-0x0000000001F98000-memory.dmp

Filesize
288KB

Download
memory/1308-73-0x00000000001A0000-0x00000000001E8000-memory.dmp

Filesize
288KB

Download
memory/1308-74-0x00000000001A0000-0x00000000001E8000-memory.dmp

Filesize
288KB

Download
memory/1308-75-0x00000000001A0000-0x00000000001E8000-memory.dmp

Filesize
288KB

Download
memory/1308-76-0x00000000001A0000-0x00000000001E8000-memory.dmp

Filesize
288KB

Download
memory/1348-82-0x0000000002630000-0x0000000002678000-memory.dmp

Filesize
288KB

Download
memory/1348-81-0x0000000002630000-0x0000000002678000-memory.dmp

Filesize
288KB

Download
memory/1348-79-0x0000000002630000-0x0000000002678000-memory.dmp

Filesize
288KB

Download
memory/1348-80-0x0000000002630000-0x0000000002678000-memory.dmp

Filesize
288KB

Download
memory/1408-86-0x0000000000450000-0x0000000000498000-memory.dmp

Filesize
288KB

Download
memory/1408-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1408-85-0x0000000000450000-0x0000000000498000-memory.dmp

Filesize
288KB

Download
memory/1408-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1408-87-0x0000000000450000-0x0000000000498000-memory.dmp

Filesize
288KB

Download
memory/1408-88-0x0000000000450000-0x0000000000498000-memory.dmp

Filesize
288KB

Download
memory/1408-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1408-103-0x0000000000450000-0x0000000000498000-memory.dmp

Filesize
288KB

Download
memory/1408-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1408-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1408-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1408-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1408-56-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/1408-55-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1556-99-0x00000000001B0000-0x00000000001F8000-memory.dmp

Filesize
288KB

Download
memory/1556-101-0x00000000001B0000-0x00000000001F8000-memory.dmp

Filesize
288KB

Download
memory/1556-102-0x00000000001BBBB4-mapping.dmp

Download
memory/1556-100-0x00000000001B0000-0x00000000001F8000-memory.dmp

Filesize
288KB

Download
memory/1556-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1556-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1556-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1556-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1556-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1556-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1556-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1556-97-0x00000000001B0000-0x00000000001F8000-memory.dmp

Filesize
288KB

Download
memory/1556-113-0x00000000001B0000-0x00000000001F8000-memory.dmp

Filesize
288KB

Download