6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe
Size

228KB
MD5

683972d3db620655aeb076a2da1dbad0
SHA1

30911d7ae02aa2760e7d1c11e9929793984d7147
SHA256

6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa
SHA512

4fc097747cedf1a14f885efa02d9a603b4a992ee61e20948de45715b41aecea79619fcb6689b41c14a7c5628accf2e7108c50e52a3e0312cf443253ba669c4f4
SSDEEP

3072:mMuyeoi3/uRmhxJ5avGJSfme2E/7rBPiQKFw7W/m5qZdWABO4dj41v/:mMlrMJ0uJSfDB/tZNU/nVHj41v/

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1984	qaixm.exe
1952	qaixm.exe

Deletes itself 1 IoCs

pid	Process
980	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1692	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe
1692	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1372 set thread context of 1692	1372	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	28
PID 1984 set thread context of 1952	1984	qaixm.exe	30

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\2F944F46-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1952	qaixm.exe
1952	qaixm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1692	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe
Token: SeManageVolumePrivilege	1700	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1700	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1700	WinMail.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1372	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe
1984	qaixm.exe
1700	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1692	1372	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	28
PID 1372 wrote to memory of 1692	1372	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	28
PID 1372 wrote to memory of 1692	1372	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	28
PID 1372 wrote to memory of 1692	1372	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	28
PID 1372 wrote to memory of 1692	1372	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	28
PID 1372 wrote to memory of 1692	1372	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	28
PID 1372 wrote to memory of 1692	1372	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	28
PID 1372 wrote to memory of 1692	1372	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	28
PID 1372 wrote to memory of 1692	1372	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	28
PID 1692 wrote to memory of 1984	1692	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	29
PID 1692 wrote to memory of 1984	1692	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	29
PID 1692 wrote to memory of 1984	1692	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	29
PID 1692 wrote to memory of 1984	1692	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	29
PID 1984 wrote to memory of 1952	1984	qaixm.exe	30
PID 1984 wrote to memory of 1952	1984	qaixm.exe	30
PID 1984 wrote to memory of 1952	1984	qaixm.exe	30
PID 1984 wrote to memory of 1952	1984	qaixm.exe	30
PID 1984 wrote to memory of 1952	1984	qaixm.exe	30
PID 1984 wrote to memory of 1952	1984	qaixm.exe	30
PID 1984 wrote to memory of 1952	1984	qaixm.exe	30
PID 1984 wrote to memory of 1952	1984	qaixm.exe	30
PID 1984 wrote to memory of 1952	1984	qaixm.exe	30
PID 1692 wrote to memory of 980	1692	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	31
PID 1692 wrote to memory of 980	1692	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	31
PID 1692 wrote to memory of 980	1692	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	31
PID 1692 wrote to memory of 980	1692	6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe	31
PID 1952 wrote to memory of 1476	1952	qaixm.exe	32
PID 1952 wrote to memory of 1476	1952	qaixm.exe	32
PID 1952 wrote to memory of 1476	1952	qaixm.exe	32
PID 1952 wrote to memory of 1476	1952	qaixm.exe	32
PID 1952 wrote to memory of 1476	1952	qaixm.exe	32
PID 1952 wrote to memory of 1476	1952	qaixm.exe	32
PID 1952 wrote to memory of 1476	1952	qaixm.exe	32
PID 1952 wrote to memory of 1476	1952	qaixm.exe	32
PID 1952 wrote to memory of 1476	1952	qaixm.exe	32
PID 1952 wrote to memory of 1476	1952	qaixm.exe	32
PID 1952 wrote to memory of 1476	1952	qaixm.exe	32
PID 1476 wrote to memory of 1384	1476	explorer.exe	15
PID 1476 wrote to memory of 1384	1476	explorer.exe	15
PID 1952 wrote to memory of 1232	1952	qaixm.exe	17
PID 1952 wrote to memory of 1232	1952	qaixm.exe	17
PID 1952 wrote to memory of 1232	1952	qaixm.exe	17
PID 1952 wrote to memory of 1232	1952	qaixm.exe	17
PID 1952 wrote to memory of 1232	1952	qaixm.exe	17
PID 1952 wrote to memory of 1232	1952	qaixm.exe	17
PID 1952 wrote to memory of 1232	1952	qaixm.exe	17
PID 1952 wrote to memory of 1320	1952	qaixm.exe	16
PID 1952 wrote to memory of 1320	1952	qaixm.exe	16
PID 1952 wrote to memory of 1320	1952	qaixm.exe	16
PID 1952 wrote to memory of 1320	1952	qaixm.exe	16
PID 1952 wrote to memory of 1320	1952	qaixm.exe	16
PID 1952 wrote to memory of 1320	1952	qaixm.exe	16
PID 1952 wrote to memory of 1320	1952	qaixm.exe	16
PID 1952 wrote to memory of 1384	1952	qaixm.exe	15
PID 1952 wrote to memory of 1384	1952	qaixm.exe	15
PID 1952 wrote to memory of 1384	1952	qaixm.exe	15
PID 1952 wrote to memory of 1384	1952	qaixm.exe	15
PID 1952 wrote to memory of 1384	1952	qaixm.exe	15
PID 1952 wrote to memory of 1384	1952	qaixm.exe	15
PID 1952 wrote to memory of 1384	1952	qaixm.exe	15
PID 1952 wrote to memory of 1700	1952	qaixm.exe	34
PID 1952 wrote to memory of 1700	1952	qaixm.exe	34
PID 1952 wrote to memory of 1700	1952	qaixm.exe	34
PID 1952 wrote to memory of 1700	1952	qaixm.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe
  "C:\Users\Admin\AppData\Local\Temp\6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe
    C:\Users\Admin\AppData\Local\Temp\6f1090217874809b3ab32fef4b84fa8ea3173fc29c256c1e7d04a4f5754f16fa.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Users\Admin\AppData\Roaming\Sooke\qaixm.exe
      "C:\Users\Admin\AppData\Roaming\Sooke\qaixm.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Users\Admin\AppData\Roaming\Sooke\qaixm.exe
        
        C:\Users\Admin\AppData\Roaming\Sooke\qaixm.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        6⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1476
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp730125a7.bat"
      4⤵
      Deletes itself
      PID:980

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1320

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1232

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1700

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1260

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp730125a7.bat

Filesize
307B

MD5
ade8f2b3091bc26be14ec62ae70b44f9

SHA1
03ba59dc18236aa5cb675b661a1058a4dfa1d23c

SHA256
d4a9cd11ef5e40f28b4917ea22336ca9d6f84ab2112271aeea51666030f691fd

SHA512
fb00fcf4e925224ca0e89433b4da1d2763f180c99230e873545701f03342742bbaf602bf2c5d1c2d0631dc286fb37414c34343386625332e0109ff1631330418

Download Submit
C:\Users\Admin\AppData\Roaming\Sooke\qaixm.exe

Filesize
228KB

MD5
2d7764d8258831a27acb89eab6334c9b

SHA1
e0cc49580256e36c3b11daf7a481f079dd19faa2

SHA256
89914c0394d0584e60c8f72a193e179e2f8b347ff49fda353f3ac61ffd292c91

SHA512
f3f98ab72f276d021fd77196b6c098e9c51bfc63e64bdf187696ca34ca67acd33e6bbcc44733a1bca83310406f4f757e0cbc368e2838bdc388fb77700995c715

Download Submit
C:\Users\Admin\AppData\Roaming\Sooke\qaixm.exe

Filesize
228KB

MD5
2d7764d8258831a27acb89eab6334c9b

SHA1
e0cc49580256e36c3b11daf7a481f079dd19faa2

SHA256
89914c0394d0584e60c8f72a193e179e2f8b347ff49fda353f3ac61ffd292c91

SHA512
f3f98ab72f276d021fd77196b6c098e9c51bfc63e64bdf187696ca34ca67acd33e6bbcc44733a1bca83310406f4f757e0cbc368e2838bdc388fb77700995c715

Download Submit
C:\Users\Admin\AppData\Roaming\Sooke\qaixm.exe

Filesize
228KB

MD5
2d7764d8258831a27acb89eab6334c9b

SHA1
e0cc49580256e36c3b11daf7a481f079dd19faa2

SHA256
89914c0394d0584e60c8f72a193e179e2f8b347ff49fda353f3ac61ffd292c91

SHA512
f3f98ab72f276d021fd77196b6c098e9c51bfc63e64bdf187696ca34ca67acd33e6bbcc44733a1bca83310406f4f757e0cbc368e2838bdc388fb77700995c715

Download Submit
\Users\Admin\AppData\Roaming\Sooke\qaixm.exe

Filesize
228KB

MD5
2d7764d8258831a27acb89eab6334c9b

SHA1
e0cc49580256e36c3b11daf7a481f079dd19faa2

SHA256
89914c0394d0584e60c8f72a193e179e2f8b347ff49fda353f3ac61ffd292c91

SHA512
f3f98ab72f276d021fd77196b6c098e9c51bfc63e64bdf187696ca34ca67acd33e6bbcc44733a1bca83310406f4f757e0cbc368e2838bdc388fb77700995c715

Download Submit
\Users\Admin\AppData\Roaming\Sooke\qaixm.exe

Filesize
228KB

MD5
2d7764d8258831a27acb89eab6334c9b

SHA1
e0cc49580256e36c3b11daf7a481f079dd19faa2

SHA256
89914c0394d0584e60c8f72a193e179e2f8b347ff49fda353f3ac61ffd292c91

SHA512
f3f98ab72f276d021fd77196b6c098e9c51bfc63e64bdf187696ca34ca67acd33e6bbcc44733a1bca83310406f4f757e0cbc368e2838bdc388fb77700995c715

Download Submit
memory/1232-121-0x0000000000210000-0x000000000023C000-memory.dmp

Filesize
176KB

Download
memory/1232-123-0x0000000000210000-0x000000000023C000-memory.dmp

Filesize
176KB

Download
memory/1232-122-0x0000000000210000-0x000000000023C000-memory.dmp

Filesize
176KB

Download
memory/1232-124-0x0000000000210000-0x000000000023C000-memory.dmp

Filesize
176KB

Download
memory/1232-119-0x0000000000210000-0x000000000023C000-memory.dmp

Filesize
176KB

Download
memory/1320-127-0x0000000001B40000-0x0000000001B6C000-memory.dmp

Filesize
176KB

Download
memory/1320-129-0x0000000001B40000-0x0000000001B6C000-memory.dmp

Filesize
176KB

Download
memory/1320-130-0x0000000001B40000-0x0000000001B6C000-memory.dmp

Filesize
176KB

Download
memory/1320-131-0x0000000001B40000-0x0000000001B6C000-memory.dmp

Filesize
176KB

Download
memory/1320-132-0x0000000001B40000-0x0000000001B6C000-memory.dmp

Filesize
176KB

Download
memory/1372-64-0x0000000000310000-0x0000000000314000-memory.dmp

Filesize
16KB

Download
memory/1372-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1476-93-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1476-96-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1476-95-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1476-94-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1476-97-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1476-92-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1476-166-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1476-100-0x00000000752C1000-0x00000000752C3000-memory.dmp

Filesize
8KB

Download
memory/1476-101-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/1692-56-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1692-88-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1692-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1692-67-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1692-55-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1692-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1692-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1692-58-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1700-104-0x000007FEF6D91000-0x000007FEF6D93000-memory.dmp

Filesize
8KB

Download
memory/1700-105-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/1700-111-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/1700-103-0x000007FEFC371000-0x000007FEFC373000-memory.dmp

Filesize
8KB

Download
memory/1952-102-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-165-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download