613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48

Analysis

max time kernel
151s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-10-2022 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe
Size

923KB
MD5

9196a1445ad984c1b1b38b8ed52c3940
SHA1

aa261424294874cc761770e64829b15c3e72d1bb
SHA256

613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48
SHA512

e34574cd61f8e244eabd1ebe93b602f278a6ce09643fa9811abd66a8753c0419bace3b00a6ab0a23d0295527faa47135358c232a4917cb47ae66ac6f2451038a
SSDEEP

24576:WRmJkcoQricOIQxiZY1iarii4S7zNOqZ4BirV:zJZoQrbTFZY1iarii4S7f4gh

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1728	xuqu.exe
1932	xuqu.exe

Deletes itself 1 IoCs

pid	Process
832	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1748	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	xuqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{4F1EECAA-D85A-D679-B744-220C9C4FFF64} = "C:\\Users\\Admin\\AppData\\Roaming\\Ileg\\xuqu.exe"	xuqu.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000a0000000132f6-67.dat	autoit_exe
behavioral1/files/0x000a0000000132f6-69.dat	autoit_exe
behavioral1/files/0x000a0000000132f6-71.dat	autoit_exe
behavioral1/files/0x000a0000000132f6-80.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1828 set thread context of 1748	1828	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	27
PID 1728 set thread context of 1932	1728	xuqu.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe
1932	xuqu.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1748	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe
Token: SeSecurityPrivilege	1748	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe
Token: SeSecurityPrivilege	1748	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1828	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe
1828	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe
1828	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe
1728	xuqu.exe
1728	xuqu.exe
1728	xuqu.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1828	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe
1828	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe
1828	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe
1728	xuqu.exe
1728	xuqu.exe
1728	xuqu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 1748	1828	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	27
PID 1828 wrote to memory of 1748	1828	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	27
PID 1828 wrote to memory of 1748	1828	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	27
PID 1828 wrote to memory of 1748	1828	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	27
PID 1828 wrote to memory of 1748	1828	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	27
PID 1828 wrote to memory of 1748	1828	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	27
PID 1828 wrote to memory of 1748	1828	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	27
PID 1828 wrote to memory of 1748	1828	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	27
PID 1748 wrote to memory of 1728	1748	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	28
PID 1748 wrote to memory of 1728	1748	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	28
PID 1748 wrote to memory of 1728	1748	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	28
PID 1748 wrote to memory of 1728	1748	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	28
PID 1728 wrote to memory of 1932	1728	xuqu.exe	29
PID 1728 wrote to memory of 1932	1728	xuqu.exe	29
PID 1728 wrote to memory of 1932	1728	xuqu.exe	29
PID 1728 wrote to memory of 1932	1728	xuqu.exe	29
PID 1728 wrote to memory of 1932	1728	xuqu.exe	29
PID 1728 wrote to memory of 1932	1728	xuqu.exe	29
PID 1728 wrote to memory of 1932	1728	xuqu.exe	29
PID 1728 wrote to memory of 1932	1728	xuqu.exe	29
PID 1932 wrote to memory of 1112	1932	xuqu.exe	10
PID 1932 wrote to memory of 1112	1932	xuqu.exe	10
PID 1932 wrote to memory of 1112	1932	xuqu.exe	10
PID 1932 wrote to memory of 1112	1932	xuqu.exe	10
PID 1932 wrote to memory of 1112	1932	xuqu.exe	10
PID 1932 wrote to memory of 1172	1932	xuqu.exe	17
PID 1932 wrote to memory of 1172	1932	xuqu.exe	17
PID 1932 wrote to memory of 1172	1932	xuqu.exe	17
PID 1932 wrote to memory of 1172	1932	xuqu.exe	17
PID 1932 wrote to memory of 1172	1932	xuqu.exe	17
PID 1932 wrote to memory of 1212	1932	xuqu.exe	15
PID 1932 wrote to memory of 1212	1932	xuqu.exe	15
PID 1932 wrote to memory of 1212	1932	xuqu.exe	15
PID 1932 wrote to memory of 1212	1932	xuqu.exe	15
PID 1932 wrote to memory of 1212	1932	xuqu.exe	15
PID 1932 wrote to memory of 1748	1932	xuqu.exe	27
PID 1932 wrote to memory of 1748	1932	xuqu.exe	27
PID 1932 wrote to memory of 1748	1932	xuqu.exe	27
PID 1932 wrote to memory of 1748	1932	xuqu.exe	27
PID 1932 wrote to memory of 1748	1932	xuqu.exe	27
PID 1748 wrote to memory of 832	1748	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	30
PID 1748 wrote to memory of 832	1748	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	30
PID 1748 wrote to memory of 832	1748	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	30
PID 1748 wrote to memory of 832	1748	613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe	30
PID 1932 wrote to memory of 832	1932	xuqu.exe	30
PID 1932 wrote to memory of 832	1932	xuqu.exe	30
PID 1932 wrote to memory of 832	1932	xuqu.exe	30
PID 1932 wrote to memory of 832	1932	xuqu.exe	30
PID 1932 wrote to memory of 832	1932	xuqu.exe	30
PID 1932 wrote to memory of 1992	1932	xuqu.exe	31
PID 1932 wrote to memory of 1320	1932	xuqu.exe	32
PID 1932 wrote to memory of 1320	1932	xuqu.exe	32
PID 1932 wrote to memory of 1320	1932	xuqu.exe	32
PID 1932 wrote to memory of 1320	1932	xuqu.exe	32
PID 1932 wrote to memory of 1320	1932	xuqu.exe	32
PID 1932 wrote to memory of 1808	1932	xuqu.exe	33
PID 1932 wrote to memory of 1808	1932	xuqu.exe	33
PID 1932 wrote to memory of 1808	1932	xuqu.exe	33
PID 1932 wrote to memory of 1808	1932	xuqu.exe	33
PID 1932 wrote to memory of 1808	1932	xuqu.exe	33
PID 1932 wrote to memory of 2000	1932	xuqu.exe	34
PID 1932 wrote to memory of 2000	1932	xuqu.exe	34
PID 1932 wrote to memory of 2000	1932	xuqu.exe	34
PID 1932 wrote to memory of 2000	1932	xuqu.exe	34

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe
  "C:\Users\Admin\AppData\Local\Temp\613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe
    "C:\Users\Admin\AppData\Local\Temp\613e5cae13064cfe7c5a21d5698b18b5184cbf586a1826ab8457f694310ccb48.exe"
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Users\Admin\AppData\Roaming\Ileg\xuqu.exe
      "C:\Users\Admin\AppData\Roaming\Ileg\xuqu.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Users\Admin\AppData\Roaming\Ileg\xuqu.exe
        
        "C:\Users\Admin\AppData\Roaming\Ileg\xuqu.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7e40e83a.bat"
      4⤵
      Deletes itself
      PID:832

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3119493771438832212742793866-1665390612-63225239512350814825179880341409239703"
1⤵
PID:1992

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1320

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1808

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2000

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7e40e83a.bat

Filesize
307B

MD5
02404f961fc5c0027b86fd9ab90c91c5

SHA1
bb9b70228928507dba6ed048bf2767d96165acf7

SHA256
d5e839beafd73dd7dfe5d87921ccca112d99ed5c6d512e8f028aec475f5522ab

SHA512
cc011eeb63ab6f652a745077d9503bdbc566b28f8898b6df4c5a65f28b83a8c48fef9f52fe7f85faacb5317eada4b976743d550ed11b541a10ed4caa0602270d

Download Submit
C:\Users\Admin\AppData\Roaming\Ileg\xuqu.exe

Filesize
923KB

MD5
1f3829a2a428b74b3665263ed3df4203

SHA1
4675d3582260194e862733f810558dfc8d5e5349

SHA256
6f003fbb853cd5eca77f8357b95d954923a710ae9310e78e3a4e2603dd77ab6b

SHA512
c28d4a1af2773e12cdb11e338bbed61b2cf4f0c63f70ab060811ad2a4dc0ec95028d2255e678601ef7c4e161dfdceecf8a2a9536a16e228d899d3ceca5f3cef4

Download Submit
C:\Users\Admin\AppData\Roaming\Ileg\xuqu.exe

Filesize
923KB

MD5
1f3829a2a428b74b3665263ed3df4203

SHA1
4675d3582260194e862733f810558dfc8d5e5349

SHA256
6f003fbb853cd5eca77f8357b95d954923a710ae9310e78e3a4e2603dd77ab6b

SHA512
c28d4a1af2773e12cdb11e338bbed61b2cf4f0c63f70ab060811ad2a4dc0ec95028d2255e678601ef7c4e161dfdceecf8a2a9536a16e228d899d3ceca5f3cef4

Download Submit
C:\Users\Admin\AppData\Roaming\Ileg\xuqu.exe

Filesize
923KB

MD5
1f3829a2a428b74b3665263ed3df4203

SHA1
4675d3582260194e862733f810558dfc8d5e5349

SHA256
6f003fbb853cd5eca77f8357b95d954923a710ae9310e78e3a4e2603dd77ab6b

SHA512
c28d4a1af2773e12cdb11e338bbed61b2cf4f0c63f70ab060811ad2a4dc0ec95028d2255e678601ef7c4e161dfdceecf8a2a9536a16e228d899d3ceca5f3cef4

Download Submit
C:\Users\Admin\AppData\Roaming\Vodu\baawe.fiu

Filesize
398B

MD5
b417057b65331a8de2829c10fa0e49d0

SHA1
2db0d867b3dacf0b809d90351ae369d3209b89bc

SHA256
7bb957473178562c7d906ab5121ce613aa5e996b52a9f98d332743a23384446c

SHA512
8f46922de31f4cb81bcd406257cf2b47b31a8bf91b9054e55a96aff5060c8fa50152ceef58dc0bc9b6a6aab510df9084bc560e279200fd11a61c6770de615f95

Download Submit
\Users\Admin\AppData\Roaming\Ileg\xuqu.exe

Filesize
923KB

MD5
1f3829a2a428b74b3665263ed3df4203

SHA1
4675d3582260194e862733f810558dfc8d5e5349

SHA256
6f003fbb853cd5eca77f8357b95d954923a710ae9310e78e3a4e2603dd77ab6b

SHA512
c28d4a1af2773e12cdb11e338bbed61b2cf4f0c63f70ab060811ad2a4dc0ec95028d2255e678601ef7c4e161dfdceecf8a2a9536a16e228d899d3ceca5f3cef4

Download Submit
memory/832-115-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/832-113-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/832-114-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/832-116-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/1112-85-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1112-86-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1112-87-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1112-88-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/1172-94-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1172-93-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1172-91-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1172-92-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/1212-99-0x0000000002A00000-0x0000000002A27000-memory.dmp

Filesize
156KB

Download
memory/1212-97-0x0000000002A00000-0x0000000002A27000-memory.dmp

Filesize
156KB

Download
memory/1212-98-0x0000000002A00000-0x0000000002A27000-memory.dmp

Filesize
156KB

Download
memory/1212-100-0x0000000002A00000-0x0000000002A27000-memory.dmp

Filesize
156KB

Download
memory/1320-123-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/1320-126-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/1320-125-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/1320-124-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/1748-110-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-106-0x00000000001E0000-0x0000000000207000-memory.dmp

Filesize
156KB

Download
memory/1748-65-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-109-0x00000000001E0000-0x0000000000207000-memory.dmp

Filesize
156KB

Download
memory/1748-105-0x00000000001E0000-0x0000000000207000-memory.dmp

Filesize
156KB

Download
memory/1748-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-103-0x00000000001E0000-0x0000000000207000-memory.dmp

Filesize
156KB

Download
memory/1748-58-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-55-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1748-104-0x00000000001E0000-0x0000000000207000-memory.dmp

Filesize
156KB

Download
memory/1808-130-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1808-129-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1808-131-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1808-132-0x0000000003A50000-0x0000000003A77000-memory.dmp

Filesize
156KB

Download
memory/1828-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1932-120-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1932-108-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download