d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511

Analysis

max time kernel
172s
max time network
186s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe
Size

301KB
MD5

90375d6f4609762178bfff4cf8c26128
SHA1

e94a3f3e650a6dc2fef3a5d4de5d1988c9ec4f1a
SHA256

d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511
SHA512

611e441172c6f1e1df76c55c4a71f9b1326b950aea4c89c76b164dcba26397f1aa675a3703867fbcbcd905bc7b82079ce64c8b4678e8ba193b680379f3c15451
SSDEEP

6144:XNuRO5JtJH+vvOh1R48zsY3IqgOUYAVUpFAz8TwViigqHnih:XKO7H+v2HTswvUYJAYgHih

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1668	qyixem.exe

Deletes itself 1 IoCs

pid	Process
1960	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe
1720	d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	qyixem.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qyixem = "C:\\Users\\Admin\\AppData\\Roaming\\Yhjab\\qyixem.exe"	qyixem.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 1960	1720	d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe	29

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe
1668	qyixem.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1668	1720	d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe	28
PID 1720 wrote to memory of 1668	1720	d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe	28
PID 1720 wrote to memory of 1668	1720	d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe	28
PID 1720 wrote to memory of 1668	1720	d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe	28
PID 1668 wrote to memory of 1116	1668	qyixem.exe	11
PID 1668 wrote to memory of 1116	1668	qyixem.exe	11
PID 1668 wrote to memory of 1116	1668	qyixem.exe	11
PID 1668 wrote to memory of 1116	1668	qyixem.exe	11
PID 1668 wrote to memory of 1116	1668	qyixem.exe	11
PID 1668 wrote to memory of 1176	1668	qyixem.exe	10
PID 1668 wrote to memory of 1176	1668	qyixem.exe	10
PID 1668 wrote to memory of 1176	1668	qyixem.exe	10
PID 1668 wrote to memory of 1176	1668	qyixem.exe	10
PID 1668 wrote to memory of 1176	1668	qyixem.exe	10
PID 1668 wrote to memory of 1216	1668	qyixem.exe	9
PID 1668 wrote to memory of 1216	1668	qyixem.exe	9
PID 1668 wrote to memory of 1216	1668	qyixem.exe	9
PID 1668 wrote to memory of 1216	1668	qyixem.exe	9
PID 1668 wrote to memory of 1216	1668	qyixem.exe	9
PID 1668 wrote to memory of 1720	1668	qyixem.exe	6
PID 1668 wrote to memory of 1720	1668	qyixem.exe	6
PID 1668 wrote to memory of 1720	1668	qyixem.exe	6
PID 1668 wrote to memory of 1720	1668	qyixem.exe	6
PID 1668 wrote to memory of 1720	1668	qyixem.exe	6
PID 1720 wrote to memory of 1960	1720	d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe	29
PID 1720 wrote to memory of 1960	1720	d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe	29
PID 1720 wrote to memory of 1960	1720	d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe	29
PID 1720 wrote to memory of 1960	1720	d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe	29
PID 1720 wrote to memory of 1960	1720	d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe	29
PID 1720 wrote to memory of 1960	1720	d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe	29
PID 1720 wrote to memory of 1960	1720	d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe	29
PID 1720 wrote to memory of 1960	1720	d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe	29
PID 1720 wrote to memory of 1960	1720	d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe	29

C:\Users\Admin\AppData\Local\Temp\d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe
"C:\Users\Admin\AppData\Local\Temp\d0e5fdfce2e4d593c33a9ede752218ff707b78d6b0008e9d5fd5f04a01dbe511.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Roaming\Yhjab\qyixem.exe
  "C:\Users\Admin\AppData\Roaming\Yhjab\qyixem.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\IQG198A.bat"
  2⤵
  - Deletes itself
  PID:1960

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IQG198A.bat

Filesize
303B

MD5
5b2a07c3d8e140e1e90955199a63cdc2

SHA1
d474e50ba6014113a6d864cc8b5962558ac28726

SHA256
e1a20a77a09fe94d6a131097df7eb1a17bde9313d900f355d001385b62be4d45

SHA512
f41f876b367056948185420287e309de64f8a19449f6b8dc6f2f4ce1740fe81fdad58072362b5efe04f5cb5c6684acabe0f3aee0093c98794662aadbfe537e6e

Download Submit
C:\Users\Admin\AppData\Roaming\Yhjab\qyixem.exe

Filesize
301KB

MD5
303767450c88d978626d827867124d64

SHA1
1685078aad4451b99b1c3d6fba4b24234d65090d

SHA256
63eb0476f5e44e80af9811b117202cb5f297462e5d388c3fcfaa05bc45ed4096

SHA512
0e2f0f8f07979cf5a103e34afd1d050b2f5586fca07d4436f1b7abb4b7cf5d0e187f644d7ff51e7e94c5fb76df86469457587b45cfa71e4144e58357c628301b

Download Submit
C:\Users\Admin\AppData\Roaming\Yhjab\qyixem.exe

Filesize
301KB

MD5
303767450c88d978626d827867124d64

SHA1
1685078aad4451b99b1c3d6fba4b24234d65090d

SHA256
63eb0476f5e44e80af9811b117202cb5f297462e5d388c3fcfaa05bc45ed4096

SHA512
0e2f0f8f07979cf5a103e34afd1d050b2f5586fca07d4436f1b7abb4b7cf5d0e187f644d7ff51e7e94c5fb76df86469457587b45cfa71e4144e58357c628301b

Download Submit
\Users\Admin\AppData\Roaming\Yhjab\qyixem.exe

Filesize
301KB

MD5
303767450c88d978626d827867124d64

SHA1
1685078aad4451b99b1c3d6fba4b24234d65090d

SHA256
63eb0476f5e44e80af9811b117202cb5f297462e5d388c3fcfaa05bc45ed4096

SHA512
0e2f0f8f07979cf5a103e34afd1d050b2f5586fca07d4436f1b7abb4b7cf5d0e187f644d7ff51e7e94c5fb76df86469457587b45cfa71e4144e58357c628301b

Download Submit
\Users\Admin\AppData\Roaming\Yhjab\qyixem.exe

Filesize
301KB

MD5
303767450c88d978626d827867124d64

SHA1
1685078aad4451b99b1c3d6fba4b24234d65090d

SHA256
63eb0476f5e44e80af9811b117202cb5f297462e5d388c3fcfaa05bc45ed4096

SHA512
0e2f0f8f07979cf5a103e34afd1d050b2f5586fca07d4436f1b7abb4b7cf5d0e187f644d7ff51e7e94c5fb76df86469457587b45cfa71e4144e58357c628301b

Download Submit
memory/1116-67-0x0000000001CD0000-0x0000000001D19000-memory.dmp

Filesize
292KB

Download
memory/1116-70-0x0000000001CD0000-0x0000000001D19000-memory.dmp

Filesize
292KB

Download
memory/1116-69-0x0000000001CD0000-0x0000000001D19000-memory.dmp

Filesize
292KB

Download
memory/1116-68-0x0000000001CD0000-0x0000000001D19000-memory.dmp

Filesize
292KB

Download
memory/1116-65-0x0000000001CD0000-0x0000000001D19000-memory.dmp

Filesize
292KB

Download
memory/1176-74-0x0000000001C60000-0x0000000001CA9000-memory.dmp

Filesize
292KB

Download
memory/1176-73-0x0000000001C60000-0x0000000001CA9000-memory.dmp

Filesize
292KB

Download
memory/1176-75-0x0000000001C60000-0x0000000001CA9000-memory.dmp

Filesize
292KB

Download
memory/1176-76-0x0000000001C60000-0x0000000001CA9000-memory.dmp

Filesize
292KB

Download
memory/1216-82-0x0000000002240000-0x0000000002289000-memory.dmp

Filesize
292KB

Download
memory/1216-81-0x0000000002240000-0x0000000002289000-memory.dmp

Filesize
292KB

Download
memory/1216-79-0x0000000002240000-0x0000000002289000-memory.dmp

Filesize
292KB

Download
memory/1216-80-0x0000000002240000-0x0000000002289000-memory.dmp

Filesize
292KB

Download
memory/1668-62-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1720-87-0x0000000001F20000-0x0000000001F69000-memory.dmp

Filesize
292KB

Download
memory/1720-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1720-85-0x0000000001F20000-0x0000000001F69000-memory.dmp

Filesize
292KB

Download
memory/1720-86-0x0000000001F20000-0x0000000001F69000-memory.dmp

Filesize
292KB

Download
memory/1720-54-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1720-88-0x0000000001F20000-0x0000000001F69000-memory.dmp

Filesize
292KB

Download
memory/1720-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1720-102-0x0000000001F20000-0x0000000001F71000-memory.dmp

Filesize
324KB

Download
memory/1720-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1720-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1720-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1720-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1720-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1720-56-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1720-104-0x0000000001F20000-0x0000000001F69000-memory.dmp

Filesize
292KB

Download
memory/1960-99-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1960-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1960-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1960-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1960-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1960-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1960-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1960-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1960-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1960-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1960-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1960-114-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download