8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7

Analysis

max time kernel
154s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe
Size

355KB
MD5

11f552e658b00d4a05a2881c1ae83b81
SHA1

e191e0c6839d6655ea3da377a70638f4e69d7490
SHA256

8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7
SHA512

ccb6283fcc4db118478911b82cf48cfe75e13f46c265953992510ac0b04ddebc5b4cb094e9aed08a8d03a02c40c95de97cdbec296b8917ee60058fa0baaa8c4b
SSDEEP

6144:5kH1CNBlRqTDxpUMgZZjUytUTNotV//0C2F/RZ5sG82zp2LhfbMXifzPIPDAZ:NvlRqTDxpUMgnjIytF//2F/RZ5820Ltr

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3208	owepf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{176762F4-556D-BCA0-3AE4-8903F7119301} = "C:\\Users\\Admin\\AppData\\Roaming\\Qifi\\owepf.exe"	owepf.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	owepf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 4168	2072	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	82

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe
3208	owepf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 3208	2072	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	81
PID 2072 wrote to memory of 3208	2072	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	81
PID 2072 wrote to memory of 3208	2072	8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe	81
PID 3208 wrote to memory of 2528	3208	owepf.exe	49
PID 3208 wrote to memory of 2528	3208	owepf.exe	49
PID 3208 wrote to memory of 2528	3208	owepf.exe	49
PID 3208 wrote to memory of 2528	3208	owepf.exe	49
PID 3208 wrote to memory of 2528	3208	owepf.exe	49
PID 3208 wrote to memory of 2560	3208	owepf.exe	48
PID 3208 wrote to memory of 2560	3208	owepf.exe	48
PID 3208 wrote to memory of 2560	3208	owepf.exe	48
PID 3208 wrote to memory of 2560	3208	owepf.exe	48
PID 3208 wrote to memory of 2560	3208	owepf.exe	48
PID 3208 wrote to memory of 2812	3208	owepf.exe	43
PID 3208 wrote to memory of 2812	3208	owepf.exe	43
PID 3208 wrote to memory of 2812	3208	owepf.exe	43
PID 3208 wrote to memory of 2812	3208	owepf.exe	43
PID 3208 wrote to memory of 2812	3208	owepf.exe	43
PID 3208 wrote to memory of 2804	3208	owepf.exe	42
PID 3208 wrote to memory of 2804	3208	owepf.exe	42
PID 3208 wrote to memory of 2804	3208	owepf.exe	42
PID 3208 wrote to memory of 2804	3208	owepf.exe	42
PID 3208 wrote to memory of 2804	3208	owepf.exe	42
PID 3208 wrote to memory of 3092	3208	owepf.exe	17
PID 3208 wrote to memory of 3092	3208	owepf.exe	17
PID 3208 wrote to memory of 3092	3208	owepf.exe	17
PID 3208 wrote to memory of 3092	3208	owepf.exe	17
PID 3208 wrote to memory of 3092	3208	owepf.exe	17
PID 3208 wrote to memory of 3304	3208	owepf.exe	41
PID 3208 wrote to memory of 3304	3208	owepf.exe	41
PID 3208 wrote to memory of 3304	3208	owepf.exe	41
PID 3208 wrote to memory of 3304	3208	owepf.exe	41
PID 3208 wrote to memory of 3304	3208	owepf.exe	41
PID 3208 wrote to memory of 3392	3208	owepf.exe	40
PID 3208 wrote to memory of 3392	3208	owepf.exe	40
PID 3208 wrote to memory of 3392	3208	owepf.exe	40
PID 3208 wrote to memory of 3392	3208	owepf.exe	40
PID 3208 wrote to memory of 3392	3208	owepf.exe	40
PID 3208 wrote to memory of 3464	3208	owepf.exe	39
PID 3208 wrote to memory of 3464	3208	owepf.exe	39
PID 3208 wrote to memory of 3464	3208	owepf.exe	39
PID 3208 wrote to memory of 3464	3208	owepf.exe	39
PID 3208 wrote to memory of 3464	3208	owepf.exe	39
PID 3208 wrote to memory of 3556	3208	owepf.exe	18
PID 3208 wrote to memory of 3556	3208	owepf.exe	18
PID 3208 wrote to memory of 3556	3208	owepf.exe	18
PID 3208 wrote to memory of 3556	3208	owepf.exe	18
PID 3208 wrote to memory of 3556	3208	owepf.exe	18
PID 3208 wrote to memory of 3808	3208	owepf.exe	19
PID 3208 wrote to memory of 3808	3208	owepf.exe	19
PID 3208 wrote to memory of 3808	3208	owepf.exe	19
PID 3208 wrote to memory of 3808	3208	owepf.exe	19
PID 3208 wrote to memory of 3808	3208	owepf.exe	19
PID 3208 wrote to memory of 4684	3208	owepf.exe	21
PID 3208 wrote to memory of 4684	3208	owepf.exe	21
PID 3208 wrote to memory of 4684	3208	owepf.exe	21
PID 3208 wrote to memory of 4684	3208	owepf.exe	21
PID 3208 wrote to memory of 4684	3208	owepf.exe	21
PID 3208 wrote to memory of 4480	3208	owepf.exe	36
PID 3208 wrote to memory of 4480	3208	owepf.exe	36
PID 3208 wrote to memory of 4480	3208	owepf.exe	36
PID 3208 wrote to memory of 4480	3208	owepf.exe	36
PID 3208 wrote to memory of 4480	3208	owepf.exe	36
PID 3208 wrote to memory of 2072	3208	owepf.exe	80

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3092

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3556

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4684

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4480

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3464

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3392

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3304

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2804
- C:\Users\Admin\AppData\Local\Temp\8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe
  "C:\Users\Admin\AppData\Local\Temp\8d31cac0e934cefc7992a33b3e978ea47e45d1c20544476f67a61dde9dc258c7.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Roaming\Qifi\owepf.exe
    "C:\Users\Admin\AppData\Roaming\Qifi\owepf.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3208
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp3a71ff5e.bat"
    3⤵
    PID:4168

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2560

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3a71ff5e.bat

Filesize
307B

MD5
0478d75424fba27c921389f890b336cf

SHA1
55f944e94150644113f76bc0662fb041d48f48d5

SHA256
8a22e115db61883abd792c31b28916c9a98ee5efd2f47a842d13a03614a21258

SHA512
db3660fd04fd95ae743cde859af868b75537983f8cb556a103ebcee11195f74e2019208b1b1c21dd3f067a22609cae929964e1873103213683dd519b752cffea

Download Submit
C:\Users\Admin\AppData\Roaming\Qifi\owepf.exe

Filesize
355KB

MD5
76ec0503fa42069863120b74b2d4a41c

SHA1
8defba1b4f2515beb9bd372143e2b4f91fa422ad

SHA256
96799c3dda1eb3514e6698f52f9d407481558889b21e90f522f756394a90613d

SHA512
22a0927f0254b578ac00b9dfdee03c86083264f9f3eaab6da46ad05103966b74a8b5bf11f7ee95f3bbe7216bef12d50d449572488a772b25ffefb65cba3cdeb8

Download Submit
C:\Users\Admin\AppData\Roaming\Qifi\owepf.exe

Filesize
355KB

MD5
76ec0503fa42069863120b74b2d4a41c

SHA1
8defba1b4f2515beb9bd372143e2b4f91fa422ad

SHA256
96799c3dda1eb3514e6698f52f9d407481558889b21e90f522f756394a90613d

SHA512
22a0927f0254b578ac00b9dfdee03c86083264f9f3eaab6da46ad05103966b74a8b5bf11f7ee95f3bbe7216bef12d50d449572488a772b25ffefb65cba3cdeb8

Download Submit
memory/2072-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2072-145-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2072-137-0x00000000021B0000-0x00000000021F7000-memory.dmp

Filesize
284KB

Download
memory/2072-138-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2072-149-0x00000000022D0000-0x0000000002317000-memory.dmp

Filesize
284KB

Download
memory/2072-133-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2072-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2072-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2072-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2072-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2072-148-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2072-132-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3208-160-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3208-139-0x0000000002080000-0x00000000020C7000-memory.dmp

Filesize
284KB

Download
memory/3208-159-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4168-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4168-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4168-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4168-155-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4168-156-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4168-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4168-158-0x0000000000A00000-0x0000000000A47000-memory.dmp

Filesize
284KB

Download
memory/4168-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4168-147-0x0000000000A00000-0x0000000000A47000-memory.dmp

Filesize
284KB

Download