5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e

General

Target

5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe
Size

197KB
MD5

130521f198d904fa539df1116618577e
SHA1

d802aeaa10742fb6878a847699aeb236827275db
SHA256

5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e
SHA512

a5980afb3ee4500b9fada845e8dc47311c5d10128fb795236b43c8b31724680fc264d33abb055d6f6aebd0074b29abf5f044c514726f8e25563dc12a27bff1af
SSDEEP

3072:5R9ANQza33Z4UX4NWEd5GYS3kIyZFQsvgUYi62vSJpQ8HP+aJe1mgawzxsBub864:5R9AiXCIFNPkHmTV5nxTV5n+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
860	system

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Khvqmxu\Parameters\ServiceDll = "C:\\PROGRA~1\\Qdorm\\Hopop.dll"	rundll32.exe

Loads dropped DLL 3 IoCs

pid	Process
4640	rundll32.exe
4144	svchost.exe
860	system

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bak8011252.log	5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Qdorm\Hopop.dll	5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	system
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	system
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	system
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	system
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	system

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4640	rundll32.exe
4640	rundll32.exe
860	system
860	system
860	system
860	system

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4144	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 4640	2064	5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe	81
PID 2064 wrote to memory of 4640	2064	5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe	81
PID 2064 wrote to memory of 4640	2064	5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe	81
PID 4144 wrote to memory of 860	4144	svchost.exe	83
PID 4144 wrote to memory of 860	4144	svchost.exe	83
PID 4144 wrote to memory of 860	4144	svchost.exe	83

C:\Users\Admin\AppData\Local\Temp\5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe
"C:\Users\Admin\AppData\Local\Temp\5ba4d079885944e7ab16303798d8ab3c9aa12a922ecb739b3715f8aa0d15421e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2064
- C:\windows\SysWOW64\rundll32.exe
  C:\windows\system32\rundll32.exe C:\PROGRA~1\Qdorm\Hopop.dll comdl3
  2⤵
  - Sets DLL path for service in the registry
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4640

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k krnlsrvc
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144
- C:\system
  C:\system c:\progra~1\qdorm\hopop.dll comdl2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\Qdorm\Hopop.dll

Filesize
30.2MB

MD5
34c3c8a94cfed51cae430451ef2f64c3

SHA1
b17a004f3ce9a3f2add4fafb38e0d9c96e903614

SHA256
1485200d77da139ded1094ff91bf0e7e294a1a41a08694445559f4b203402d07

SHA512
737e4613a6698ba4158a4b435763af017d08b8e71b35258a16715e5ab3edd83f6c1dad7545c64306a80c2f3fcbb8cb33e208b4ec6b6c0a891eb8893325327161

Download Submit
C:\Program Files\Qdorm\Hopop.dll

Filesize
30.2MB

MD5
34c3c8a94cfed51cae430451ef2f64c3

SHA1
b17a004f3ce9a3f2add4fafb38e0d9c96e903614

SHA256
1485200d77da139ded1094ff91bf0e7e294a1a41a08694445559f4b203402d07

SHA512
737e4613a6698ba4158a4b435763af017d08b8e71b35258a16715e5ab3edd83f6c1dad7545c64306a80c2f3fcbb8cb33e208b4ec6b6c0a891eb8893325327161

Download Submit
C:\Program Files\Qdorm\Hopop.dll

Filesize
30.2MB

MD5
34c3c8a94cfed51cae430451ef2f64c3

SHA1
b17a004f3ce9a3f2add4fafb38e0d9c96e903614

SHA256
1485200d77da139ded1094ff91bf0e7e294a1a41a08694445559f4b203402d07

SHA512
737e4613a6698ba4158a4b435763af017d08b8e71b35258a16715e5ab3edd83f6c1dad7545c64306a80c2f3fcbb8cb33e208b4ec6b6c0a891eb8893325327161

Download Submit
C:\Program Files\Qdorm\Hopop.dll

Filesize
30.2MB

MD5
34c3c8a94cfed51cae430451ef2f64c3

SHA1
b17a004f3ce9a3f2add4fafb38e0d9c96e903614

SHA256
1485200d77da139ded1094ff91bf0e7e294a1a41a08694445559f4b203402d07

SHA512
737e4613a6698ba4158a4b435763af017d08b8e71b35258a16715e5ab3edd83f6c1dad7545c64306a80c2f3fcbb8cb33e208b4ec6b6c0a891eb8893325327161

Download Submit
C:\Windows\SysWOW64\bak8011252.log

Filesize
102B

MD5
088c8d8b9471db96d131ac89898c3714

SHA1
765c76fd882ef53238361acbd8a89949cc1353a3

SHA256
53c06375e1be83581e1fe44beae337a9b773f28fcabf65e861b239decf080365

SHA512
66d15da39c32afaaadf218fe2a665f44cca837b59fb3cfda0e663cbe187f91c814c4152654c2b58638fa94d5812786236f4f2285d48ab435a582953784296ea5

Download Submit
C:\system

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\system

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/2064-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing