1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1

General

Target

1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe
Size

341KB
MD5

fe7d0c5786b24efc2b7e6520a24ccf4c
SHA1

be0f2a8a108426c514d3c4d5819b87b921b41e52
SHA256

1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1
SHA512

bfc1e350ea9365f94183db17dca728a3ce89421beaef1381bb09c2e823e3765bc5563c77459767c300a79e5cacba404bfdd32b77046c99ed912d37c0dfcdee9c
SSDEEP

6144:h2TX+xO9QNaDyPk9gcTher8o/xPh+PWmp2k98mrjI3s:hqXsO98a+cter8kPMxp2Jc

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

qoheyr.exe

pid process

3552 qoheyr.exe

pid	process
3552	qoheyr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

qoheyr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	qoheyr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoheyr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Uvxug\\qoheyr.exe"	qoheyr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe

description pid process target process

PID 3952 set thread context of 364 3952 1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe cmd.exe

description	pid	process	target process
PID 3952 set thread context of 364	3952	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exeqoheyr.exe

pid	process
3952	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe
3952	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe
3552	qoheyr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exeqoheyr.exe

description	pid	process	target process
PID 3952 wrote to memory of 3552	3952	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe	qoheyr.exe
PID 3952 wrote to memory of 3552	3952	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe	qoheyr.exe
PID 3952 wrote to memory of 3552	3952	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe	qoheyr.exe
PID 3552 wrote to memory of 2708	3552	qoheyr.exe	sihost.exe
PID 3552 wrote to memory of 2708	3552	qoheyr.exe	sihost.exe
PID 3552 wrote to memory of 2708	3552	qoheyr.exe	sihost.exe
PID 3552 wrote to memory of 2708	3552	qoheyr.exe	sihost.exe
PID 3552 wrote to memory of 2708	3552	qoheyr.exe	sihost.exe
PID 3552 wrote to memory of 2772	3552	qoheyr.exe	svchost.exe
PID 3552 wrote to memory of 2772	3552	qoheyr.exe	svchost.exe
PID 3552 wrote to memory of 2772	3552	qoheyr.exe	svchost.exe
PID 3552 wrote to memory of 2772	3552	qoheyr.exe	svchost.exe
PID 3552 wrote to memory of 2772	3552	qoheyr.exe	svchost.exe
PID 3552 wrote to memory of 2900	3552	qoheyr.exe	taskhostw.exe
PID 3552 wrote to memory of 2900	3552	qoheyr.exe	taskhostw.exe
PID 3552 wrote to memory of 2900	3552	qoheyr.exe	taskhostw.exe
PID 3552 wrote to memory of 2900	3552	qoheyr.exe	taskhostw.exe
PID 3552 wrote to memory of 2900	3552	qoheyr.exe	taskhostw.exe
PID 3552 wrote to memory of 512	3552	qoheyr.exe	Explorer.EXE
PID 3552 wrote to memory of 512	3552	qoheyr.exe	Explorer.EXE
PID 3552 wrote to memory of 512	3552	qoheyr.exe	Explorer.EXE
PID 3552 wrote to memory of 512	3552	qoheyr.exe	Explorer.EXE
PID 3552 wrote to memory of 512	3552	qoheyr.exe	Explorer.EXE
PID 3552 wrote to memory of 3076	3552	qoheyr.exe	svchost.exe
PID 3552 wrote to memory of 3076	3552	qoheyr.exe	svchost.exe
PID 3552 wrote to memory of 3076	3552	qoheyr.exe	svchost.exe
PID 3552 wrote to memory of 3076	3552	qoheyr.exe	svchost.exe
PID 3552 wrote to memory of 3076	3552	qoheyr.exe	svchost.exe
PID 3552 wrote to memory of 3288	3552	qoheyr.exe	DllHost.exe
PID 3552 wrote to memory of 3288	3552	qoheyr.exe	DllHost.exe
PID 3552 wrote to memory of 3288	3552	qoheyr.exe	DllHost.exe
PID 3552 wrote to memory of 3288	3552	qoheyr.exe	DllHost.exe
PID 3552 wrote to memory of 3288	3552	qoheyr.exe	DllHost.exe
PID 3552 wrote to memory of 3380	3552	qoheyr.exe	StartMenuExperienceHost.exe
PID 3552 wrote to memory of 3380	3552	qoheyr.exe	StartMenuExperienceHost.exe
PID 3552 wrote to memory of 3380	3552	qoheyr.exe	StartMenuExperienceHost.exe
PID 3552 wrote to memory of 3380	3552	qoheyr.exe	StartMenuExperienceHost.exe
PID 3552 wrote to memory of 3380	3552	qoheyr.exe	StartMenuExperienceHost.exe
PID 3552 wrote to memory of 3456	3552	qoheyr.exe	RuntimeBroker.exe
PID 3552 wrote to memory of 3456	3552	qoheyr.exe	RuntimeBroker.exe
PID 3552 wrote to memory of 3456	3552	qoheyr.exe	RuntimeBroker.exe
PID 3552 wrote to memory of 3456	3552	qoheyr.exe	RuntimeBroker.exe
PID 3552 wrote to memory of 3456	3552	qoheyr.exe	RuntimeBroker.exe
PID 3552 wrote to memory of 3540	3552	qoheyr.exe	SearchApp.exe
PID 3552 wrote to memory of 3540	3552	qoheyr.exe	SearchApp.exe
PID 3552 wrote to memory of 3540	3552	qoheyr.exe	SearchApp.exe
PID 3552 wrote to memory of 3540	3552	qoheyr.exe	SearchApp.exe
PID 3552 wrote to memory of 3540	3552	qoheyr.exe	SearchApp.exe
PID 3552 wrote to memory of 3720	3552	qoheyr.exe	RuntimeBroker.exe
PID 3552 wrote to memory of 3720	3552	qoheyr.exe	RuntimeBroker.exe
PID 3552 wrote to memory of 3720	3552	qoheyr.exe	RuntimeBroker.exe
PID 3552 wrote to memory of 3720	3552	qoheyr.exe	RuntimeBroker.exe
PID 3552 wrote to memory of 3720	3552	qoheyr.exe	RuntimeBroker.exe
PID 3552 wrote to memory of 3952	3552	qoheyr.exe	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe
PID 3552 wrote to memory of 3952	3552	qoheyr.exe	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe
PID 3552 wrote to memory of 3952	3552	qoheyr.exe	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe
PID 3552 wrote to memory of 3952	3552	qoheyr.exe	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe
PID 3552 wrote to memory of 3952	3552	qoheyr.exe	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe
PID 3952 wrote to memory of 364	3952	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe	cmd.exe
PID 3952 wrote to memory of 364	3952	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe	cmd.exe
PID 3952 wrote to memory of 364	3952	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe	cmd.exe
PID 3952 wrote to memory of 364	3952	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe	cmd.exe
PID 3952 wrote to memory of 364	3952	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe	cmd.exe
PID 3952 wrote to memory of 364	3952	1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe	cmd.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2772

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe
"C:\Users\Admin\AppData\Local\Temp\1df466615b70a7197e894b3ec333ce134593cb6932c74dcdf6491e3c5f7224a1.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\AppData\Local\Temp\Uvxug\qoheyr.exe
"C:\Users\Admin\AppData\Local\Temp\Uvxug\qoheyr.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SZR5B93.bat"
3⤵
PID:364

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:748

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3456

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3380

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3720

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3076

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SZR5B93.bat

Filesize
284B

MD5
eb5346ff53b1466fb4f40b20c7f790d1

SHA1
b0619f57c5638fc3b48b0e088889d4cc456387b5

SHA256
6a64e5a2fc839f671a87314e024f87e1901d6e28dbc0b676055110b9bb91e81d

SHA512
b3133488adf1899ba9daeb34bfa2e7124808ff0df5a6cf5dbd5f9c2c336b4db9dba1685f461947202e8bb8a9cab7c61604bcccc110b6483d43fb4ab18a33ab37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uvxug\qoheyr.exe

Filesize
341KB

MD5
c8811afaede8d155aeb21b55a1820d3c

SHA1
6a5046d88739b3f9c2485340ded3de126c84d0c8

SHA256
49e6b61dac10e489f5cb5f3d622cf1f53efb3013023119e7030b3ec421aaacff

SHA512
b5f07b0985a376a84ed7beab8650edc16d3507aaa953972d596b9b832a91051d1c9fddb6776af21e0683345886fbd3d67c6fc64eb2e63d40cd9daa7f98e8cacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uvxug\qoheyr.exe

Filesize
341KB

MD5
c8811afaede8d155aeb21b55a1820d3c

SHA1
6a5046d88739b3f9c2485340ded3de126c84d0c8

SHA256
49e6b61dac10e489f5cb5f3d622cf1f53efb3013023119e7030b3ec421aaacff

SHA512
b5f07b0985a376a84ed7beab8650edc16d3507aaa953972d596b9b832a91051d1c9fddb6776af21e0683345886fbd3d67c6fc64eb2e63d40cd9daa7f98e8cacb

Download Submit
memory/364-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-155-0x0000000000FB0000-0x0000000000FF2000-memory.dmp

Filesize
264KB

Download
memory/364-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/364-146-0x0000000000000000-mapping.dmp

Download
memory/364-147-0x0000000000FB0000-0x0000000000FF2000-memory.dmp

Filesize
264KB

Download
memory/3552-134-0x0000000000000000-mapping.dmp

Download
memory/3952-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3952-145-0x00000000006C0000-0x0000000000702000-memory.dmp

Filesize
264KB

Download
memory/3952-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3952-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3952-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3952-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3952-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3952-132-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/3952-133-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads