b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438

General

Target

b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe
Size

301KB
MD5

725db6d333c21672bb2656381a4c8e7e
SHA1

bfc4d112be7ec6e3c08b081af1c78931adf1b81f
SHA256

b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438
SHA512

6f7c8c53f737505bb525a57545ee3e799244b91f3dbd2adc7b92e6247b351504b2a65e031ab84f0e174f6b17b870ab71d051d78a576131aaf11e2e1bc6df06b6
SSDEEP

6144:YVDPnPsHhCHPeZMA7cJtuoR8n1HqpjstiOpnnscJ3+:0PnPjPe2CjBntAonsI

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

aqha.exe

pid process

756 aqha.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1636 cmd.exe

pid	process
1636	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe

pid	process
564	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe
564	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aqha.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run	aqha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aqha = "C:\\Users\\Admin\\AppData\\Roaming\\Koeti\\aqha.exe"	aqha.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe

description pid process target process

PID 564 set thread context of 1636 564 b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe cmd.exe

description	pid	process	target process
PID 564 set thread context of 1636	564	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

aqha.exe

pid	process
756	aqha.exe
756	aqha.exe
756	aqha.exe
756	aqha.exe
756	aqha.exe
756	aqha.exe
756	aqha.exe
756	aqha.exe
756	aqha.exe
756	aqha.exe
756	aqha.exe
756	aqha.exe
756	aqha.exe
756	aqha.exe
756	aqha.exe
756	aqha.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exeaqha.exe

description	pid	process	target process
PID 564 wrote to memory of 756	564	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe	aqha.exe
PID 564 wrote to memory of 756	564	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe	aqha.exe
PID 564 wrote to memory of 756	564	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe	aqha.exe
PID 564 wrote to memory of 756	564	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe	aqha.exe
PID 756 wrote to memory of 1132	756	aqha.exe	taskhost.exe
PID 756 wrote to memory of 1132	756	aqha.exe	taskhost.exe
PID 756 wrote to memory of 1132	756	aqha.exe	taskhost.exe
PID 756 wrote to memory of 1132	756	aqha.exe	taskhost.exe
PID 756 wrote to memory of 1132	756	aqha.exe	taskhost.exe
PID 756 wrote to memory of 1188	756	aqha.exe	Dwm.exe
PID 756 wrote to memory of 1188	756	aqha.exe	Dwm.exe
PID 756 wrote to memory of 1188	756	aqha.exe	Dwm.exe
PID 756 wrote to memory of 1188	756	aqha.exe	Dwm.exe
PID 756 wrote to memory of 1188	756	aqha.exe	Dwm.exe
PID 756 wrote to memory of 1280	756	aqha.exe	Explorer.EXE
PID 756 wrote to memory of 1280	756	aqha.exe	Explorer.EXE
PID 756 wrote to memory of 1280	756	aqha.exe	Explorer.EXE
PID 756 wrote to memory of 1280	756	aqha.exe	Explorer.EXE
PID 756 wrote to memory of 1280	756	aqha.exe	Explorer.EXE
PID 756 wrote to memory of 564	756	aqha.exe	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe
PID 756 wrote to memory of 564	756	aqha.exe	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe
PID 756 wrote to memory of 564	756	aqha.exe	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe
PID 756 wrote to memory of 564	756	aqha.exe	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe
PID 756 wrote to memory of 564	756	aqha.exe	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe
PID 564 wrote to memory of 1636	564	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe	cmd.exe
PID 564 wrote to memory of 1636	564	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe	cmd.exe
PID 564 wrote to memory of 1636	564	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe	cmd.exe
PID 564 wrote to memory of 1636	564	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe	cmd.exe
PID 564 wrote to memory of 1636	564	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe	cmd.exe
PID 564 wrote to memory of 1636	564	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe	cmd.exe
PID 564 wrote to memory of 1636	564	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe	cmd.exe
PID 564 wrote to memory of 1636	564	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe	cmd.exe
PID 564 wrote to memory of 1636	564	b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe	cmd.exe
PID 756 wrote to memory of 1616	756	aqha.exe	conhost.exe
PID 756 wrote to memory of 1616	756	aqha.exe	conhost.exe
PID 756 wrote to memory of 1616	756	aqha.exe	conhost.exe
PID 756 wrote to memory of 1616	756	aqha.exe	conhost.exe
PID 756 wrote to memory of 1616	756	aqha.exe	conhost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe
"C:\Users\Admin\AppData\Local\Temp\b24d06b3fece7bd7adc4664197cb3419487d232b383f3144359a9dbe13b16438.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Roaming\Koeti\aqha.exe
"C:\Users\Admin\AppData\Roaming\Koeti\aqha.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\MRM736.bat"
3⤵
- Deletes itself
PID:1636

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "378509179108173890412684214043644137561448652313-210388188185847193-145058591"
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MRM736.bat
Filesize
302B

MD5
1dbaaf7f50b104aa0303abc3c82c09f9

SHA1
a04efae97a5f7ffecd77ffe94ed3cb732807ac52

SHA256
ec91c9ac40a830e4893789936fde03f51c1c501811c373af6bba8d6ccaf0ce3a

SHA512
d3bd42f429ee1fa64f2dbc1f2d7626e113e718e381c58d7747b10a7a467195bf0f5bfde1f41f825fabd7ddf4e904e028a3f8a4b229f70d57384ec05a2c8a96eb

Download Submit
C:\Users\Admin\AppData\Roaming\Koeti\aqha.exe
Filesize
301KB

MD5
dc561ff90f422ed4bdc592554956af14

SHA1
babdeb4b9ee152d07f8abf1aa8264e039087634d

SHA256
5c8a9f30752a0670891e7891a052d023bb8e88745696f598585c5363586e831d

SHA512
bfa9e9d1c9045ca1d5aa42ec7852a543c11829a1634055295efce7b2f954650c72ad6554226c9451d26469b9f901f0e80050ea75e11e87e2fc6e80830bd115c6

Download Submit
C:\Users\Admin\AppData\Roaming\Koeti\aqha.exe
Filesize
301KB

MD5
dc561ff90f422ed4bdc592554956af14

SHA1
babdeb4b9ee152d07f8abf1aa8264e039087634d

SHA256
5c8a9f30752a0670891e7891a052d023bb8e88745696f598585c5363586e831d

SHA512
bfa9e9d1c9045ca1d5aa42ec7852a543c11829a1634055295efce7b2f954650c72ad6554226c9451d26469b9f901f0e80050ea75e11e87e2fc6e80830bd115c6

Download Submit
\Users\Admin\AppData\Roaming\Koeti\aqha.exe
Filesize
301KB

MD5
dc561ff90f422ed4bdc592554956af14

SHA1
babdeb4b9ee152d07f8abf1aa8264e039087634d

SHA256
5c8a9f30752a0670891e7891a052d023bb8e88745696f598585c5363586e831d

SHA512
bfa9e9d1c9045ca1d5aa42ec7852a543c11829a1634055295efce7b2f954650c72ad6554226c9451d26469b9f901f0e80050ea75e11e87e2fc6e80830bd115c6

Download Submit
\Users\Admin\AppData\Roaming\Koeti\aqha.exe
Filesize
301KB

MD5
dc561ff90f422ed4bdc592554956af14

SHA1
babdeb4b9ee152d07f8abf1aa8264e039087634d

SHA256
5c8a9f30752a0670891e7891a052d023bb8e88745696f598585c5363586e831d

SHA512
bfa9e9d1c9045ca1d5aa42ec7852a543c11829a1634055295efce7b2f954650c72ad6554226c9451d26469b9f901f0e80050ea75e11e87e2fc6e80830bd115c6

Download Submit
memory/564-95-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/564-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/564-56-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/564-88-0x0000000001D00000-0x0000000001D49000-memory.dmp

Filesize
292KB

Download
memory/564-57-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/564-55-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/564-97-0x0000000001D00000-0x0000000001D49000-memory.dmp

Filesize
292KB

Download
memory/564-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/564-54-0x0000000076D71000-0x0000000076D73000-memory.dmp

Filesize
8KB

Download
memory/564-89-0x0000000001D00000-0x0000000001D49000-memory.dmp

Filesize
292KB

Download
memory/564-87-0x0000000001D00000-0x0000000001D49000-memory.dmp

Filesize
292KB

Download
memory/564-96-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/564-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/564-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/564-90-0x0000000001D00000-0x0000000001D49000-memory.dmp

Filesize
292KB

Download
memory/756-60-0x0000000000000000-mapping.dmp

Download
memory/756-63-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1132-71-0x0000000001D30000-0x0000000001D79000-memory.dmp

Filesize
292KB

Download
memory/1132-72-0x0000000001D30000-0x0000000001D79000-memory.dmp

Filesize
292KB

Download
memory/1132-67-0x0000000001D30000-0x0000000001D79000-memory.dmp

Filesize
292KB

Download
memory/1132-69-0x0000000001D30000-0x0000000001D79000-memory.dmp

Filesize
292KB

Download
memory/1132-70-0x0000000001D30000-0x0000000001D79000-memory.dmp

Filesize
292KB

Download
memory/1188-77-0x0000000001E90000-0x0000000001ED9000-memory.dmp

Filesize
292KB

Download
memory/1188-78-0x0000000001E90000-0x0000000001ED9000-memory.dmp

Filesize
292KB

Download
memory/1188-76-0x0000000001E90000-0x0000000001ED9000-memory.dmp

Filesize
292KB

Download
memory/1188-75-0x0000000001E90000-0x0000000001ED9000-memory.dmp

Filesize
292KB

Download
memory/1280-81-0x0000000002710000-0x0000000002759000-memory.dmp

Filesize
292KB

Download
memory/1280-82-0x0000000002710000-0x0000000002759000-memory.dmp

Filesize
292KB

Download
memory/1280-83-0x0000000002710000-0x0000000002759000-memory.dmp

Filesize
292KB

Download
memory/1280-84-0x0000000002710000-0x0000000002759000-memory.dmp

Filesize
292KB

Download
memory/1616-108-0x00000000001C0000-0x0000000000209000-memory.dmp

Filesize
292KB

Download
memory/1616-111-0x00000000001C0000-0x0000000000209000-memory.dmp

Filesize
292KB

Download
memory/1616-110-0x00000000001C0000-0x0000000000209000-memory.dmp

Filesize
292KB

Download
memory/1616-109-0x00000000001C0000-0x0000000000209000-memory.dmp

Filesize
292KB

Download
memory/1636-104-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1636-105-0x0000000000083B6A-mapping.dmp

Download
memory/1636-102-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1636-103-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1636-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-114-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-115-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-116-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-117-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-118-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-119-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1636-120-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1636-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads