2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe

General

Target

2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
Size

270KB
MD5

b956bce75c05e483f6b6e5a87a78da60
SHA1

cfa722912249d42d8f713918ea85f02c1f9e22d1
SHA256

2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe
SHA512

6f73a55cce3f91726342b05d5170a29dfa5407c7f8360339ae65a7bcad4226e65a41030650b659f59b843d01a902a163379d1650bd9b98abda107254c11439fb
SSDEEP

3072:F90nbyJIZIascP+NjVyBjA+ACL/eUNZItRoHHjAD0M1BQBKOnFpJCGGGGG9M2hd:keCfs4+VCA+FL2UNZlH6loK7GGGGGG2D

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

aqvu.exeaqvu.exe

pid process

1184 aqvu.exe
1384 aqvu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

748 cmd.exe

pid	process
1184	aqvu.exe
1384	aqvu.exe

pid	process
748	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe

pid	process
828	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
828	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\Currentversion\Run	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exeaqvu.exe

description	pid	process	target process
PID 1552 set thread context of 828	1552	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 1184 set thread context of 1384	1184	aqvu.exe	aqvu.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\3FB84378-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aqvu.exe

pid process

1384 aqvu.exe
1384 aqvu.exe

pid	process
1384	aqvu.exe
1384	aqvu.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	828	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
Token: SeManageVolumePrivilege	816	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

816 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

816 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

816 WinMail.exe

pid	process
816	WinMail.exe

pid	process
816	WinMail.exe

pid	process
816	WinMail.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exeaqvu.exeaqvu.exeexplorer.exe

description	pid	process	target process
PID 1552 wrote to memory of 828	1552	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 1552 wrote to memory of 828	1552	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 1552 wrote to memory of 828	1552	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 1552 wrote to memory of 828	1552	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 1552 wrote to memory of 828	1552	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 1552 wrote to memory of 828	1552	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 1552 wrote to memory of 828	1552	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 1552 wrote to memory of 828	1552	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 1552 wrote to memory of 828	1552	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 1552 wrote to memory of 828	1552	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
PID 828 wrote to memory of 1184	828	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	aqvu.exe
PID 828 wrote to memory of 1184	828	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	aqvu.exe
PID 828 wrote to memory of 1184	828	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	aqvu.exe
PID 828 wrote to memory of 1184	828	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	aqvu.exe
PID 1184 wrote to memory of 1384	1184	aqvu.exe	aqvu.exe
PID 1184 wrote to memory of 1384	1184	aqvu.exe	aqvu.exe
PID 1184 wrote to memory of 1384	1184	aqvu.exe	aqvu.exe
PID 1184 wrote to memory of 1384	1184	aqvu.exe	aqvu.exe
PID 1184 wrote to memory of 1384	1184	aqvu.exe	aqvu.exe
PID 1184 wrote to memory of 1384	1184	aqvu.exe	aqvu.exe
PID 1184 wrote to memory of 1384	1184	aqvu.exe	aqvu.exe
PID 1184 wrote to memory of 1384	1184	aqvu.exe	aqvu.exe
PID 1184 wrote to memory of 1384	1184	aqvu.exe	aqvu.exe
PID 1184 wrote to memory of 1384	1184	aqvu.exe	aqvu.exe
PID 828 wrote to memory of 748	828	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	cmd.exe
PID 828 wrote to memory of 748	828	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	cmd.exe
PID 828 wrote to memory of 748	828	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	cmd.exe
PID 828 wrote to memory of 748	828	2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe	cmd.exe
PID 1384 wrote to memory of 280	1384	aqvu.exe	explorer.exe
PID 1384 wrote to memory of 280	1384	aqvu.exe	explorer.exe
PID 1384 wrote to memory of 280	1384	aqvu.exe	explorer.exe
PID 1384 wrote to memory of 280	1384	aqvu.exe	explorer.exe
PID 1384 wrote to memory of 280	1384	aqvu.exe	explorer.exe
PID 1384 wrote to memory of 280	1384	aqvu.exe	explorer.exe
PID 1384 wrote to memory of 280	1384	aqvu.exe	explorer.exe
PID 1384 wrote to memory of 280	1384	aqvu.exe	explorer.exe
PID 1384 wrote to memory of 280	1384	aqvu.exe	explorer.exe
PID 1384 wrote to memory of 280	1384	aqvu.exe	explorer.exe
PID 1384 wrote to memory of 280	1384	aqvu.exe	explorer.exe
PID 280 wrote to memory of 1284	280	explorer.exe	Explorer.EXE
PID 280 wrote to memory of 1284	280	explorer.exe	Explorer.EXE
PID 280 wrote to memory of 1284	280	explorer.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
"C:\Users\Admin\AppData\Local\Temp\2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe
"C:\Users\Admin\AppData\Local\Temp\2f9ca514375d3d060d375c500a948bf4d80e2d83b08c82cc4a33f532b77b67fe.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Roaming\Zyosda\aqvu.exe
"C:\Users\Admin\AppData\Roaming\Zyosda\aqvu.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Roaming\Zyosda\aqvu.exe
"C:\Users\Admin\AppData\Roaming\Zyosda\aqvu.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
6⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp12358190.bat"
4⤵
- Deletes itself
PID:748

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp12358190.bat

Filesize
307B

MD5
6f36b6e74ad1e928f0dbdf0ba89d862e

SHA1
53cba88552da3c36776dd71453563727a94f1813

SHA256
928b744edb10473ebecff369b9ffa53305c9fdd0dff8ca294872b27b51e6f3e3

SHA512
24204348bef2d6ccc1acc100362e56814e568f90011a5963fd78122effe0ba5205f2478de85a4c37cd8c6f3d9b7ff8b14ad888e76845df25e1d1ec635da33cf4

Download Submit
C:\Users\Admin\AppData\Roaming\Zyosda\aqvu.exe

Filesize
270KB

MD5
3e44dfea42fb938c435dbf060b1ce96a

SHA1
8e5b5749ea26f48bd058db519173a205298f642e

SHA256
50e5bcb0ddd09081fb6f31408790e6f24368b90ebd95c72bacf87885d4916ac9

SHA512
34e82ec069ce3564d5ec6a0af902ca1286b5da66468c46ce92731b5e8e1d10f61d81fddc4c002e5c2c540bda496868477a6aeec3b0286c9aeab503f2adff1e73

Download Submit
C:\Users\Admin\AppData\Roaming\Zyosda\aqvu.exe

Filesize
270KB

MD5
3e44dfea42fb938c435dbf060b1ce96a

SHA1
8e5b5749ea26f48bd058db519173a205298f642e

SHA256
50e5bcb0ddd09081fb6f31408790e6f24368b90ebd95c72bacf87885d4916ac9

SHA512
34e82ec069ce3564d5ec6a0af902ca1286b5da66468c46ce92731b5e8e1d10f61d81fddc4c002e5c2c540bda496868477a6aeec3b0286c9aeab503f2adff1e73

Download Submit
C:\Users\Admin\AppData\Roaming\Zyosda\aqvu.exe

Filesize
270KB

MD5
3e44dfea42fb938c435dbf060b1ce96a

SHA1
8e5b5749ea26f48bd058db519173a205298f642e

SHA256
50e5bcb0ddd09081fb6f31408790e6f24368b90ebd95c72bacf87885d4916ac9

SHA512
34e82ec069ce3564d5ec6a0af902ca1286b5da66468c46ce92731b5e8e1d10f61d81fddc4c002e5c2c540bda496868477a6aeec3b0286c9aeab503f2adff1e73

Download Submit
\Users\Admin\AppData\Roaming\Zyosda\aqvu.exe

Filesize
270KB

MD5
3e44dfea42fb938c435dbf060b1ce96a

SHA1
8e5b5749ea26f48bd058db519173a205298f642e

SHA256
50e5bcb0ddd09081fb6f31408790e6f24368b90ebd95c72bacf87885d4916ac9

SHA512
34e82ec069ce3564d5ec6a0af902ca1286b5da66468c46ce92731b5e8e1d10f61d81fddc4c002e5c2c540bda496868477a6aeec3b0286c9aeab503f2adff1e73

Download Submit
\Users\Admin\AppData\Roaming\Zyosda\aqvu.exe

Filesize
270KB

MD5
3e44dfea42fb938c435dbf060b1ce96a

SHA1
8e5b5749ea26f48bd058db519173a205298f642e

SHA256
50e5bcb0ddd09081fb6f31408790e6f24368b90ebd95c72bacf87885d4916ac9

SHA512
34e82ec069ce3564d5ec6a0af902ca1286b5da66468c46ce92731b5e8e1d10f61d81fddc4c002e5c2c540bda496868477a6aeec3b0286c9aeab503f2adff1e73

Download Submit
memory/280-102-0x0000000000350000-0x000000000037C000-memory.dmp

Filesize
176KB

Download
memory/280-100-0x0000000000350000-0x000000000037C000-memory.dmp

Filesize
176KB

Download
memory/280-107-0x0000000000350000-0x000000000037C000-memory.dmp

Filesize
176KB

Download
memory/280-103-0x0000000000000000-mapping.dmp

Download
memory/280-97-0x0000000000350000-0x000000000037C000-memory.dmp

Filesize
176KB

Download
memory/280-101-0x0000000000350000-0x000000000037C000-memory.dmp

Filesize
176KB

Download
memory/280-98-0x0000000000350000-0x000000000037C000-memory.dmp

Filesize
176KB

Download
memory/280-106-0x0000000074621000-0x0000000074623000-memory.dmp

Filesize
8KB

Download
memory/280-99-0x0000000000350000-0x000000000037C000-memory.dmp

Filesize
176KB

Download
memory/280-124-0x0000000000350000-0x000000000037C000-memory.dmp

Filesize
176KB

Download
memory/748-93-0x0000000000000000-mapping.dmp

Download
memory/816-116-0x0000000002000000-0x0000000002010000-memory.dmp

Filesize
64KB

Download
memory/816-110-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/816-109-0x000007FEF57F1000-0x000007FEF57F3000-memory.dmp

Filesize
8KB

Download
memory/816-108-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/828-70-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/828-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/828-91-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/828-55-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/828-56-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/828-58-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/828-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/828-96-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/828-67-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/828-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/828-63-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/828-64-0x000000000041F9EB-mapping.dmp

Download
memory/828-61-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1184-73-0x0000000000000000-mapping.dmp

Download
memory/1384-86-0x000000000041F9EB-mapping.dmp

Download
memory/1384-122-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1384-123-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1384-92-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1552-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads