41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1

General

Target

41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe
Size

301KB
MD5

cca597e426209a0373c5b8745c3a7216
SHA1

8ef0d72ed3e3e2257edb7de2f3c2aef2d55491f1
SHA256

41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1
SHA512

82ba50788ceae87ba1898aba135089eacf617356002f9f357a77f4cce632496f6e4e4e6c0df4133e06c2d4fdd02563649e5453ce67b056c19e2da0ea82cc3e4f
SSDEEP

6144:G/Wn+55zf3baKml6ZVhrakPIJPwINJxdWbMcFi:rcLalLPwINLdWbM

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

oqqiu.exe

pid process

992 oqqiu.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1548 cmd.exe

pid	process
1548	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe

pid	process
1300	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe
1300	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

oqqiu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	oqqiu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\{0F2E54C8-3777-AD4D-74EB-E9074BCFCA1A} = "C:\\Users\\Admin\\AppData\\Roaming\\Sizime\\oqqiu.exe"	oqqiu.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe

description	pid	process	target process
PID 1300 set thread context of 1548	1300	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

oqqiu.exe

pid	process
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe
992	oqqiu.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exeoqqiu.exe

description	pid	process	target process
PID 1300 wrote to memory of 992	1300	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe	oqqiu.exe
PID 1300 wrote to memory of 992	1300	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe	oqqiu.exe
PID 1300 wrote to memory of 992	1300	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe	oqqiu.exe
PID 1300 wrote to memory of 992	1300	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe	oqqiu.exe
PID 992 wrote to memory of 1108	992	oqqiu.exe	taskhost.exe
PID 992 wrote to memory of 1108	992	oqqiu.exe	taskhost.exe
PID 992 wrote to memory of 1108	992	oqqiu.exe	taskhost.exe
PID 992 wrote to memory of 1108	992	oqqiu.exe	taskhost.exe
PID 992 wrote to memory of 1108	992	oqqiu.exe	taskhost.exe
PID 992 wrote to memory of 1204	992	oqqiu.exe	Dwm.exe
PID 992 wrote to memory of 1204	992	oqqiu.exe	Dwm.exe
PID 992 wrote to memory of 1204	992	oqqiu.exe	Dwm.exe
PID 992 wrote to memory of 1204	992	oqqiu.exe	Dwm.exe
PID 992 wrote to memory of 1204	992	oqqiu.exe	Dwm.exe
PID 992 wrote to memory of 1252	992	oqqiu.exe	Explorer.EXE
PID 992 wrote to memory of 1252	992	oqqiu.exe	Explorer.EXE
PID 992 wrote to memory of 1252	992	oqqiu.exe	Explorer.EXE
PID 992 wrote to memory of 1252	992	oqqiu.exe	Explorer.EXE
PID 992 wrote to memory of 1252	992	oqqiu.exe	Explorer.EXE
PID 992 wrote to memory of 1300	992	oqqiu.exe	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe
PID 992 wrote to memory of 1300	992	oqqiu.exe	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe
PID 992 wrote to memory of 1300	992	oqqiu.exe	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe
PID 992 wrote to memory of 1300	992	oqqiu.exe	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe
PID 992 wrote to memory of 1300	992	oqqiu.exe	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe
PID 1300 wrote to memory of 1548	1300	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe	cmd.exe
PID 1300 wrote to memory of 1548	1300	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe	cmd.exe
PID 1300 wrote to memory of 1548	1300	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe	cmd.exe
PID 1300 wrote to memory of 1548	1300	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe	cmd.exe
PID 1300 wrote to memory of 1548	1300	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe	cmd.exe
PID 1300 wrote to memory of 1548	1300	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe	cmd.exe
PID 1300 wrote to memory of 1548	1300	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe	cmd.exe
PID 1300 wrote to memory of 1548	1300	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe	cmd.exe
PID 1300 wrote to memory of 1548	1300	41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe
"C:\Users\Admin\AppData\Local\Temp\41ddf7585f39b6b9e7919ff4b788f31744e95a0afef7eead46164a9e8b8c9da1.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Roaming\Sizime\oqqiu.exe
"C:\Users\Admin\AppData\Roaming\Sizime\oqqiu.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpebdf354d.bat"
3⤵
- Deletes itself
PID:1548

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1204

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpebdf354d.bat
Filesize
307B

MD5
229b96d52b00309ab9ac71cdb10ba729

SHA1
5c1d4af8aa8d01583574967329dcfe9739370a8d

SHA256
6bc0431032d3acbdebd72005c3c9475e54c3866e1c85fecd658fbabc1293e3b7

SHA512
b2617db2af3e4190db161229d4fca13c9bc252f77aa3e21d1b5b5185f97bbb8477c1c8526d9f5eb8bc039996ab8dcc4dc31021b08289d9d443fe1770d101a5db

Download Submit
C:\Users\Admin\AppData\Roaming\Sizime\oqqiu.exe
Filesize
301KB

MD5
760be1346180357449be29329fb3d8f8

SHA1
0352749c0174a0481c699e6d05c30ffbba4939c3

SHA256
4b8e43eb4eda3bad5beff333de394e92126aa01466cf16126e0ba92c66126291

SHA512
910512ec48020a6db14d0c28512df77394563711369eb8fa465ac47428a8d42d75882bda8befc7cef2c821a05cfd067119a69d0a4aea1e966c0b8f6665f169e6

Download Submit
C:\Users\Admin\AppData\Roaming\Sizime\oqqiu.exe
Filesize
301KB

MD5
760be1346180357449be29329fb3d8f8

SHA1
0352749c0174a0481c699e6d05c30ffbba4939c3

SHA256
4b8e43eb4eda3bad5beff333de394e92126aa01466cf16126e0ba92c66126291

SHA512
910512ec48020a6db14d0c28512df77394563711369eb8fa465ac47428a8d42d75882bda8befc7cef2c821a05cfd067119a69d0a4aea1e966c0b8f6665f169e6

Download Submit
\Users\Admin\AppData\Roaming\Sizime\oqqiu.exe
Filesize
301KB

MD5
760be1346180357449be29329fb3d8f8

SHA1
0352749c0174a0481c699e6d05c30ffbba4939c3

SHA256
4b8e43eb4eda3bad5beff333de394e92126aa01466cf16126e0ba92c66126291

SHA512
910512ec48020a6db14d0c28512df77394563711369eb8fa465ac47428a8d42d75882bda8befc7cef2c821a05cfd067119a69d0a4aea1e966c0b8f6665f169e6

Download Submit
\Users\Admin\AppData\Roaming\Sizime\oqqiu.exe
Filesize
301KB

MD5
760be1346180357449be29329fb3d8f8

SHA1
0352749c0174a0481c699e6d05c30ffbba4939c3

SHA256
4b8e43eb4eda3bad5beff333de394e92126aa01466cf16126e0ba92c66126291

SHA512
910512ec48020a6db14d0c28512df77394563711369eb8fa465ac47428a8d42d75882bda8befc7cef2c821a05cfd067119a69d0a4aea1e966c0b8f6665f169e6

Download Submit
memory/992-59-0x0000000000000000-mapping.dmp

Download
memory/1108-65-0x0000000001D80000-0x0000000001DC8000-memory.dmp

Filesize
288KB

Download
memory/1108-67-0x0000000001D80000-0x0000000001DC8000-memory.dmp

Filesize
288KB

Download
memory/1108-68-0x0000000001D80000-0x0000000001DC8000-memory.dmp

Filesize
288KB

Download
memory/1108-69-0x0000000001D80000-0x0000000001DC8000-memory.dmp

Filesize
288KB

Download
memory/1108-70-0x0000000001D80000-0x0000000001DC8000-memory.dmp

Filesize
288KB

Download
memory/1204-73-0x0000000000130000-0x0000000000178000-memory.dmp

Filesize
288KB

Download
memory/1204-74-0x0000000000130000-0x0000000000178000-memory.dmp

Filesize
288KB

Download
memory/1204-75-0x0000000000130000-0x0000000000178000-memory.dmp

Filesize
288KB

Download
memory/1204-76-0x0000000000130000-0x0000000000178000-memory.dmp

Filesize
288KB

Download
memory/1252-82-0x0000000002950000-0x0000000002998000-memory.dmp

Filesize
288KB

Download
memory/1252-81-0x0000000002950000-0x0000000002998000-memory.dmp

Filesize
288KB

Download
memory/1252-80-0x0000000002950000-0x0000000002998000-memory.dmp

Filesize
288KB

Download
memory/1252-79-0x0000000002950000-0x0000000002998000-memory.dmp

Filesize
288KB

Download
memory/1300-86-0x0000000000460000-0x00000000004A8000-memory.dmp

Filesize
288KB

Download
memory/1300-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1300-85-0x0000000000460000-0x00000000004A8000-memory.dmp

Filesize
288KB

Download
memory/1300-55-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/1300-87-0x0000000000460000-0x00000000004A8000-memory.dmp

Filesize
288KB

Download
memory/1300-88-0x0000000000460000-0x00000000004A8000-memory.dmp

Filesize
288KB

Download
memory/1300-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1300-103-0x0000000000460000-0x00000000004A8000-memory.dmp

Filesize
288KB

Download
memory/1300-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1300-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1300-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1300-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1300-54-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1300-56-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1548-100-0x0000000000090000-0x00000000000D8000-memory.dmp

Filesize
288KB

Download
memory/1548-101-0x0000000000090000-0x00000000000D8000-memory.dmp

Filesize
288KB

Download
memory/1548-102-0x000000000009BBB4-mapping.dmp

Download
memory/1548-99-0x0000000000090000-0x00000000000D8000-memory.dmp

Filesize
288KB

Download
memory/1548-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1548-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1548-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1548-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1548-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1548-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1548-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1548-97-0x0000000000090000-0x00000000000D8000-memory.dmp

Filesize
288KB

Download
memory/1548-113-0x0000000000090000-0x00000000000D8000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads