7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4

General

Target

7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
Size

252KB
MD5

2e039a2c2780ce64e13cab0d8092ff45
SHA1

232282496576b1b9962eebf8fdfaf87b351f3851
SHA256

7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4
SHA512

f1239af8dc2488096a6dfa9c694380bc55f98da45cfdb0a6868d9c12624a1faabadf0b6ca5df902fc79b812a6a87b3bc94e96c2b7774b13a635c59475c045ce1
SSDEEP

1536:aKIwL0+zscRbgE3vo97thU0CNY+cdoFlVxEz/c2JYO8VUmnbfzFHfz8sFBpYWC/g:1l0+7gYg9bVtgfzFHfzb51QRPr8GDiX

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

maoqouj.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	maoqouj.exe

Executes dropped EXE 1 IoCs

Processes:

maoqouj.exe

pid process

1748 maoqouj.exe

Loads dropped DLL 2 IoCs

Processes:

7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe

pid	process
1808	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
1808	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe

Adds Run key to start application 2 TTPs 49 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

maoqouj.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /X"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /S"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /k"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /t"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /R"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /a"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /u"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /L"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /A"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /O"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /Y"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /w"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /y"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /n"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /b"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /e"	maoqouj.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /F"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /W"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /m"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /I"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /D"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /g"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /r"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /B"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /Q"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /E"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /M"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /o"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /v"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /q"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /i"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /K"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /Z"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /p"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /C"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /z"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /J"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /l"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /V"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /G"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /x"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /c"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /T"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /d"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /H"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /j"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /U"	maoqouj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\maoqouj = "C:\\Users\\Admin\\maoqouj.exe /s"	maoqouj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

maoqouj.exe

pid	process
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe
1748	maoqouj.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exemaoqouj.exe

pid process

1808 7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
1748 maoqouj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exemaoqouj.exe

description	pid	process	target process
PID 1808 wrote to memory of 1748	1808	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe	maoqouj.exe
PID 1808 wrote to memory of 1748	1808	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe	maoqouj.exe
PID 1808 wrote to memory of 1748	1808	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe	maoqouj.exe
PID 1808 wrote to memory of 1748	1808	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe	maoqouj.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
PID 1748 wrote to memory of 1808	1748	maoqouj.exe	7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe

C:\Users\Admin\AppData\Local\Temp\7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe
"C:\Users\Admin\AppData\Local\Temp\7aaf1e24e15699ba7ab4ea7e0453e26b76e03b9e40175f444b29474da276e0c4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\maoqouj.exe
"C:\Users\Admin\maoqouj.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\maoqouj.exe

Filesize
252KB

MD5
278fa3826a627fb987ca5761cc219690

SHA1
0f2929c34f7191b20f6ef59f9a20eedcd81985b1

SHA256
4674b375abad6a8ba4b4f4e98b14b491d4551a1a1c1d7e67228f50b37e92145a

SHA512
298cfcd7f5878390d4282de9943ec8011ac9d78f1a2ff85d0ca76b11208f9238cc9a0e0e5ec4608a7688c030133030ee98a2fe844026359a4b2bf70074828682

Download Submit
C:\Users\Admin\maoqouj.exe

Filesize
252KB

MD5
278fa3826a627fb987ca5761cc219690

SHA1
0f2929c34f7191b20f6ef59f9a20eedcd81985b1

SHA256
4674b375abad6a8ba4b4f4e98b14b491d4551a1a1c1d7e67228f50b37e92145a

SHA512
298cfcd7f5878390d4282de9943ec8011ac9d78f1a2ff85d0ca76b11208f9238cc9a0e0e5ec4608a7688c030133030ee98a2fe844026359a4b2bf70074828682

Download Submit
\Users\Admin\maoqouj.exe

Filesize
252KB

MD5
278fa3826a627fb987ca5761cc219690

SHA1
0f2929c34f7191b20f6ef59f9a20eedcd81985b1

SHA256
4674b375abad6a8ba4b4f4e98b14b491d4551a1a1c1d7e67228f50b37e92145a

SHA512
298cfcd7f5878390d4282de9943ec8011ac9d78f1a2ff85d0ca76b11208f9238cc9a0e0e5ec4608a7688c030133030ee98a2fe844026359a4b2bf70074828682

Download Submit
\Users\Admin\maoqouj.exe

Filesize
252KB

MD5
278fa3826a627fb987ca5761cc219690

SHA1
0f2929c34f7191b20f6ef59f9a20eedcd81985b1

SHA256
4674b375abad6a8ba4b4f4e98b14b491d4551a1a1c1d7e67228f50b37e92145a

SHA512
298cfcd7f5878390d4282de9943ec8011ac9d78f1a2ff85d0ca76b11208f9238cc9a0e0e5ec4608a7688c030133030ee98a2fe844026359a4b2bf70074828682

Download Submit
memory/1748-59-0x0000000000000000-mapping.dmp

Download
memory/1808-56-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads