d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2

General

Target

d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe
Size

304KB
MD5

c30ccdcf9d08cb32f21f30138aee4bf4
SHA1

16ccef637353eef88da6b476fd6edb8d7c08531c
SHA256

d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2
SHA512

474a498027e3b7ec79d817020ea90662945cbb553913de3eec89226f51e324be682e6c0abfd14a9422cc9e8625d529b4025b183c7a17553617cf66bdc1fff18d
SSDEEP

6144:ihnqsd6VLR98xm7BtzilD3PZI7u+3tqd1w2dBMSXW:iRqdNx7KlEdgw9D

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

amawaq.exe

pid process

788 amawaq.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

684 cmd.exe

pid	process
684	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe

pid	process
872	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe
872	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

amawaq.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	amawaq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Amawaq = "C:\\Users\\Admin\\AppData\\Roaming\\Iwpyer\\amawaq.exe"	amawaq.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe

description pid process target process

PID 872 set thread context of 684 872 d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe cmd.exe

description	pid	process	target process
PID 872 set thread context of 684	872	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

amawaq.exe

pid	process
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe
788	amawaq.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exeamawaq.exe

description	pid	process	target process
PID 872 wrote to memory of 788	872	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe	amawaq.exe
PID 872 wrote to memory of 788	872	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe	amawaq.exe
PID 872 wrote to memory of 788	872	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe	amawaq.exe
PID 872 wrote to memory of 788	872	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe	amawaq.exe
PID 788 wrote to memory of 1128	788	amawaq.exe	taskhost.exe
PID 788 wrote to memory of 1128	788	amawaq.exe	taskhost.exe
PID 788 wrote to memory of 1128	788	amawaq.exe	taskhost.exe
PID 788 wrote to memory of 1128	788	amawaq.exe	taskhost.exe
PID 788 wrote to memory of 1128	788	amawaq.exe	taskhost.exe
PID 788 wrote to memory of 1188	788	amawaq.exe	Dwm.exe
PID 788 wrote to memory of 1188	788	amawaq.exe	Dwm.exe
PID 788 wrote to memory of 1188	788	amawaq.exe	Dwm.exe
PID 788 wrote to memory of 1188	788	amawaq.exe	Dwm.exe
PID 788 wrote to memory of 1188	788	amawaq.exe	Dwm.exe
PID 788 wrote to memory of 1244	788	amawaq.exe	Explorer.EXE
PID 788 wrote to memory of 1244	788	amawaq.exe	Explorer.EXE
PID 788 wrote to memory of 1244	788	amawaq.exe	Explorer.EXE
PID 788 wrote to memory of 1244	788	amawaq.exe	Explorer.EXE
PID 788 wrote to memory of 1244	788	amawaq.exe	Explorer.EXE
PID 788 wrote to memory of 872	788	amawaq.exe	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe
PID 788 wrote to memory of 872	788	amawaq.exe	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe
PID 788 wrote to memory of 872	788	amawaq.exe	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe
PID 788 wrote to memory of 872	788	amawaq.exe	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe
PID 788 wrote to memory of 872	788	amawaq.exe	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe
PID 872 wrote to memory of 684	872	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe	cmd.exe
PID 872 wrote to memory of 684	872	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe	cmd.exe
PID 872 wrote to memory of 684	872	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe	cmd.exe
PID 872 wrote to memory of 684	872	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe	cmd.exe
PID 872 wrote to memory of 684	872	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe	cmd.exe
PID 872 wrote to memory of 684	872	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe	cmd.exe
PID 872 wrote to memory of 684	872	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe	cmd.exe
PID 872 wrote to memory of 684	872	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe	cmd.exe
PID 872 wrote to memory of 684	872	d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe
"C:\Users\Admin\AppData\Local\Temp\d2501f9f10dfb0405ef83d04f238635706f004495d58e5fc23356f8c2d3e49e2.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Roaming\Iwpyer\amawaq.exe
"C:\Users\Admin\AppData\Roaming\Iwpyer\amawaq.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ATWCCBD.bat"
3⤵
- Deletes itself
PID:684

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ATWCCBD.bat
Filesize
303B

MD5
ce44fa60c5d534c413276215d34e4904

SHA1
38974cee8006ad13daabec59195609823c9c6db5

SHA256
1e606d774515c4064c2e6c1074e86f9f871d4e5e87a33abd00246af6ad30a5ad

SHA512
53d2908cf93c19f9c4375e825337b896fb2b11a83f4d126e0efcfbeaa6434bb124a622350f71d635005f408a98db6069765cffda207b95bb8ccb345e3295d346

Download Submit
C:\Users\Admin\AppData\Roaming\Iwpyer\amawaq.exe
Filesize
304KB

MD5
902398d60c2a1f7fc1aca9f15bacd295

SHA1
86bffc1428c15a870bace70fe1a361b2fe4d6fc1

SHA256
2e323d1ca615c31a1e01408d6e6b51c6d795653934e030782a635e2e266878dc

SHA512
68e69026859b67d4a2f87a2a038e2410c5bb724a138e63e4bbed05b7d2a839e93b755bf4f759b3f820ebd0e88f6cc936c142b15344ee8417881e9499bf1dee2e

Download Submit
C:\Users\Admin\AppData\Roaming\Iwpyer\amawaq.exe
Filesize
304KB

MD5
902398d60c2a1f7fc1aca9f15bacd295

SHA1
86bffc1428c15a870bace70fe1a361b2fe4d6fc1

SHA256
2e323d1ca615c31a1e01408d6e6b51c6d795653934e030782a635e2e266878dc

SHA512
68e69026859b67d4a2f87a2a038e2410c5bb724a138e63e4bbed05b7d2a839e93b755bf4f759b3f820ebd0e88f6cc936c142b15344ee8417881e9499bf1dee2e

Download Submit
\Users\Admin\AppData\Roaming\Iwpyer\amawaq.exe
Filesize
304KB

MD5
902398d60c2a1f7fc1aca9f15bacd295

SHA1
86bffc1428c15a870bace70fe1a361b2fe4d6fc1

SHA256
2e323d1ca615c31a1e01408d6e6b51c6d795653934e030782a635e2e266878dc

SHA512
68e69026859b67d4a2f87a2a038e2410c5bb724a138e63e4bbed05b7d2a839e93b755bf4f759b3f820ebd0e88f6cc936c142b15344ee8417881e9499bf1dee2e

Download Submit
\Users\Admin\AppData\Roaming\Iwpyer\amawaq.exe
Filesize
304KB

MD5
902398d60c2a1f7fc1aca9f15bacd295

SHA1
86bffc1428c15a870bace70fe1a361b2fe4d6fc1

SHA256
2e323d1ca615c31a1e01408d6e6b51c6d795653934e030782a635e2e266878dc

SHA512
68e69026859b67d4a2f87a2a038e2410c5bb724a138e63e4bbed05b7d2a839e93b755bf4f759b3f820ebd0e88f6cc936c142b15344ee8417881e9499bf1dee2e

Download Submit
memory/684-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/684-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/684-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/684-99-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/684-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/684-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/684-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/684-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/684-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/684-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/684-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/684-102-0x0000000000083B6A-mapping.dmp

Download
memory/684-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/788-59-0x0000000000000000-mapping.dmp

Download
memory/788-63-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/872-86-0x0000000001E20000-0x0000000001E69000-memory.dmp

Filesize
292KB

Download
memory/872-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/872-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/872-87-0x0000000001E20000-0x0000000001E69000-memory.dmp

Filesize
292KB

Download
memory/872-85-0x0000000001E20000-0x0000000001E69000-memory.dmp

Filesize
292KB

Download
memory/872-88-0x0000000001E20000-0x0000000001E69000-memory.dmp

Filesize
292KB

Download
memory/872-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/872-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/872-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/872-103-0x0000000001E20000-0x0000000001E69000-memory.dmp

Filesize
292KB

Download
memory/872-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/872-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/872-56-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/872-55-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1128-65-0x0000000000300000-0x0000000000349000-memory.dmp

Filesize
292KB

Download
memory/1128-67-0x0000000000300000-0x0000000000349000-memory.dmp

Filesize
292KB

Download
memory/1128-68-0x0000000000300000-0x0000000000349000-memory.dmp

Filesize
292KB

Download
memory/1128-70-0x0000000000300000-0x0000000000349000-memory.dmp

Filesize
292KB

Download
memory/1128-69-0x0000000000300000-0x0000000000349000-memory.dmp

Filesize
292KB

Download
memory/1188-73-0x0000000001AD0000-0x0000000001B19000-memory.dmp

Filesize
292KB

Download
memory/1188-74-0x0000000001AD0000-0x0000000001B19000-memory.dmp

Filesize
292KB

Download
memory/1188-75-0x0000000001AD0000-0x0000000001B19000-memory.dmp

Filesize
292KB

Download
memory/1188-76-0x0000000001AD0000-0x0000000001B19000-memory.dmp

Filesize
292KB

Download
memory/1244-82-0x00000000029E0000-0x0000000002A29000-memory.dmp

Filesize
292KB

Download
memory/1244-79-0x00000000029E0000-0x0000000002A29000-memory.dmp

Filesize
292KB

Download
memory/1244-80-0x00000000029E0000-0x0000000002A29000-memory.dmp

Filesize
292KB

Download
memory/1244-81-0x00000000029E0000-0x0000000002A29000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads