fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b

General

Target

fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe
Size

354KB
MD5

bf739ec9836929fd5f184c058a964c80
SHA1

5dd0d75872291ef0072f97b4ed74408f9e9aedf1
SHA256

fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b
SHA512

76e261a4d8c89de62f96d642381269a7a55fbf8950e104b1a727e37456a2d12eb5fb629f762dc4500e02858f7732e8e18000970b06e2ec32897264973e1615ad
SSDEEP

6144:TtKn+Y6Helr0DXe2VxXr5pyLoyn25pW6bacHO4lJen:Tk6HelreLxXdpyNcplWcHllJO

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

qyam.exe

pid process

1640 qyam.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1536 cmd.exe

pid	process
1536	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe

pid	process
1168	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe
1168	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

qyam.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Kitome\\qyam.exe"	qyam.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	qyam.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe

description	pid	process	target process
PID 1168 set thread context of 1536	1168	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

qyam.exe

pid	process
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe
1640	qyam.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exeqyam.exe

pid process

1168 fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe
1640 qyam.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exeqyam.exe

description	pid	process	target process
PID 1168 wrote to memory of 1640	1168	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe	qyam.exe
PID 1168 wrote to memory of 1640	1168	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe	qyam.exe
PID 1168 wrote to memory of 1640	1168	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe	qyam.exe
PID 1168 wrote to memory of 1640	1168	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe	qyam.exe
PID 1640 wrote to memory of 1132	1640	qyam.exe	taskhost.exe
PID 1640 wrote to memory of 1132	1640	qyam.exe	taskhost.exe
PID 1640 wrote to memory of 1132	1640	qyam.exe	taskhost.exe
PID 1640 wrote to memory of 1132	1640	qyam.exe	taskhost.exe
PID 1640 wrote to memory of 1132	1640	qyam.exe	taskhost.exe
PID 1640 wrote to memory of 1232	1640	qyam.exe	Dwm.exe
PID 1640 wrote to memory of 1232	1640	qyam.exe	Dwm.exe
PID 1640 wrote to memory of 1232	1640	qyam.exe	Dwm.exe
PID 1640 wrote to memory of 1232	1640	qyam.exe	Dwm.exe
PID 1640 wrote to memory of 1232	1640	qyam.exe	Dwm.exe
PID 1640 wrote to memory of 1304	1640	qyam.exe	Explorer.EXE
PID 1640 wrote to memory of 1304	1640	qyam.exe	Explorer.EXE
PID 1640 wrote to memory of 1304	1640	qyam.exe	Explorer.EXE
PID 1640 wrote to memory of 1304	1640	qyam.exe	Explorer.EXE
PID 1640 wrote to memory of 1304	1640	qyam.exe	Explorer.EXE
PID 1640 wrote to memory of 1168	1640	qyam.exe	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe
PID 1640 wrote to memory of 1168	1640	qyam.exe	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe
PID 1640 wrote to memory of 1168	1640	qyam.exe	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe
PID 1640 wrote to memory of 1168	1640	qyam.exe	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe
PID 1640 wrote to memory of 1168	1640	qyam.exe	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe
PID 1168 wrote to memory of 1536	1168	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe	cmd.exe
PID 1168 wrote to memory of 1536	1168	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe	cmd.exe
PID 1168 wrote to memory of 1536	1168	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe	cmd.exe
PID 1168 wrote to memory of 1536	1168	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe	cmd.exe
PID 1168 wrote to memory of 1536	1168	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe	cmd.exe
PID 1168 wrote to memory of 1536	1168	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe	cmd.exe
PID 1168 wrote to memory of 1536	1168	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe	cmd.exe
PID 1168 wrote to memory of 1536	1168	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe	cmd.exe
PID 1168 wrote to memory of 1536	1168	fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe
"C:\Users\Admin\AppData\Local\Temp\fbab856b738109bb0ece8d46e7424dafe2b504612b25cf2b9fc1aec569151a4b.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Roaming\Kitome\qyam.exe
"C:\Users\Admin\AppData\Roaming\Kitome\qyam.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpc062088e.bat"
3⤵
- Deletes itself
PID:1536

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpc062088e.bat

Filesize
307B

MD5
a92b8a792db400a0f2e1a68795851d22

SHA1
582dc7d318960d8ecd46bea0d68a04e9cc16d673

SHA256
64d47da98d47552517b2468a1d8af2e6b28c116ae77ef3d55fbdf27e4a721795

SHA512
ea49146277c3b894623dbbd68a831f72a9fdcb321d62340ebd743ca95c824b91e9e18a35ee6dba25c94ea720dc8ba006d4464de92c141eca91a918a14b2c1c0d

Download Submit
C:\Users\Admin\AppData\Roaming\Kitome\qyam.exe

Filesize
354KB

MD5
1411a6b1352d643b4620355f57144db6

SHA1
3e0a1e875346e8acd8523766aa513cc71e69acf6

SHA256
8b61e2ce3486cf37acf15dcc0154c7d35b33bd7caa86ad6de1ba7ce0451763d8

SHA512
9340d4ed2e7f855d30187b3af1ef522099a3bd9ec045a39d0e4c001a4562f85cfb44e5c8b642fed8d77996d742439f46f0298962f339d295fa575a9a8e0a356f

Download Submit
C:\Users\Admin\AppData\Roaming\Kitome\qyam.exe

Filesize
354KB

MD5
1411a6b1352d643b4620355f57144db6

SHA1
3e0a1e875346e8acd8523766aa513cc71e69acf6

SHA256
8b61e2ce3486cf37acf15dcc0154c7d35b33bd7caa86ad6de1ba7ce0451763d8

SHA512
9340d4ed2e7f855d30187b3af1ef522099a3bd9ec045a39d0e4c001a4562f85cfb44e5c8b642fed8d77996d742439f46f0298962f339d295fa575a9a8e0a356f

Download Submit
\Users\Admin\AppData\Roaming\Kitome\qyam.exe

Filesize
354KB

MD5
1411a6b1352d643b4620355f57144db6

SHA1
3e0a1e875346e8acd8523766aa513cc71e69acf6

SHA256
8b61e2ce3486cf37acf15dcc0154c7d35b33bd7caa86ad6de1ba7ce0451763d8

SHA512
9340d4ed2e7f855d30187b3af1ef522099a3bd9ec045a39d0e4c001a4562f85cfb44e5c8b642fed8d77996d742439f46f0298962f339d295fa575a9a8e0a356f

Download Submit
\Users\Admin\AppData\Roaming\Kitome\qyam.exe

Filesize
354KB

MD5
1411a6b1352d643b4620355f57144db6

SHA1
3e0a1e875346e8acd8523766aa513cc71e69acf6

SHA256
8b61e2ce3486cf37acf15dcc0154c7d35b33bd7caa86ad6de1ba7ce0451763d8

SHA512
9340d4ed2e7f855d30187b3af1ef522099a3bd9ec045a39d0e4c001a4562f85cfb44e5c8b642fed8d77996d742439f46f0298962f339d295fa575a9a8e0a356f

Download Submit
memory/1132-67-0x0000000001C60000-0x0000000001CA4000-memory.dmp

Filesize
272KB

Download
memory/1132-66-0x0000000001C60000-0x0000000001CA4000-memory.dmp

Filesize
272KB

Download
memory/1132-68-0x0000000001C60000-0x0000000001CA4000-memory.dmp

Filesize
272KB

Download
memory/1132-63-0x0000000001C60000-0x0000000001CA4000-memory.dmp

Filesize
272KB

Download
memory/1132-65-0x0000000001C60000-0x0000000001CA4000-memory.dmp

Filesize
272KB

Download
memory/1168-95-0x0000000000380000-0x00000000003CF000-memory.dmp

Filesize
316KB

Download
memory/1168-84-0x00000000004E0000-0x0000000000524000-memory.dmp

Filesize
272KB

Download
memory/1168-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1168-94-0x0000000000330000-0x0000000000374000-memory.dmp

Filesize
272KB

Download
memory/1168-96-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1168-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1168-100-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1168-102-0x00000000004E0000-0x0000000000524000-memory.dmp

Filesize
272KB

Download
memory/1168-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1168-86-0x00000000004E0000-0x0000000000524000-memory.dmp

Filesize
272KB

Download
memory/1168-85-0x00000000004E0000-0x0000000000524000-memory.dmp

Filesize
272KB

Download
memory/1168-83-0x00000000004E0000-0x0000000000524000-memory.dmp

Filesize
272KB

Download
memory/1232-74-0x0000000000340000-0x0000000000384000-memory.dmp

Filesize
272KB

Download
memory/1232-72-0x0000000000340000-0x0000000000384000-memory.dmp

Filesize
272KB

Download
memory/1232-73-0x0000000000340000-0x0000000000384000-memory.dmp

Filesize
272KB

Download
memory/1232-71-0x0000000000340000-0x0000000000384000-memory.dmp

Filesize
272KB

Download
memory/1304-80-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1304-79-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1304-78-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1304-77-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1536-89-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1536-93-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1536-98-0x00000000000638F8-mapping.dmp

Download
memory/1536-92-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1536-91-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1536-105-0x0000000000050000-0x0000000000094000-memory.dmp

Filesize
272KB

Download
memory/1640-97-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/1640-99-0x0000000000370000-0x00000000003BF000-memory.dmp

Filesize
316KB

Download
memory/1640-101-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1640-59-0x0000000000000000-mapping.dmp

Download
memory/1640-106-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads