c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe
Size

509KB
MD5

f204e299cbfbfe1634e9027f91071a36
SHA1

5483848741d191789131d9e399862b13bdfade50
SHA256

c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b
SHA512

31648706b3da42a8f068efed80113d480e7ad709bc009ea79f142ce87a7d476eaf803651c3f67850d62ddba5c27ecb52c70db85379c4d13e236b58dd38919387
SSDEEP

6144:oKWnSagcHlT3xXlaOcmTo+ujGnA7vDCt3U8HRT6nWN:oKWSTcF7rFm0yCpRT6nQ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1456	quul.exe
524	quul.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\Currentversion\Run	quul.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nemaogamef = "C:\\Users\\Admin\\AppData\\Roaming\\Ibuq\\quul.exe"	quul.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4728 set thread context of 3044	4728	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe	82
PID 1456 set thread context of 524	1456	quul.exe	84

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe
524	quul.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3044	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe
Token: SeSecurityPrivilege	3044	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4728	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe
1456	quul.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 3044	4728	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe	82
PID 4728 wrote to memory of 3044	4728	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe	82
PID 4728 wrote to memory of 3044	4728	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe	82
PID 4728 wrote to memory of 3044	4728	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe	82
PID 4728 wrote to memory of 3044	4728	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe	82
PID 4728 wrote to memory of 3044	4728	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe	82
PID 4728 wrote to memory of 3044	4728	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe	82
PID 4728 wrote to memory of 3044	4728	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe	82
PID 4728 wrote to memory of 3044	4728	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe	82
PID 3044 wrote to memory of 1456	3044	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe	83
PID 3044 wrote to memory of 1456	3044	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe	83
PID 3044 wrote to memory of 1456	3044	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe	83
PID 1456 wrote to memory of 524	1456	quul.exe	84
PID 1456 wrote to memory of 524	1456	quul.exe	84
PID 1456 wrote to memory of 524	1456	quul.exe	84
PID 1456 wrote to memory of 524	1456	quul.exe	84
PID 1456 wrote to memory of 524	1456	quul.exe	84
PID 1456 wrote to memory of 524	1456	quul.exe	84
PID 1456 wrote to memory of 524	1456	quul.exe	84
PID 1456 wrote to memory of 524	1456	quul.exe	84
PID 1456 wrote to memory of 524	1456	quul.exe	84
PID 3044 wrote to memory of 1812	3044	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe	85
PID 3044 wrote to memory of 1812	3044	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe	85
PID 3044 wrote to memory of 1812	3044	c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe	85
PID 524 wrote to memory of 2256	524	quul.exe	53
PID 524 wrote to memory of 2256	524	quul.exe	53
PID 524 wrote to memory of 2256	524	quul.exe	53
PID 524 wrote to memory of 2256	524	quul.exe	53
PID 524 wrote to memory of 2256	524	quul.exe	53
PID 524 wrote to memory of 2268	524	quul.exe	52
PID 524 wrote to memory of 2268	524	quul.exe	52
PID 524 wrote to memory of 2268	524	quul.exe	52
PID 524 wrote to memory of 2268	524	quul.exe	52
PID 524 wrote to memory of 2268	524	quul.exe	52
PID 524 wrote to memory of 2376	524	quul.exe	51
PID 524 wrote to memory of 2376	524	quul.exe	51
PID 524 wrote to memory of 2376	524	quul.exe	51
PID 524 wrote to memory of 2376	524	quul.exe	51
PID 524 wrote to memory of 2376	524	quul.exe	51
PID 524 wrote to memory of 3004	524	quul.exe	40
PID 524 wrote to memory of 3004	524	quul.exe	40
PID 524 wrote to memory of 3004	524	quul.exe	40
PID 524 wrote to memory of 3004	524	quul.exe	40
PID 524 wrote to memory of 3004	524	quul.exe	40
PID 524 wrote to memory of 684	524	quul.exe	39
PID 524 wrote to memory of 684	524	quul.exe	39
PID 524 wrote to memory of 684	524	quul.exe	39
PID 524 wrote to memory of 684	524	quul.exe	39
PID 524 wrote to memory of 684	524	quul.exe	39
PID 524 wrote to memory of 3208	524	quul.exe	38
PID 524 wrote to memory of 3208	524	quul.exe	38
PID 524 wrote to memory of 3208	524	quul.exe	38
PID 524 wrote to memory of 3208	524	quul.exe	38
PID 524 wrote to memory of 3208	524	quul.exe	38
PID 524 wrote to memory of 3300	524	quul.exe	37
PID 524 wrote to memory of 3300	524	quul.exe	37
PID 524 wrote to memory of 3300	524	quul.exe	37
PID 524 wrote to memory of 3300	524	quul.exe	37
PID 524 wrote to memory of 3300	524	quul.exe	37
PID 524 wrote to memory of 3360	524	quul.exe	36
PID 524 wrote to memory of 3360	524	quul.exe	36
PID 524 wrote to memory of 3360	524	quul.exe	36
PID 524 wrote to memory of 3360	524	quul.exe	36
PID 524 wrote to memory of 3360	524	quul.exe	36

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:2316

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4960

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3360

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3300

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:684

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3004
- C:\Users\Admin\AppData\Local\Temp\c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe
  "C:\Users\Admin\AppData\Local\Temp\c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe
    "C:\Users\Admin\AppData\Local\Temp\c33819f3242447a700cbf637c86f1b17edc86dbf996e2111dc66d622fb081d7b.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Users\Admin\AppData\Roaming\Ibuq\quul.exe
      "C:\Users\Admin\AppData\Roaming\Ibuq\quul.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Users\Admin\AppData\Roaming\Ibuq\quul.exe
        
        "C:\Users\Admin\AppData\Roaming\Ibuq\quul.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:524
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4ae6942c.bat"
      4⤵
      PID:1812
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2384

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2268

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4ae6942c.bat

Filesize
307B

MD5
c3110a1ef2c9007a819d1b081f62fc33

SHA1
5e137143708451090323f28f2e01a358ac710893

SHA256
6e9c884ec0a700a9f247a1cf07a5a4ed5da197a8bd3242c7ed1bc2be7a068700

SHA512
b71bf78e7a1cd0d3c87ac0e964c25d384d3523066688fc2b14edf6e038f078d27447662f0e082593e5cde34dee717660eaa8c844844dd2de22908b9b0d25db1f

Download Submit
C:\Users\Admin\AppData\Roaming\Ibuq\quul.exe

Filesize
509KB

MD5
034f38fa60e60343de7902822dc5757b

SHA1
60986fba0610c03fe671d68bf590140f89bea53b

SHA256
2e500000bf03791310edcc52d1035d0bd89a2f55b502f722d0af1f44b75657c3

SHA512
561a74ab8ba3ead106e2b438b8d186336b7cf2a30ea471f9249cb68b32cae69ebf7bcf4b2e6bf049fb3b7d50fbae372d96c6e03eecf53dcf4c25221f6858f8f6

Download Submit
C:\Users\Admin\AppData\Roaming\Ibuq\quul.exe

Filesize
509KB

MD5
034f38fa60e60343de7902822dc5757b

SHA1
60986fba0610c03fe671d68bf590140f89bea53b

SHA256
2e500000bf03791310edcc52d1035d0bd89a2f55b502f722d0af1f44b75657c3

SHA512
561a74ab8ba3ead106e2b438b8d186336b7cf2a30ea471f9249cb68b32cae69ebf7bcf4b2e6bf049fb3b7d50fbae372d96c6e03eecf53dcf4c25221f6858f8f6

Download Submit
C:\Users\Admin\AppData\Roaming\Ibuq\quul.exe

Filesize
509KB

MD5
034f38fa60e60343de7902822dc5757b

SHA1
60986fba0610c03fe671d68bf590140f89bea53b

SHA256
2e500000bf03791310edcc52d1035d0bd89a2f55b502f722d0af1f44b75657c3

SHA512
561a74ab8ba3ead106e2b438b8d186336b7cf2a30ea471f9249cb68b32cae69ebf7bcf4b2e6bf049fb3b7d50fbae372d96c6e03eecf53dcf4c25221f6858f8f6

Download Submit
memory/524-151-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1812-150-0x0000000000DE0000-0x0000000000E1B000-memory.dmp

Filesize
236KB

Download
memory/3044-142-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3044-148-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3044-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download