5bd35d49fcf8ab2b7d85f10a6c932ac8e5471dd0404ee042c3a11dc17f3a081d

Analysis

max time kernel
191s
max time network
223s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bd35d49fcf8ab2b7d85f10a6c932ac8e5471dd0404ee042c3a11dc17f3a081d.exe
Size

304KB
MD5

12a8d52eb022dbbb1e77ca86b4b3c460
SHA1

c82488f8c46024207d6e5634dd6aa3a166a99cd0
SHA256

5bd35d49fcf8ab2b7d85f10a6c932ac8e5471dd0404ee042c3a11dc17f3a081d
SHA512

a01b3898a16c196402fb03ef1b49271043a67dcf5e716ab6bffcfcfc432dcd6ac4c39d8caa0a36b04a7ea96c88f80a80919c5c38530d8ece4935ba94808dfb27
SSDEEP

6144:ZX+qqNtZP4HQLOK5GoqgvO92BwXXyiWoWymv:hf+flqK4vgvO92BTuza

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1892	efefe.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Efefe = "C:\\Users\\Admin\\AppData\\Roaming\\Aqqi\\efefe.exe"	efefe.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	efefe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2628 set thread context of 3780	2628	5bd35d49fcf8ab2b7d85f10a6c932ac8e5471dd0404ee042c3a11dc17f3a081d.exe	84

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe
1892	efefe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 1892	2628	5bd35d49fcf8ab2b7d85f10a6c932ac8e5471dd0404ee042c3a11dc17f3a081d.exe	83
PID 2628 wrote to memory of 1892	2628	5bd35d49fcf8ab2b7d85f10a6c932ac8e5471dd0404ee042c3a11dc17f3a081d.exe	83
PID 2628 wrote to memory of 1892	2628	5bd35d49fcf8ab2b7d85f10a6c932ac8e5471dd0404ee042c3a11dc17f3a081d.exe	83
PID 1892 wrote to memory of 2752	1892	efefe.exe	21
PID 1892 wrote to memory of 2752	1892	efefe.exe	21
PID 1892 wrote to memory of 2752	1892	efefe.exe	21
PID 1892 wrote to memory of 2752	1892	efefe.exe	21
PID 1892 wrote to memory of 2752	1892	efefe.exe	21
PID 1892 wrote to memory of 2776	1892	efefe.exe	49
PID 1892 wrote to memory of 2776	1892	efefe.exe	49
PID 1892 wrote to memory of 2776	1892	efefe.exe	49
PID 1892 wrote to memory of 2776	1892	efefe.exe	49
PID 1892 wrote to memory of 2776	1892	efefe.exe	49
PID 1892 wrote to memory of 2868	1892	efefe.exe	48
PID 1892 wrote to memory of 2868	1892	efefe.exe	48
PID 1892 wrote to memory of 2868	1892	efefe.exe	48
PID 1892 wrote to memory of 2868	1892	efefe.exe	48
PID 1892 wrote to memory of 2868	1892	efefe.exe	48
PID 1892 wrote to memory of 1108	1892	efefe.exe	46
PID 1892 wrote to memory of 1108	1892	efefe.exe	46
PID 1892 wrote to memory of 1108	1892	efefe.exe	46
PID 1892 wrote to memory of 1108	1892	efefe.exe	46
PID 1892 wrote to memory of 1108	1892	efefe.exe	46
PID 1892 wrote to memory of 3088	1892	efefe.exe	45
PID 1892 wrote to memory of 3088	1892	efefe.exe	45
PID 1892 wrote to memory of 3088	1892	efefe.exe	45
PID 1892 wrote to memory of 3088	1892	efefe.exe	45
PID 1892 wrote to memory of 3088	1892	efefe.exe	45
PID 1892 wrote to memory of 3280	1892	efefe.exe	44
PID 1892 wrote to memory of 3280	1892	efefe.exe	44
PID 1892 wrote to memory of 3280	1892	efefe.exe	44
PID 1892 wrote to memory of 3280	1892	efefe.exe	44
PID 1892 wrote to memory of 3280	1892	efefe.exe	44
PID 1892 wrote to memory of 3380	1892	efefe.exe	43
PID 1892 wrote to memory of 3380	1892	efefe.exe	43
PID 1892 wrote to memory of 3380	1892	efefe.exe	43
PID 1892 wrote to memory of 3380	1892	efefe.exe	43
PID 1892 wrote to memory of 3380	1892	efefe.exe	43
PID 1892 wrote to memory of 3448	1892	efefe.exe	22
PID 1892 wrote to memory of 3448	1892	efefe.exe	22
PID 1892 wrote to memory of 3448	1892	efefe.exe	22
PID 1892 wrote to memory of 3448	1892	efefe.exe	22
PID 1892 wrote to memory of 3448	1892	efefe.exe	22
PID 1892 wrote to memory of 3532	1892	efefe.exe	42
PID 1892 wrote to memory of 3532	1892	efefe.exe	42
PID 1892 wrote to memory of 3532	1892	efefe.exe	42
PID 1892 wrote to memory of 3532	1892	efefe.exe	42
PID 1892 wrote to memory of 3532	1892	efefe.exe	42
PID 1892 wrote to memory of 3704	1892	efefe.exe	41
PID 1892 wrote to memory of 3704	1892	efefe.exe	41
PID 1892 wrote to memory of 3704	1892	efefe.exe	41
PID 1892 wrote to memory of 3704	1892	efefe.exe	41
PID 1892 wrote to memory of 3704	1892	efefe.exe	41
PID 1892 wrote to memory of 4120	1892	efefe.exe	25
PID 1892 wrote to memory of 4120	1892	efefe.exe	25
PID 1892 wrote to memory of 4120	1892	efefe.exe	25
PID 1892 wrote to memory of 4120	1892	efefe.exe	25
PID 1892 wrote to memory of 4120	1892	efefe.exe	25
PID 1892 wrote to memory of 2192	1892	efefe.exe	79
PID 1892 wrote to memory of 2192	1892	efefe.exe	79
PID 1892 wrote to memory of 2192	1892	efefe.exe	79
PID 1892 wrote to memory of 2192	1892	efefe.exe	79
PID 1892 wrote to memory of 2192	1892	efefe.exe	79
PID 1892 wrote to memory of 2628	1892	efefe.exe	81

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2752

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3448

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4120

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3704

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3532

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3088

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1108
- C:\Users\Admin\AppData\Local\Temp\5bd35d49fcf8ab2b7d85f10a6c932ac8e5471dd0404ee042c3a11dc17f3a081d.exe
  "C:\Users\Admin\AppData\Local\Temp\5bd35d49fcf8ab2b7d85f10a6c932ac8e5471dd0404ee042c3a11dc17f3a081d.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Roaming\Aqqi\efefe.exe
    "C:\Users\Admin\AppData\Roaming\Aqqi\efefe.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\VOU9930.bat"
    3⤵
    PID:3780

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2776

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2192

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4520

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3548

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5004

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VOU9930.bat

Filesize
303B

MD5
0413e16cc479e366169f9fd5c3eeed2c

SHA1
2ea12848f58e80e809a06d5ca1392d700aef23a6

SHA256
7ff6d3109108677de36c20b18d47eb1ad653649274683ea83625ebecafc0e877

SHA512
d2b25bb857e69d6396568040998ad068856abe6825890d782a68d2fd9fbb2cb8ee1deefb631e869dfdf0ad3165685cdf03c8ee3ed841a31916404054583d8944

Download Submit
C:\Users\Admin\AppData\Roaming\Aqqi\efefe.exe

Filesize
304KB

MD5
17b98a82328fed6caae8c0261e28bbe8

SHA1
fb38eb41a9da780291217ef2898c2c01e4f840ce

SHA256
74167bf909b4d237b9b37dc74edf2c408f6090de63a4c203cdc4fe4546c9d55d

SHA512
8310364cf2ca4e162de6c65564ad11472d88cc855a89a975143077b650f0fa6e5dcd4ba1dfe551bbe0e8b03545e564ecb1625178cb61a2d35bd7ffad3b3fc6a6

Download Submit
C:\Users\Admin\AppData\Roaming\Aqqi\efefe.exe

Filesize
304KB

MD5
17b98a82328fed6caae8c0261e28bbe8

SHA1
fb38eb41a9da780291217ef2898c2c01e4f840ce

SHA256
74167bf909b4d237b9b37dc74edf2c408f6090de63a4c203cdc4fe4546c9d55d

SHA512
8310364cf2ca4e162de6c65564ad11472d88cc855a89a975143077b650f0fa6e5dcd4ba1dfe551bbe0e8b03545e564ecb1625178cb61a2d35bd7ffad3b3fc6a6

Download Submit
memory/1892-137-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2628-145-0x0000000002260000-0x00000000022A9000-memory.dmp

Filesize
292KB

Download
memory/2628-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2628-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2628-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2628-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2628-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2628-144-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2628-132-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2628-133-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/3780-147-0x0000000000540000-0x0000000000589000-memory.dmp

Filesize
292KB

Download
memory/3780-148-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3780-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3780-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3780-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3780-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3780-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3780-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3780-156-0x0000000000540000-0x0000000000589000-memory.dmp

Filesize
292KB

Download