00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 14:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe
Size

303KB
MD5

343c424e1583ef0c5fc705028e5f21c0
SHA1

406549f839ec9217ffb5c4707a9e8886bdcebd14
SHA256

00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0
SHA512

fc66808713d0521afb7ea443d563ccb4657e8120684e84e5be4094c9b312d690b2c15deb320dcb4052eb09ca7a4618feee2fcc456c0aabf6e38ace6c764c6a88
SSDEEP

6144:vEqtgMxcJUHMknMIDWUHMgmNVWSMtx2c8gdE3Z2rQDyk6x:vEqtgMGJwM6MIvjmNRMn2cRTk5W

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1644	qaem.exe

Deletes itself 1 IoCs

pid	Process
1784	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1452	00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe
1452	00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qaem = "C:\\Users\\Admin\\AppData\\Roaming\\Ezycta\\qaem.exe"	qaem.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	qaem.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 1784	1452	00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe	27

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe
1644	qaem.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1644	1452	00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe	26
PID 1452 wrote to memory of 1644	1452	00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe	26
PID 1452 wrote to memory of 1644	1452	00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe	26
PID 1452 wrote to memory of 1644	1452	00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe	26
PID 1644 wrote to memory of 1132	1644	qaem.exe	16
PID 1644 wrote to memory of 1132	1644	qaem.exe	16
PID 1644 wrote to memory of 1132	1644	qaem.exe	16
PID 1644 wrote to memory of 1132	1644	qaem.exe	16
PID 1644 wrote to memory of 1132	1644	qaem.exe	16
PID 1644 wrote to memory of 1236	1644	qaem.exe	15
PID 1644 wrote to memory of 1236	1644	qaem.exe	15
PID 1644 wrote to memory of 1236	1644	qaem.exe	15
PID 1644 wrote to memory of 1236	1644	qaem.exe	15
PID 1644 wrote to memory of 1236	1644	qaem.exe	15
PID 1644 wrote to memory of 1268	1644	qaem.exe	13
PID 1644 wrote to memory of 1268	1644	qaem.exe	13
PID 1644 wrote to memory of 1268	1644	qaem.exe	13
PID 1644 wrote to memory of 1268	1644	qaem.exe	13
PID 1644 wrote to memory of 1268	1644	qaem.exe	13
PID 1644 wrote to memory of 1452	1644	qaem.exe	14
PID 1644 wrote to memory of 1452	1644	qaem.exe	14
PID 1644 wrote to memory of 1452	1644	qaem.exe	14
PID 1644 wrote to memory of 1452	1644	qaem.exe	14
PID 1644 wrote to memory of 1452	1644	qaem.exe	14
PID 1452 wrote to memory of 1784	1452	00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe	27
PID 1452 wrote to memory of 1784	1452	00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe	27
PID 1452 wrote to memory of 1784	1452	00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe	27
PID 1452 wrote to memory of 1784	1452	00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe	27
PID 1452 wrote to memory of 1784	1452	00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe	27
PID 1452 wrote to memory of 1784	1452	00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe	27
PID 1452 wrote to memory of 1784	1452	00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe	27
PID 1452 wrote to memory of 1784	1452	00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe	27
PID 1452 wrote to memory of 1784	1452	00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe	27

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe
  "C:\Users\Admin\AppData\Local\Temp\00a7e6fd8384a8ad8efa60785da8809299732d424dfd5a74ccfc52ea9d8dd7e0.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Users\Admin\AppData\Roaming\Ezycta\qaem.exe
    "C:\Users\Admin\AppData\Roaming\Ezycta\qaem.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ZYECD1.bat"
    3⤵
    - Deletes itself
    PID:1784

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1236

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZYECD1.bat

Filesize
302B

MD5
6b4b448bf3982384c8cb5fcf13b47d6e

SHA1
16538ec9b2513758ecfa4d8c966dd3b269d12a4e

SHA256
7081eebad972818950f106f35ea6eae4e9f4d812456d53ff5fa4a52621fa9e60

SHA512
3a040a900e767d191630f841a1f3d4482a3382bf320c9711ab5dfe8b6871bbf474dbe128c0cf20f83c38451fe3f9b4002d221c4c2def7afea6bd76a95434991e

Download Submit
C:\Users\Admin\AppData\Roaming\Ezycta\qaem.exe

Filesize
303KB

MD5
b7396c8c04e7952cd38cf10d5820e184

SHA1
ed97a23f2824cc059592a1c17045925312c79b0b

SHA256
8fee846cd67ec3c49b5d945cd010bf6ef92036f16e2f1ef7e20e4401e1b169d5

SHA512
6447184047fe58964d480103ddd547c38ba5e0a7970a3f25e64dbdf0aebfa52039ccbc0785a7641f964e28a41203deb9ae813ecbd2205d1367de0b0ff55a21a2

Download Submit
C:\Users\Admin\AppData\Roaming\Ezycta\qaem.exe

Filesize
303KB

MD5
b7396c8c04e7952cd38cf10d5820e184

SHA1
ed97a23f2824cc059592a1c17045925312c79b0b

SHA256
8fee846cd67ec3c49b5d945cd010bf6ef92036f16e2f1ef7e20e4401e1b169d5

SHA512
6447184047fe58964d480103ddd547c38ba5e0a7970a3f25e64dbdf0aebfa52039ccbc0785a7641f964e28a41203deb9ae813ecbd2205d1367de0b0ff55a21a2

Download Submit
\Users\Admin\AppData\Roaming\Ezycta\qaem.exe

Filesize
303KB

MD5
b7396c8c04e7952cd38cf10d5820e184

SHA1
ed97a23f2824cc059592a1c17045925312c79b0b

SHA256
8fee846cd67ec3c49b5d945cd010bf6ef92036f16e2f1ef7e20e4401e1b169d5

SHA512
6447184047fe58964d480103ddd547c38ba5e0a7970a3f25e64dbdf0aebfa52039ccbc0785a7641f964e28a41203deb9ae813ecbd2205d1367de0b0ff55a21a2

Download Submit
\Users\Admin\AppData\Roaming\Ezycta\qaem.exe

Filesize
303KB

MD5
b7396c8c04e7952cd38cf10d5820e184

SHA1
ed97a23f2824cc059592a1c17045925312c79b0b

SHA256
8fee846cd67ec3c49b5d945cd010bf6ef92036f16e2f1ef7e20e4401e1b169d5

SHA512
6447184047fe58964d480103ddd547c38ba5e0a7970a3f25e64dbdf0aebfa52039ccbc0785a7641f964e28a41203deb9ae813ecbd2205d1367de0b0ff55a21a2

Download Submit
memory/1132-69-0x0000000001D60000-0x0000000001DA9000-memory.dmp

Filesize
292KB

Download
memory/1132-65-0x0000000001D60000-0x0000000001DA9000-memory.dmp

Filesize
292KB

Download
memory/1132-67-0x0000000001D60000-0x0000000001DA9000-memory.dmp

Filesize
292KB

Download
memory/1132-68-0x0000000001D60000-0x0000000001DA9000-memory.dmp

Filesize
292KB

Download
memory/1132-70-0x0000000001D60000-0x0000000001DA9000-memory.dmp

Filesize
292KB

Download
memory/1236-73-0x00000000019E0000-0x0000000001A29000-memory.dmp

Filesize
292KB

Download
memory/1236-74-0x00000000019E0000-0x0000000001A29000-memory.dmp

Filesize
292KB

Download
memory/1236-75-0x00000000019E0000-0x0000000001A29000-memory.dmp

Filesize
292KB

Download
memory/1236-76-0x00000000019E0000-0x0000000001A29000-memory.dmp

Filesize
292KB

Download
memory/1268-81-0x00000000021B0000-0x00000000021F9000-memory.dmp

Filesize
292KB

Download
memory/1268-82-0x00000000021B0000-0x00000000021F9000-memory.dmp

Filesize
292KB

Download
memory/1268-80-0x00000000021B0000-0x00000000021F9000-memory.dmp

Filesize
292KB

Download
memory/1268-79-0x00000000021B0000-0x00000000021F9000-memory.dmp

Filesize
292KB

Download
memory/1452-88-0x0000000001DB0000-0x0000000001DF9000-memory.dmp

Filesize
292KB

Download
memory/1452-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1452-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1452-56-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1452-86-0x0000000001DB0000-0x0000000001DF9000-memory.dmp

Filesize
292KB

Download
memory/1452-85-0x0000000001DB0000-0x0000000001DF9000-memory.dmp

Filesize
292KB

Download
memory/1452-54-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1452-87-0x0000000001DB0000-0x0000000001DF9000-memory.dmp

Filesize
292KB

Download
memory/1452-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1452-103-0x0000000001DB0000-0x0000000001DFE000-memory.dmp

Filesize
312KB

Download
memory/1452-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1452-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1452-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1452-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1452-114-0x0000000001DB0000-0x0000000001DFE000-memory.dmp

Filesize
312KB

Download
memory/1644-62-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1784-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1784-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1784-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1784-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1784-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1784-99-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download