dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2

Analysis

max time kernel
228s
max time network
318s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe
Size

324KB
MD5

0fc0d0aee5c2633fef43b31f2bfef116
SHA1

ed180b75303a69ac05d4fc5faeaeac8b1674ead4
SHA256

dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2
SHA512

c1cebb950601f211eb40145c5783dab639b044acb902012486c4a6f15f29c54d90413872fa911e1d3c8b849d6749f839b36a50c72f2e207bdbbb111841750ea9
SSDEEP

6144:wap2pOyKKiamaG+8A0TaKJ8rCw+Wt0dvOgDxcPkCNepRNfGv9:12T5mDlFJJw+WmOgAFolO1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1368	utqih.exe
1788	utqih.exe

Deletes itself 1 IoCs

pid	Process
1840	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1492	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe
1492	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\{E8A35E48-3774-AD4D-52EE-D422474DF73F} = "C:\\Users\\Admin\\AppData\\Roaming\\Mofyyd\\utqih.exe"	utqih.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\Currentversion\Run	utqih.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1496 set thread context of 1492	1496	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	28
PID 1368 set thread context of 1788	1368	utqih.exe	30

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe
1788	utqih.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1492	1496	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	28
PID 1496 wrote to memory of 1492	1496	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	28
PID 1496 wrote to memory of 1492	1496	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	28
PID 1496 wrote to memory of 1492	1496	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	28
PID 1496 wrote to memory of 1492	1496	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	28
PID 1496 wrote to memory of 1492	1496	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	28
PID 1496 wrote to memory of 1492	1496	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	28
PID 1496 wrote to memory of 1492	1496	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	28
PID 1496 wrote to memory of 1492	1496	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	28
PID 1492 wrote to memory of 1368	1492	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	29
PID 1492 wrote to memory of 1368	1492	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	29
PID 1492 wrote to memory of 1368	1492	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	29
PID 1492 wrote to memory of 1368	1492	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	29
PID 1368 wrote to memory of 1788	1368	utqih.exe	30
PID 1368 wrote to memory of 1788	1368	utqih.exe	30
PID 1368 wrote to memory of 1788	1368	utqih.exe	30
PID 1368 wrote to memory of 1788	1368	utqih.exe	30
PID 1368 wrote to memory of 1788	1368	utqih.exe	30
PID 1368 wrote to memory of 1788	1368	utqih.exe	30
PID 1368 wrote to memory of 1788	1368	utqih.exe	30
PID 1368 wrote to memory of 1788	1368	utqih.exe	30
PID 1368 wrote to memory of 1788	1368	utqih.exe	30
PID 1788 wrote to memory of 1140	1788	utqih.exe	9
PID 1788 wrote to memory of 1140	1788	utqih.exe	9
PID 1788 wrote to memory of 1140	1788	utqih.exe	9
PID 1788 wrote to memory of 1140	1788	utqih.exe	9
PID 1788 wrote to memory of 1140	1788	utqih.exe	9
PID 1788 wrote to memory of 1180	1788	utqih.exe	18
PID 1788 wrote to memory of 1180	1788	utqih.exe	18
PID 1788 wrote to memory of 1180	1788	utqih.exe	18
PID 1788 wrote to memory of 1180	1788	utqih.exe	18
PID 1788 wrote to memory of 1180	1788	utqih.exe	18
PID 1788 wrote to memory of 1244	1788	utqih.exe	17
PID 1788 wrote to memory of 1244	1788	utqih.exe	17
PID 1788 wrote to memory of 1244	1788	utqih.exe	17
PID 1788 wrote to memory of 1244	1788	utqih.exe	17
PID 1788 wrote to memory of 1244	1788	utqih.exe	17
PID 1788 wrote to memory of 1492	1788	utqih.exe	28
PID 1788 wrote to memory of 1492	1788	utqih.exe	28
PID 1788 wrote to memory of 1492	1788	utqih.exe	28
PID 1788 wrote to memory of 1492	1788	utqih.exe	28
PID 1788 wrote to memory of 1492	1788	utqih.exe	28
PID 1788 wrote to memory of 1840	1788	utqih.exe	31
PID 1788 wrote to memory of 1840	1788	utqih.exe	31
PID 1788 wrote to memory of 1840	1788	utqih.exe	31
PID 1788 wrote to memory of 1840	1788	utqih.exe	31
PID 1788 wrote to memory of 1840	1788	utqih.exe	31
PID 1492 wrote to memory of 1840	1492	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	31
PID 1492 wrote to memory of 1840	1492	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	31
PID 1492 wrote to memory of 1840	1492	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	31
PID 1492 wrote to memory of 1840	1492	dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe	31
PID 1788 wrote to memory of 1456	1788	utqih.exe	32
PID 1788 wrote to memory of 1456	1788	utqih.exe	32
PID 1788 wrote to memory of 1456	1788	utqih.exe	32
PID 1788 wrote to memory of 1456	1788	utqih.exe	32
PID 1788 wrote to memory of 1456	1788	utqih.exe	32

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe
"C:\Users\Admin\AppData\Local\Temp\dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe
  "C:\Users\Admin\AppData\Local\Temp\dc431a309748f028a092c85a0d287e6daa6aeb509a6e364007810c5c8831a0c2.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Users\Admin\AppData\Roaming\Mofyyd\utqih.exe
    "C:\Users\Admin\AppData\Roaming\Mofyyd\utqih.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Users\Admin\AppData\Roaming\Mofyyd\utqih.exe
      "C:\Users\Admin\AppData\Roaming\Mofyyd\utqih.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp481f6d8b.bat"
    3⤵
    - Deletes itself
    PID:1840

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "678023872-2112284086-649031255-228629989557026661190053746-704530034-1646644192"
1⤵
PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp481f6d8b.bat

Filesize
307B

MD5
6385c62cdf42764350b4c5b57a3f1459

SHA1
4bdbe6f8a21b8fcf152c92255af68899eed240ab

SHA256
5cdb381813f968b53c2ce877880634f76d9030a383120586273c72bb8ad80c0c

SHA512
62feb22102b9ec68ceed70517d576d83f44dc41292bdaa354a862b7f03c9ab45a827e328a1cb0a1e7fcfeccf2bda5bae255b4f097c6aab2090a82da40716ae34

Download Submit
C:\Users\Admin\AppData\Roaming\Mofyyd\utqih.exe

Filesize
324KB

MD5
a938a0c5beec2de703576a2a1d918309

SHA1
dbc3750a6c625edb4e7a6cef6d1d0e97b0c048bd

SHA256
a7fbd5cd1633e057a2e5563f58630f93dd18e9a26433277b3cbe111f174cd1a1

SHA512
f7d9565d1ee656a6ef9e873757636958507589fe115a7fb84f577f2c08e26ec8cd50830bcef164a245f26b4f5dd026c168eae04082a71bb4018d318c8dd1b2bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mofyyd\utqih.exe

Filesize
324KB

MD5
a938a0c5beec2de703576a2a1d918309

SHA1
dbc3750a6c625edb4e7a6cef6d1d0e97b0c048bd

SHA256
a7fbd5cd1633e057a2e5563f58630f93dd18e9a26433277b3cbe111f174cd1a1

SHA512
f7d9565d1ee656a6ef9e873757636958507589fe115a7fb84f577f2c08e26ec8cd50830bcef164a245f26b4f5dd026c168eae04082a71bb4018d318c8dd1b2bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mofyyd\utqih.exe

Filesize
324KB

MD5
a938a0c5beec2de703576a2a1d918309

SHA1
dbc3750a6c625edb4e7a6cef6d1d0e97b0c048bd

SHA256
a7fbd5cd1633e057a2e5563f58630f93dd18e9a26433277b3cbe111f174cd1a1

SHA512
f7d9565d1ee656a6ef9e873757636958507589fe115a7fb84f577f2c08e26ec8cd50830bcef164a245f26b4f5dd026c168eae04082a71bb4018d318c8dd1b2bb

Download Submit
\Users\Admin\AppData\Roaming\Mofyyd\utqih.exe

Filesize
324KB

MD5
a938a0c5beec2de703576a2a1d918309

SHA1
dbc3750a6c625edb4e7a6cef6d1d0e97b0c048bd

SHA256
a7fbd5cd1633e057a2e5563f58630f93dd18e9a26433277b3cbe111f174cd1a1

SHA512
f7d9565d1ee656a6ef9e873757636958507589fe115a7fb84f577f2c08e26ec8cd50830bcef164a245f26b4f5dd026c168eae04082a71bb4018d318c8dd1b2bb

Download Submit
\Users\Admin\AppData\Roaming\Mofyyd\utqih.exe

Filesize
324KB

MD5
a938a0c5beec2de703576a2a1d918309

SHA1
dbc3750a6c625edb4e7a6cef6d1d0e97b0c048bd

SHA256
a7fbd5cd1633e057a2e5563f58630f93dd18e9a26433277b3cbe111f174cd1a1

SHA512
f7d9565d1ee656a6ef9e873757636958507589fe115a7fb84f577f2c08e26ec8cd50830bcef164a245f26b4f5dd026c168eae04082a71bb4018d318c8dd1b2bb

Download Submit
memory/1140-88-0x0000000001D50000-0x0000000001D9C000-memory.dmp

Filesize
304KB

Download
memory/1140-91-0x0000000001D50000-0x0000000001D9C000-memory.dmp

Filesize
304KB

Download
memory/1140-90-0x0000000001D50000-0x0000000001D9C000-memory.dmp

Filesize
304KB

Download
memory/1140-89-0x0000000001D50000-0x0000000001D9C000-memory.dmp

Filesize
304KB

Download
memory/1180-97-0x0000000001B30000-0x0000000001B7C000-memory.dmp

Filesize
304KB

Download
memory/1180-94-0x0000000001B30000-0x0000000001B7C000-memory.dmp

Filesize
304KB

Download
memory/1180-96-0x0000000001B30000-0x0000000001B7C000-memory.dmp

Filesize
304KB

Download
memory/1180-95-0x0000000001B30000-0x0000000001B7C000-memory.dmp

Filesize
304KB

Download
memory/1244-101-0x0000000002B50000-0x0000000002B9C000-memory.dmp

Filesize
304KB

Download
memory/1244-100-0x0000000002B50000-0x0000000002B9C000-memory.dmp

Filesize
304KB

Download
memory/1244-103-0x0000000002B50000-0x0000000002B9C000-memory.dmp

Filesize
304KB

Download
memory/1244-102-0x0000000002B50000-0x0000000002B9C000-memory.dmp

Filesize
304KB

Download
memory/1368-72-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1368-84-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1456-128-0x00000000000C0000-0x000000000010C000-memory.dmp

Filesize
304KB

Download
memory/1492-69-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1492-109-0x0000000001F30000-0x0000000001F7C000-memory.dmp

Filesize
304KB

Download
memory/1492-71-0x0000000001F30000-0x0000000001F89000-memory.dmp

Filesize
356KB

Download
memory/1492-70-0x0000000001F30000-0x0000000001F89000-memory.dmp

Filesize
356KB

Download
memory/1492-55-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1492-54-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1492-64-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1492-60-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1492-58-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1492-106-0x0000000001F30000-0x0000000001F7C000-memory.dmp

Filesize
304KB

Download
memory/1492-107-0x0000000001F30000-0x0000000001F7C000-memory.dmp

Filesize
304KB

Download
memory/1492-108-0x0000000001F30000-0x0000000001F7C000-memory.dmp

Filesize
304KB

Download
memory/1492-57-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1492-122-0x0000000001F30000-0x0000000001F7C000-memory.dmp

Filesize
304KB

Download
memory/1492-111-0x0000000001F30000-0x0000000001F89000-memory.dmp

Filesize
356KB

Download
memory/1492-112-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1492-120-0x0000000001F30000-0x0000000001F89000-memory.dmp

Filesize
356KB

Download
memory/1496-63-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1788-119-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1788-110-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1840-116-0x00000000000C0000-0x000000000010C000-memory.dmp

Filesize
304KB

Download
memory/1840-117-0x00000000000C0000-0x000000000010C000-memory.dmp

Filesize
304KB

Download
memory/1840-118-0x00000000000C0000-0x000000000010C000-memory.dmp

Filesize
304KB

Download
memory/1840-115-0x00000000000C0000-0x000000000010C000-memory.dmp

Filesize
304KB

Download