e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e

Analysis

max time kernel
101s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe
Size

188KB
MD5

5f92d2a0b70adc54440c17e7c85c3fe1
SHA1

5b57ed2e2f8bfc4a1ab05caf77e140e4801fc361
SHA256

e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e
SHA512

70f8d0c596ad8371295eab09923bfe30b7136a2775ec429eb8fe64e9555b8f9da806502e8bd48c392ccd8df65dd472993e50c3dcabd47cca5c21f367a7d00522
SSDEEP

3072:DC2lIAIHRgD6d9QpgVZ87K02vdCfEgllBZs9kVQp7KO+RTv+fLPcf0a931kQ7:DNXager4iZL02vIM0Zs2epd+5Gsj31N

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1328	maomao.exe
268	qiuqiu.exe

Deletes itself 1 IoCs

pid	Process
1728	cmd.exe

Loads dropped DLL 9 IoCs

pid	Process
1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe
1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe
1328	maomao.exe
1328	maomao.exe
1328	maomao.exe
1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe
268	qiuqiu.exe
268	qiuqiu.exe
268	qiuqiu.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\maomao.exe	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe
File created	C:\Program Files\Common Files\qiuqi1.dll	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe
File created	C:\Program Files\Common Files\qiuqi1.bat	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32	qiuqiu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	qiuqiu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}	qiuqiu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32\ = "C:\\Program Files\\Common Files\\qiuqi1.dll"	qiuqiu.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1328	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	28
PID 1812 wrote to memory of 1328	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	28
PID 1812 wrote to memory of 1328	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	28
PID 1812 wrote to memory of 1328	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	28
PID 1812 wrote to memory of 1328	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	28
PID 1812 wrote to memory of 1328	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	28
PID 1812 wrote to memory of 1328	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	28
PID 1812 wrote to memory of 268	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	29
PID 1812 wrote to memory of 268	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	29
PID 1812 wrote to memory of 268	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	29
PID 1812 wrote to memory of 268	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	29
PID 1812 wrote to memory of 268	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	29
PID 1812 wrote to memory of 268	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	29
PID 1812 wrote to memory of 268	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	29
PID 268 wrote to memory of 1964	268	qiuqiu.exe	32
PID 268 wrote to memory of 1964	268	qiuqiu.exe	32
PID 268 wrote to memory of 1964	268	qiuqiu.exe	32
PID 268 wrote to memory of 1964	268	qiuqiu.exe	32
PID 268 wrote to memory of 1964	268	qiuqiu.exe	32
PID 268 wrote to memory of 1964	268	qiuqiu.exe	32
PID 268 wrote to memory of 1964	268	qiuqiu.exe	32
PID 1812 wrote to memory of 1728	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	31
PID 1812 wrote to memory of 1728	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	31
PID 1812 wrote to memory of 1728	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	31
PID 1812 wrote to memory of 1728	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	31
PID 1812 wrote to memory of 1728	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	31
PID 1812 wrote to memory of 1728	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	31
PID 1812 wrote to memory of 1728	1812	e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe	31

C:\Users\Admin\AppData\Local\Temp\e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe
"C:\Users\Admin\AppData\Local\Temp\e0be18a5f5855bf4a0a6b68eb677592d74a32fbddd00b7da83346fad9f6b235e.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Program Files\Common Files\maomao.exe
  "C:\Program Files\Common Files\maomao.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1328
- C:\Documents and Settings\qiuqiu.exe
  "C:\Documents and Settings\qiuqiu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del C:\DOCUME~1\qiuqiu.exe
    3⤵
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\Users\Admin\AppData\Local\Temp\E0BE18~1.EXE
  2⤵
  - Deletes itself
  PID:1728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\qiuqiu.exe

Filesize
24.0MB

MD5
04a223ce4e3e5d056b968b1ae7c6aa9d

SHA1
773b14ab542eb7138cc423c8e94e5f3e675e2d23

SHA256
8fd2b213dc0f86aaeeecdb90e828b1d66e04b91b4f6aaf6ffb086b761430ec8e

SHA512
77a17583b0a1ab403bf0c412bb71076705a5cdc619dbd264464d0cdbf406c32967c708c932b405e1281c78549436377b31c021623e67a05ac182d980cfea011d

Download Submit
C:\Program Files\Common Files\maomao.exe

Filesize
24.0MB

MD5
bda8a86d2651bdd5b2e22263c99ffd2a

SHA1
54f1299e0197b60ad42501082090954f31d8d280

SHA256
5b812d0dbb094fba32a2bdf548f23de18b1801460593c69891e07f6de8c22cca

SHA512
850a7e40ada0de1ebbcd879d28b01519e72d451a87848dd90affd33855a4b35d922b022e71a11988dc98f3ea64211f021cdb5e4ff5203a78dbdfc7178acbbd0b

Download Submit
C:\Program Files\Common Files\maomao.exe

Filesize
24.0MB

MD5
bda8a86d2651bdd5b2e22263c99ffd2a

SHA1
54f1299e0197b60ad42501082090954f31d8d280

SHA256
5b812d0dbb094fba32a2bdf548f23de18b1801460593c69891e07f6de8c22cca

SHA512
850a7e40ada0de1ebbcd879d28b01519e72d451a87848dd90affd33855a4b35d922b022e71a11988dc98f3ea64211f021cdb5e4ff5203a78dbdfc7178acbbd0b

Download Submit
C:\Users\qiuqiu.exe

Filesize
24.0MB

MD5
04a223ce4e3e5d056b968b1ae7c6aa9d

SHA1
773b14ab542eb7138cc423c8e94e5f3e675e2d23

SHA256
8fd2b213dc0f86aaeeecdb90e828b1d66e04b91b4f6aaf6ffb086b761430ec8e

SHA512
77a17583b0a1ab403bf0c412bb71076705a5cdc619dbd264464d0cdbf406c32967c708c932b405e1281c78549436377b31c021623e67a05ac182d980cfea011d

Download Submit
\Program Files\Common Files\maomao.exe

Filesize
24.0MB

MD5
bda8a86d2651bdd5b2e22263c99ffd2a

SHA1
54f1299e0197b60ad42501082090954f31d8d280

SHA256
5b812d0dbb094fba32a2bdf548f23de18b1801460593c69891e07f6de8c22cca

SHA512
850a7e40ada0de1ebbcd879d28b01519e72d451a87848dd90affd33855a4b35d922b022e71a11988dc98f3ea64211f021cdb5e4ff5203a78dbdfc7178acbbd0b

Download Submit
\Program Files\Common Files\maomao.exe

Filesize
24.0MB

MD5
bda8a86d2651bdd5b2e22263c99ffd2a

SHA1
54f1299e0197b60ad42501082090954f31d8d280

SHA256
5b812d0dbb094fba32a2bdf548f23de18b1801460593c69891e07f6de8c22cca

SHA512
850a7e40ada0de1ebbcd879d28b01519e72d451a87848dd90affd33855a4b35d922b022e71a11988dc98f3ea64211f021cdb5e4ff5203a78dbdfc7178acbbd0b

Download Submit
\Program Files\Common Files\maomao.exe

Filesize
24.0MB

MD5
bda8a86d2651bdd5b2e22263c99ffd2a

SHA1
54f1299e0197b60ad42501082090954f31d8d280

SHA256
5b812d0dbb094fba32a2bdf548f23de18b1801460593c69891e07f6de8c22cca

SHA512
850a7e40ada0de1ebbcd879d28b01519e72d451a87848dd90affd33855a4b35d922b022e71a11988dc98f3ea64211f021cdb5e4ff5203a78dbdfc7178acbbd0b

Download Submit
\Program Files\Common Files\maomao.exe

Filesize
24.0MB

MD5
bda8a86d2651bdd5b2e22263c99ffd2a

SHA1
54f1299e0197b60ad42501082090954f31d8d280

SHA256
5b812d0dbb094fba32a2bdf548f23de18b1801460593c69891e07f6de8c22cca

SHA512
850a7e40ada0de1ebbcd879d28b01519e72d451a87848dd90affd33855a4b35d922b022e71a11988dc98f3ea64211f021cdb5e4ff5203a78dbdfc7178acbbd0b

Download Submit
\Program Files\Common Files\maomao.exe

Filesize
24.0MB

MD5
bda8a86d2651bdd5b2e22263c99ffd2a

SHA1
54f1299e0197b60ad42501082090954f31d8d280

SHA256
5b812d0dbb094fba32a2bdf548f23de18b1801460593c69891e07f6de8c22cca

SHA512
850a7e40ada0de1ebbcd879d28b01519e72d451a87848dd90affd33855a4b35d922b022e71a11988dc98f3ea64211f021cdb5e4ff5203a78dbdfc7178acbbd0b

Download Submit
\Users\qiuqiu.exe

Filesize
24.0MB

MD5
04a223ce4e3e5d056b968b1ae7c6aa9d

SHA1
773b14ab542eb7138cc423c8e94e5f3e675e2d23

SHA256
8fd2b213dc0f86aaeeecdb90e828b1d66e04b91b4f6aaf6ffb086b761430ec8e

SHA512
77a17583b0a1ab403bf0c412bb71076705a5cdc619dbd264464d0cdbf406c32967c708c932b405e1281c78549436377b31c021623e67a05ac182d980cfea011d

Download Submit
\Users\qiuqiu.exe

Filesize
24.0MB

MD5
04a223ce4e3e5d056b968b1ae7c6aa9d

SHA1
773b14ab542eb7138cc423c8e94e5f3e675e2d23

SHA256
8fd2b213dc0f86aaeeecdb90e828b1d66e04b91b4f6aaf6ffb086b761430ec8e

SHA512
77a17583b0a1ab403bf0c412bb71076705a5cdc619dbd264464d0cdbf406c32967c708c932b405e1281c78549436377b31c021623e67a05ac182d980cfea011d

Download Submit
\Users\qiuqiu.exe

Filesize
24.0MB

MD5
04a223ce4e3e5d056b968b1ae7c6aa9d

SHA1
773b14ab542eb7138cc423c8e94e5f3e675e2d23

SHA256
8fd2b213dc0f86aaeeecdb90e828b1d66e04b91b4f6aaf6ffb086b761430ec8e

SHA512
77a17583b0a1ab403bf0c412bb71076705a5cdc619dbd264464d0cdbf406c32967c708c932b405e1281c78549436377b31c021623e67a05ac182d980cfea011d

Download Submit
\Users\qiuqiu.exe

Filesize
24.0MB

MD5
04a223ce4e3e5d056b968b1ae7c6aa9d

SHA1
773b14ab542eb7138cc423c8e94e5f3e675e2d23

SHA256
8fd2b213dc0f86aaeeecdb90e828b1d66e04b91b4f6aaf6ffb086b761430ec8e

SHA512
77a17583b0a1ab403bf0c412bb71076705a5cdc619dbd264464d0cdbf406c32967c708c932b405e1281c78549436377b31c021623e67a05ac182d980cfea011d

Download Submit
memory/268-85-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/268-87-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1328-75-0x0000000000020000-0x000000000002B000-memory.dmp

Filesize
44KB

Download
memory/1328-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1812-58-0x00000000008B0000-0x00000000008F9000-memory.dmp

Filesize
292KB

Download
memory/1812-56-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1812-59-0x00000000008B0000-0x00000000008F9000-memory.dmp

Filesize
292KB

Download
memory/1812-70-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/1812-54-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1812-83-0x00000000003E0000-0x00000000003E6000-memory.dmp

Filesize
24KB

Download
memory/1812-57-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1812-73-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/1812-55-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/1812-89-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1812-90-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/1812-60-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/1812-61-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1812-62-0x00000000008B0000-0x00000000008F9000-memory.dmp

Filesize
292KB

Download