ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5

Analysis

max time kernel
151s
max time network
150s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe
Size

307KB
MD5

a0d21b621ec55a796199188c1538d757
SHA1

fb40f64ea2ecf8656bf3336b8709fc1edebd2bce
SHA256

ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5
SHA512

c56b7849cc1349d7f4b15537fb3ab1d7f8e8d73dc1725f6ee75e94e4c77bd3e3887898ca8b2849abd841bfe9f8672d709e691c85faa5585aadd0255556a195fc
SSDEEP

6144:36kg9aRhVpgTNX9MZTgQBzzl/NcuFT6sDBF0LqOGe/03WS7SAOA:3GqUTNX9MRBzzl/Ncu0sWqOFOWUOA

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1548	qoku.exe

Deletes itself 1 IoCs

pid	Process
1364	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1552	ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe
1552	ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qoku = "C:\\Users\\Admin\\AppData\\Roaming\\Hyuv\\qoku.exe"	qoku.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	qoku.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1552 set thread context of 1364	1552	ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe	27

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe
1548	qoku.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1548	1552	ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe	26
PID 1552 wrote to memory of 1548	1552	ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe	26
PID 1552 wrote to memory of 1548	1552	ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe	26
PID 1552 wrote to memory of 1548	1552	ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe	26
PID 1548 wrote to memory of 1132	1548	qoku.exe	9
PID 1548 wrote to memory of 1132	1548	qoku.exe	9
PID 1548 wrote to memory of 1132	1548	qoku.exe	9
PID 1548 wrote to memory of 1132	1548	qoku.exe	9
PID 1548 wrote to memory of 1132	1548	qoku.exe	9
PID 1548 wrote to memory of 1188	1548	qoku.exe	15
PID 1548 wrote to memory of 1188	1548	qoku.exe	15
PID 1548 wrote to memory of 1188	1548	qoku.exe	15
PID 1548 wrote to memory of 1188	1548	qoku.exe	15
PID 1548 wrote to memory of 1188	1548	qoku.exe	15
PID 1548 wrote to memory of 1220	1548	qoku.exe	14
PID 1548 wrote to memory of 1220	1548	qoku.exe	14
PID 1548 wrote to memory of 1220	1548	qoku.exe	14
PID 1548 wrote to memory of 1220	1548	qoku.exe	14
PID 1548 wrote to memory of 1220	1548	qoku.exe	14
PID 1548 wrote to memory of 1552	1548	qoku.exe	25
PID 1548 wrote to memory of 1552	1548	qoku.exe	25
PID 1548 wrote to memory of 1552	1548	qoku.exe	25
PID 1548 wrote to memory of 1552	1548	qoku.exe	25
PID 1548 wrote to memory of 1552	1548	qoku.exe	25
PID 1552 wrote to memory of 1364	1552	ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe	27
PID 1552 wrote to memory of 1364	1552	ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe	27
PID 1552 wrote to memory of 1364	1552	ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe	27
PID 1552 wrote to memory of 1364	1552	ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe	27
PID 1552 wrote to memory of 1364	1552	ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe	27
PID 1552 wrote to memory of 1364	1552	ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe	27
PID 1552 wrote to memory of 1364	1552	ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe	27
PID 1552 wrote to memory of 1364	1552	ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe	27
PID 1552 wrote to memory of 1364	1552	ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe	27

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe
  "C:\Users\Admin\AppData\Local\Temp\ea0a8c5fa91a055f6a8056ef6a97717ef1feec1af6f4e07889ac92c8675cc1e5.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Users\Admin\AppData\Roaming\Hyuv\qoku.exe
    "C:\Users\Admin\AppData\Roaming\Hyuv\qoku.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\WTL8D4A.bat"
    3⤵
    - Deletes itself
    PID:1364

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WTL8D4A.bat

Filesize
303B

MD5
c753db5178d02bdfe23cd92c0dc36a42

SHA1
5fc4166da2411ca45aec9ad61ddac1a71ccbb3ed

SHA256
c1f5f1f4aa3a3868a31d2a574a517b29a6bb54e1ab78efeec90123864a662996

SHA512
679ee9a13d868269c0a5f643fb906189f69057761e9df2ddd3d1d4b2c0c75a06617264aa0e9be0b737504c8e4dab7f757c5df50da84f0112641bc16e2c500f38

Download Submit
C:\Users\Admin\AppData\Roaming\Hyuv\qoku.exe

Filesize
307KB

MD5
41d425068e4511ecde0cef7e3005f674

SHA1
adb68aee63fc1be597fef9bb01107bea6488170f

SHA256
66e76e1a10ea4cc2155f80b9699a38bd6d6843ffb15b97015e54ff60eb805935

SHA512
67320cf63fc258b2de3c8fe2003edb26986b71ba0883d730bf5dbd79351907af956d83a5c04883919fadbb29074f4851b27e2fd3e53ee71c8f420479d6c2de46

Download Submit
C:\Users\Admin\AppData\Roaming\Hyuv\qoku.exe

Filesize
307KB

MD5
41d425068e4511ecde0cef7e3005f674

SHA1
adb68aee63fc1be597fef9bb01107bea6488170f

SHA256
66e76e1a10ea4cc2155f80b9699a38bd6d6843ffb15b97015e54ff60eb805935

SHA512
67320cf63fc258b2de3c8fe2003edb26986b71ba0883d730bf5dbd79351907af956d83a5c04883919fadbb29074f4851b27e2fd3e53ee71c8f420479d6c2de46

Download Submit
\Users\Admin\AppData\Roaming\Hyuv\qoku.exe

Filesize
307KB

MD5
41d425068e4511ecde0cef7e3005f674

SHA1
adb68aee63fc1be597fef9bb01107bea6488170f

SHA256
66e76e1a10ea4cc2155f80b9699a38bd6d6843ffb15b97015e54ff60eb805935

SHA512
67320cf63fc258b2de3c8fe2003edb26986b71ba0883d730bf5dbd79351907af956d83a5c04883919fadbb29074f4851b27e2fd3e53ee71c8f420479d6c2de46

Download Submit
\Users\Admin\AppData\Roaming\Hyuv\qoku.exe

Filesize
307KB

MD5
41d425068e4511ecde0cef7e3005f674

SHA1
adb68aee63fc1be597fef9bb01107bea6488170f

SHA256
66e76e1a10ea4cc2155f80b9699a38bd6d6843ffb15b97015e54ff60eb805935

SHA512
67320cf63fc258b2de3c8fe2003edb26986b71ba0883d730bf5dbd79351907af956d83a5c04883919fadbb29074f4851b27e2fd3e53ee71c8f420479d6c2de46

Download Submit
memory/1132-65-0x0000000001F00000-0x0000000001F49000-memory.dmp

Filesize
292KB

Download
memory/1132-67-0x0000000001F00000-0x0000000001F49000-memory.dmp

Filesize
292KB

Download
memory/1132-68-0x0000000001F00000-0x0000000001F49000-memory.dmp

Filesize
292KB

Download
memory/1132-69-0x0000000001F00000-0x0000000001F49000-memory.dmp

Filesize
292KB

Download
memory/1132-70-0x0000000001F00000-0x0000000001F49000-memory.dmp

Filesize
292KB

Download
memory/1188-73-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1188-74-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1188-75-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1188-76-0x0000000001DE0000-0x0000000001E29000-memory.dmp

Filesize
292KB

Download
memory/1220-81-0x0000000002AA0000-0x0000000002AE9000-memory.dmp

Filesize
292KB

Download
memory/1220-82-0x0000000002AA0000-0x0000000002AE9000-memory.dmp

Filesize
292KB

Download
memory/1220-80-0x0000000002AA0000-0x0000000002AE9000-memory.dmp

Filesize
292KB

Download
memory/1220-79-0x0000000002AA0000-0x0000000002AE9000-memory.dmp

Filesize
292KB

Download
memory/1364-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1364-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1364-114-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1364-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1364-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1364-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1364-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1364-98-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1364-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1364-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1364-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1364-103-0x0000000000083B6A-mapping.dmp

Download
memory/1364-102-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1548-59-0x0000000000000000-mapping.dmp

Download
memory/1552-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-95-0x0000000000560000-0x00000000005AE000-memory.dmp

Filesize
312KB

Download
memory/1552-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-104-0x0000000000560000-0x00000000005A9000-memory.dmp

Filesize
292KB

Download
memory/1552-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-54-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1552-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1552-88-0x0000000000560000-0x00000000005A9000-memory.dmp

Filesize
292KB

Download
memory/1552-87-0x0000000000560000-0x00000000005A9000-memory.dmp

Filesize
292KB

Download
memory/1552-86-0x0000000000560000-0x00000000005A9000-memory.dmp

Filesize
292KB

Download
memory/1552-85-0x0000000000560000-0x00000000005A9000-memory.dmp

Filesize
292KB

Download
memory/1552-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1552-56-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download