a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de

Analysis

max time kernel
166s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe
Size

188KB
MD5

12b53492b77d464758c1a43716f4afec
SHA1

c1ab7517da54b1cfccbe1f046aae26bd2b48ae3f
SHA256

a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de
SHA512

09d36804362f8b4e79bc7ed0fba8775e599c10119e76bd9fdc5b0519dd8ab414f0002ac36e73de02c0449259a49dc825d6c7184eb56d242f712593efc26e3528
SSDEEP

3072:Qv/bAZgD6dxWH6SFVQCNzE4CfEgl1D7tV8hzBPMCeLPPmPAfONl:yTkge2DQSE7MONShzBPMC/A8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1752	maomao.exe
1332	qiuqiu.exe

Deletes itself 1 IoCs

pid	Process
804	cmd.exe

Loads dropped DLL 9 IoCs

pid	Process
1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe
1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe
1752	maomao.exe
1752	maomao.exe
1752	maomao.exe
1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe
1332	qiuqiu.exe
1332	qiuqiu.exe
1332	qiuqiu.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\qiuqi1.bat	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe
File created	C:\Program Files\Common Files\maomao.exe	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe
File created	C:\Program Files\Common Files\qiuqi1.dll	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	qiuqiu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}	qiuqiu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32\ = "C:\\Program Files\\Common Files\\qiuqi1.dll"	qiuqiu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32	qiuqiu.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 1752	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	28
PID 1188 wrote to memory of 1752	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	28
PID 1188 wrote to memory of 1752	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	28
PID 1188 wrote to memory of 1752	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	28
PID 1188 wrote to memory of 1752	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	28
PID 1188 wrote to memory of 1752	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	28
PID 1188 wrote to memory of 1752	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	28
PID 1188 wrote to memory of 1332	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	29
PID 1188 wrote to memory of 1332	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	29
PID 1188 wrote to memory of 1332	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	29
PID 1188 wrote to memory of 1332	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	29
PID 1188 wrote to memory of 1332	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	29
PID 1188 wrote to memory of 1332	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	29
PID 1188 wrote to memory of 1332	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	29
PID 1332 wrote to memory of 1964	1332	qiuqiu.exe	30
PID 1332 wrote to memory of 1964	1332	qiuqiu.exe	30
PID 1332 wrote to memory of 1964	1332	qiuqiu.exe	30
PID 1332 wrote to memory of 1964	1332	qiuqiu.exe	30
PID 1332 wrote to memory of 1964	1332	qiuqiu.exe	30
PID 1332 wrote to memory of 1964	1332	qiuqiu.exe	30
PID 1332 wrote to memory of 1964	1332	qiuqiu.exe	30
PID 1188 wrote to memory of 804	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	32
PID 1188 wrote to memory of 804	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	32
PID 1188 wrote to memory of 804	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	32
PID 1188 wrote to memory of 804	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	32
PID 1188 wrote to memory of 804	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	32
PID 1188 wrote to memory of 804	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	32
PID 1188 wrote to memory of 804	1188	a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe	32

C:\Users\Admin\AppData\Local\Temp\a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe
"C:\Users\Admin\AppData\Local\Temp\a5f1956df89154c0427a72e8472dabe2ef425890fb0f18165a106b7239fd61de.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Program Files\Common Files\maomao.exe
  "C:\Program Files\Common Files\maomao.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1752
- C:\Documents and Settings\qiuqiu.exe
  "C:\Documents and Settings\qiuqiu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del C:\DOCUME~1\qiuqiu.exe
    3⤵
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del C:\Users\Admin\AppData\Local\Temp\A5F195~1.EXE
  2⤵
  - Deletes itself
  PID:804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\qiuqiu.exe

Filesize
24.0MB

MD5
75a7353d599309d04fff8fb3be583d17

SHA1
12ff91ee05763672f16873170df40330c062576a

SHA256
5f38c20e7c3658a4df0439bfeb08d84c09d8b755a0cac1e887e703d42779ab9d

SHA512
f41fa00ce8d3e8e7f59b63787c40e2b2c24f80d2d715027ce87519a5b04543e6c94ef371414c8629cf9e4a4de0d338a20bdd5602117e9228d5fcba06a761b3f8

Download Submit
C:\Program Files\Common Files\maomao.exe

Filesize
24.0MB

MD5
9dbef8bd2c658c86664ff00f1b763c6e

SHA1
74fcd3436768f2dcd0abdb148695c6c3a88c015d

SHA256
d8617a571bae89c48cf8c4e8804894446b99b484c55865ddf6e44ccc379839f0

SHA512
3100c9de36424a26c17b0887ad65f65bf9eadd4492d3f8779fa0e878d04b87e30c97ab8ef324b7b147556b1bb05507c73a74074da99a34738ab162b067803c05

Download Submit
C:\Program Files\Common Files\maomao.exe

Filesize
24.0MB

MD5
9dbef8bd2c658c86664ff00f1b763c6e

SHA1
74fcd3436768f2dcd0abdb148695c6c3a88c015d

SHA256
d8617a571bae89c48cf8c4e8804894446b99b484c55865ddf6e44ccc379839f0

SHA512
3100c9de36424a26c17b0887ad65f65bf9eadd4492d3f8779fa0e878d04b87e30c97ab8ef324b7b147556b1bb05507c73a74074da99a34738ab162b067803c05

Download Submit
C:\Users\qiuqiu.exe

Filesize
24.0MB

MD5
75a7353d599309d04fff8fb3be583d17

SHA1
12ff91ee05763672f16873170df40330c062576a

SHA256
5f38c20e7c3658a4df0439bfeb08d84c09d8b755a0cac1e887e703d42779ab9d

SHA512
f41fa00ce8d3e8e7f59b63787c40e2b2c24f80d2d715027ce87519a5b04543e6c94ef371414c8629cf9e4a4de0d338a20bdd5602117e9228d5fcba06a761b3f8

Download Submit
\Program Files\Common Files\maomao.exe

Filesize
24.0MB

MD5
9dbef8bd2c658c86664ff00f1b763c6e

SHA1
74fcd3436768f2dcd0abdb148695c6c3a88c015d

SHA256
d8617a571bae89c48cf8c4e8804894446b99b484c55865ddf6e44ccc379839f0

SHA512
3100c9de36424a26c17b0887ad65f65bf9eadd4492d3f8779fa0e878d04b87e30c97ab8ef324b7b147556b1bb05507c73a74074da99a34738ab162b067803c05

Download Submit
\Program Files\Common Files\maomao.exe

Filesize
24.0MB

MD5
9dbef8bd2c658c86664ff00f1b763c6e

SHA1
74fcd3436768f2dcd0abdb148695c6c3a88c015d

SHA256
d8617a571bae89c48cf8c4e8804894446b99b484c55865ddf6e44ccc379839f0

SHA512
3100c9de36424a26c17b0887ad65f65bf9eadd4492d3f8779fa0e878d04b87e30c97ab8ef324b7b147556b1bb05507c73a74074da99a34738ab162b067803c05

Download Submit
\Program Files\Common Files\maomao.exe

Filesize
24.0MB

MD5
9dbef8bd2c658c86664ff00f1b763c6e

SHA1
74fcd3436768f2dcd0abdb148695c6c3a88c015d

SHA256
d8617a571bae89c48cf8c4e8804894446b99b484c55865ddf6e44ccc379839f0

SHA512
3100c9de36424a26c17b0887ad65f65bf9eadd4492d3f8779fa0e878d04b87e30c97ab8ef324b7b147556b1bb05507c73a74074da99a34738ab162b067803c05

Download Submit
\Program Files\Common Files\maomao.exe

Filesize
24.0MB

MD5
9dbef8bd2c658c86664ff00f1b763c6e

SHA1
74fcd3436768f2dcd0abdb148695c6c3a88c015d

SHA256
d8617a571bae89c48cf8c4e8804894446b99b484c55865ddf6e44ccc379839f0

SHA512
3100c9de36424a26c17b0887ad65f65bf9eadd4492d3f8779fa0e878d04b87e30c97ab8ef324b7b147556b1bb05507c73a74074da99a34738ab162b067803c05

Download Submit
\Program Files\Common Files\maomao.exe

Filesize
24.0MB

MD5
9dbef8bd2c658c86664ff00f1b763c6e

SHA1
74fcd3436768f2dcd0abdb148695c6c3a88c015d

SHA256
d8617a571bae89c48cf8c4e8804894446b99b484c55865ddf6e44ccc379839f0

SHA512
3100c9de36424a26c17b0887ad65f65bf9eadd4492d3f8779fa0e878d04b87e30c97ab8ef324b7b147556b1bb05507c73a74074da99a34738ab162b067803c05

Download Submit
\Users\qiuqiu.exe

Filesize
24.0MB

MD5
75a7353d599309d04fff8fb3be583d17

SHA1
12ff91ee05763672f16873170df40330c062576a

SHA256
5f38c20e7c3658a4df0439bfeb08d84c09d8b755a0cac1e887e703d42779ab9d

SHA512
f41fa00ce8d3e8e7f59b63787c40e2b2c24f80d2d715027ce87519a5b04543e6c94ef371414c8629cf9e4a4de0d338a20bdd5602117e9228d5fcba06a761b3f8

Download Submit
\Users\qiuqiu.exe

Filesize
24.0MB

MD5
75a7353d599309d04fff8fb3be583d17

SHA1
12ff91ee05763672f16873170df40330c062576a

SHA256
5f38c20e7c3658a4df0439bfeb08d84c09d8b755a0cac1e887e703d42779ab9d

SHA512
f41fa00ce8d3e8e7f59b63787c40e2b2c24f80d2d715027ce87519a5b04543e6c94ef371414c8629cf9e4a4de0d338a20bdd5602117e9228d5fcba06a761b3f8

Download Submit
\Users\qiuqiu.exe

Filesize
24.0MB

MD5
75a7353d599309d04fff8fb3be583d17

SHA1
12ff91ee05763672f16873170df40330c062576a

SHA256
5f38c20e7c3658a4df0439bfeb08d84c09d8b755a0cac1e887e703d42779ab9d

SHA512
f41fa00ce8d3e8e7f59b63787c40e2b2c24f80d2d715027ce87519a5b04543e6c94ef371414c8629cf9e4a4de0d338a20bdd5602117e9228d5fcba06a761b3f8

Download Submit
\Users\qiuqiu.exe

Filesize
24.0MB

MD5
75a7353d599309d04fff8fb3be583d17

SHA1
12ff91ee05763672f16873170df40330c062576a

SHA256
5f38c20e7c3658a4df0439bfeb08d84c09d8b755a0cac1e887e703d42779ab9d

SHA512
f41fa00ce8d3e8e7f59b63787c40e2b2c24f80d2d715027ce87519a5b04543e6c94ef371414c8629cf9e4a4de0d338a20bdd5602117e9228d5fcba06a761b3f8

Download Submit
memory/1188-79-0x00000000002A0000-0x00000000002A6000-memory.dmp

Filesize
24KB

Download
memory/1188-85-0x0000000000330000-0x000000000036F000-memory.dmp

Filesize
252KB

Download
memory/1188-67-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/1188-69-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/1188-57-0x0000000000330000-0x0000000000379000-memory.dmp

Filesize
292KB

Download
memory/1188-56-0x0000000000330000-0x0000000000379000-memory.dmp

Filesize
292KB

Download
memory/1188-55-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1188-54-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

Filesize
8KB

Download
memory/1188-84-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1332-81-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1332-82-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1332-80-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1752-68-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download