9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0

General

Target

9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe
Size

3.6MB
MD5

1afe0d7e3bff80348c32e8e83b71a610
SHA1

3440a16a25f83a1a7e155acde5a68312bb75c189
SHA256

9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0
SHA512

f6428bb9b5232013304c2391d3213f3348120070e8be58f33519336545e8702e0a9f790c7e86dc0c0a552ff5e7a6856f15b6b042d4d7345ecfba4abd9f1b0389
SSDEEP

98304:KHdfYHcREzq6mPQEqp77qRsCqmlh08SbNnR2zhAmoSSH:QMzFmoE/Rbqa092zNNS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1420	temp.exe
1480	Quick login.exe
4584	Quinck login.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Quick login = "C:\\Program Files (x86)\\Quick login.exe dk=40"	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Quick login.exe	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe
File opened for modification	C:\Program Files (x86)\Quick login.exe	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe
File created	C:\Program Files (x86)\Quinck login.exe	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe
File opened for modification	C:\Program Files (x86)\Quinck login.exe	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4764	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe
4764	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe
1420	temp.exe
1420	temp.exe
4764	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe
4764	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4764	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe
4764	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe
1420	temp.exe
1420	temp.exe
1480	Quick login.exe
1480	Quick login.exe
4584	Quinck login.exe
4584	Quinck login.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 1420	4764	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe	85
PID 4764 wrote to memory of 1420	4764	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe	85
PID 4764 wrote to memory of 1420	4764	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe	85
PID 4764 wrote to memory of 1480	4764	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe	87
PID 4764 wrote to memory of 1480	4764	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe	87
PID 4764 wrote to memory of 1480	4764	9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe	87

C:\Users\Admin\AppData\Local\Temp\9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe
"C:\Users\Admin\AppData\Local\Temp\9d55401791b27f489aa2d2eaa56f47ad181f787d8621008d91f609a18e4127d0.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\temp.exe
  C:\Users\Admin\AppData\Local\Temp\temp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1420
- C:\Program Files (x86)\Quick login.exe
  "C:\Program Files (x86)\Quick login.exe" dk=40
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1480

C:\Program Files (x86)\Quinck login.exe
"C:\Program Files (x86)\Quinck login.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Quick login.exe

Filesize
1.0MB

MD5
2a96153f07f83069db283a968c80bfaf

SHA1
ced4ae04b6d778d13acf20c76543b2b11c0e41a9

SHA256
629850cd18aacd154937b4830fac6545014282bccb1cb2d448a0c7cf6a0f11e4

SHA512
61045709145add2b5fa50da7686a0f137807b4be177db807a7a6df2128069a5dea6acbe95be8a695e927693420486c80870c12cab31f95b137909d95141ed31c

Download Submit
C:\Program Files (x86)\Quick login.exe

Filesize
1.0MB

MD5
2a96153f07f83069db283a968c80bfaf

SHA1
ced4ae04b6d778d13acf20c76543b2b11c0e41a9

SHA256
629850cd18aacd154937b4830fac6545014282bccb1cb2d448a0c7cf6a0f11e4

SHA512
61045709145add2b5fa50da7686a0f137807b4be177db807a7a6df2128069a5dea6acbe95be8a695e927693420486c80870c12cab31f95b137909d95141ed31c

Download Submit
C:\Program Files (x86)\Quinck login.exe

Filesize
1.8MB

MD5
03dd252ad695e03b1c8c98bc1ea3589f

SHA1
13980a804100360d44ec2bd012e93dddffe990ac

SHA256
1c0608b8c2463f0c859861bf31a2ac0359c6b6f5d143d6a27006ca8f74d74e39

SHA512
50ed424751b00d9139630d49a858c849ad916bc802bf5ec560fc100730e1874c2ba18dc5a11790904aa2b2017d3aae5cf475617876a2ee4388778ce0f8caa58c

Download Submit
C:\Program Files (x86)\Quinck login.exe

Filesize
1.8MB

MD5
03dd252ad695e03b1c8c98bc1ea3589f

SHA1
13980a804100360d44ec2bd012e93dddffe990ac

SHA256
1c0608b8c2463f0c859861bf31a2ac0359c6b6f5d143d6a27006ca8f74d74e39

SHA512
50ed424751b00d9139630d49a858c849ad916bc802bf5ec560fc100730e1874c2ba18dc5a11790904aa2b2017d3aae5cf475617876a2ee4388778ce0f8caa58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
1.4MB

MD5
e009e8280f44aa1f2df093c8c971c7c0

SHA1
48fbc70f1c9746c6216b0f4d5dc6d009dde87fcb

SHA256
cdab2f7f4d58f0fe718b8d1c83c904839c583a15e1ceff69b86c242166b6d2aa

SHA512
3dc8925e5b03a75dc7f2e433770e04371e2ab6232ced534b71210a2c762548c269d2f3c63226cddfa2af4a2ed694d64da4e5577812847380d13eb17a5bf06258

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
1.4MB

MD5
e009e8280f44aa1f2df093c8c971c7c0

SHA1
48fbc70f1c9746c6216b0f4d5dc6d009dde87fcb

SHA256
cdab2f7f4d58f0fe718b8d1c83c904839c583a15e1ceff69b86c242166b6d2aa

SHA512
3dc8925e5b03a75dc7f2e433770e04371e2ab6232ced534b71210a2c762548c269d2f3c63226cddfa2af4a2ed694d64da4e5577812847380d13eb17a5bf06258

Download Submit
memory/1420-9-0x0000000002660000-0x000000000271B000-memory.dmp

Filesize
748KB

Download
memory/1420-10-0x0000000002660000-0x000000000271B000-memory.dmp

Filesize
748KB

Download
memory/1420-5-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/1420-6-0x0000000000800000-0x0000000000803000-memory.dmp

Filesize
12KB

Download
memory/1420-18-0x0000000002660000-0x000000000271B000-memory.dmp

Filesize
748KB

Download
memory/1420-19-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/1420-20-0x0000000002660000-0x000000000271B000-memory.dmp

Filesize
748KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads