2da066c7abd34e9a509c2112c2321a7c5f2047117472f2114cf157db038797eb

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

096442e4444682d673cb392c62586013.exe
Size

160KB
MD5

096442e4444682d673cb392c62586013
SHA1

ddbd9a65ee61412a0e8acdda4f12655688f52ab5
SHA256

2da066c7abd34e9a509c2112c2321a7c5f2047117472f2114cf157db038797eb
SHA512

75e2df09b59b95c81bd09635cc459431c7a74d15cd1146e61cb4988a2c3af4606789938b40c8f788ca87656dda477a975ae76c31937a08106f54ce1ba48e7c36
SSDEEP

768:85XL+uSmPVfY68eIRFhoJ0h4h2hQJVNjDkp57xXp5Rmg5Fh4hqhxOhDhzhnhvhzN:8tq968nnJh4h2hON6x5puwVT0B

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2924	xhqour.exe

Loads dropped DLL 2 IoCs

pid	Process
2512	096442e4444682d673cb392c62586013.exe
2512	096442e4444682d673cb392c62586013.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /d"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /N"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /v"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /R"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /h"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /u"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /O"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /x"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /J"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /k"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /a"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /D"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /i"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /q"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /p"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /T"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /y"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /K"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /Z"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /Y"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /m"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /c"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /F"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /M"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /n"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /A"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /I"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /H"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /t"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /G"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /V"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /e"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /P"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /b"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /B"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /f"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /l"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /o"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /C"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /U"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /L"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /W"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /s"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /g"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /Q"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /X"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /j"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /w"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /E"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /z"	xhqour.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\xhqour = "C:\\Users\\Admin\\xhqour.exe /S"	xhqour.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe
2924	xhqour.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2512	096442e4444682d673cb392c62586013.exe
2924	xhqour.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2924	2512	096442e4444682d673cb392c62586013.exe	28
PID 2512 wrote to memory of 2924	2512	096442e4444682d673cb392c62586013.exe	28
PID 2512 wrote to memory of 2924	2512	096442e4444682d673cb392c62586013.exe	28
PID 2512 wrote to memory of 2924	2512	096442e4444682d673cb392c62586013.exe	28
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27
PID 2924 wrote to memory of 2512	2924	xhqour.exe	27

C:\Users\Admin\AppData\Local\Temp\096442e4444682d673cb392c62586013.exe
"C:\Users\Admin\AppData\Local\Temp\096442e4444682d673cb392c62586013.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\xhqour.exe
  "C:\Users\Admin\xhqour.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\xhqour.exe

Filesize
160KB

MD5
2b01ada32517b9be0ac3b43c8a672364

SHA1
01eedba31803d0d1bb020a8efddc8830899b0deb

SHA256
4fc029d87efceab3bab4a2e3c59370de795592bf1fb8c39a78e0184e59a371cd

SHA512
ef40170371247011310b3dc4bb8429c3abf5a5739a01e3c34ada2b970229bcb647ef0670400615c5a276ee592260dff9d1377d690e185a8adf14b956f406f609

Download Submit