aabed1d94478998313a2febdd907b0e8db9b6b77a37756832c24a0bd3d2dfc0b

Analysis

max time kernel
139s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f0c7324453038e6938111bec98ec3dc.exe
Size

237KB
MD5

0f0c7324453038e6938111bec98ec3dc
SHA1

859024670ac5a0ce2cdb0870c784f1dafb1f8ce3
SHA256

aabed1d94478998313a2febdd907b0e8db9b6b77a37756832c24a0bd3d2dfc0b
SHA512

9389bb41992b3c0f60c3aa606e507b99e75aec87114c07e7953ebc03837a40753ad24707ccabda8bc57870ffabe8acfe90f0caebfcbd9697835a56d50d783e42
SSDEEP

3072:4gT4yixFw1ZzaQtXfecw3OX8TOto3JeNNpMWh7enP+taqy3UV9TC3dpDftXZ0C:qKPzaQt2TRBZeNMe7enGzy3Vfbh5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2844	phqghum.exe
2584	phqghum.exe
2148	phqghum.exe
1960	phqghum.exe
1872	phqghum.exe
1376	phqghum.exe
2096	phqghum.exe
2068	phqghum.exe
2400	phqghum.exe
868	phqghum.exe

Loads dropped DLL 20 IoCs

pid	Process
1984	0f0c7324453038e6938111bec98ec3dc.exe
1984	0f0c7324453038e6938111bec98ec3dc.exe
2844	phqghum.exe
2844	phqghum.exe
2584	phqghum.exe
2584	phqghum.exe
2148	phqghum.exe
2148	phqghum.exe
1960	phqghum.exe
1960	phqghum.exe
1872	phqghum.exe
1872	phqghum.exe
1376	phqghum.exe
1376	phqghum.exe
2096	phqghum.exe
2096	phqghum.exe
2068	phqghum.exe
2068	phqghum.exe
2400	phqghum.exe
2400	phqghum.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	0f0c7324453038e6938111bec98ec3dc.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	0f0c7324453038e6938111bec98ec3dc.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2844	1984	0f0c7324453038e6938111bec98ec3dc.exe	28
PID 1984 wrote to memory of 2844	1984	0f0c7324453038e6938111bec98ec3dc.exe	28
PID 1984 wrote to memory of 2844	1984	0f0c7324453038e6938111bec98ec3dc.exe	28
PID 1984 wrote to memory of 2844	1984	0f0c7324453038e6938111bec98ec3dc.exe	28
PID 2844 wrote to memory of 2584	2844	phqghum.exe	29
PID 2844 wrote to memory of 2584	2844	phqghum.exe	29
PID 2844 wrote to memory of 2584	2844	phqghum.exe	29
PID 2844 wrote to memory of 2584	2844	phqghum.exe	29
PID 2584 wrote to memory of 2148	2584	phqghum.exe	30
PID 2584 wrote to memory of 2148	2584	phqghum.exe	30
PID 2584 wrote to memory of 2148	2584	phqghum.exe	30
PID 2584 wrote to memory of 2148	2584	phqghum.exe	30
PID 2148 wrote to memory of 1960	2148	phqghum.exe	33
PID 2148 wrote to memory of 1960	2148	phqghum.exe	33
PID 2148 wrote to memory of 1960	2148	phqghum.exe	33
PID 2148 wrote to memory of 1960	2148	phqghum.exe	33
PID 1960 wrote to memory of 1872	1960	phqghum.exe	34
PID 1960 wrote to memory of 1872	1960	phqghum.exe	34
PID 1960 wrote to memory of 1872	1960	phqghum.exe	34
PID 1960 wrote to memory of 1872	1960	phqghum.exe	34
PID 1872 wrote to memory of 1376	1872	phqghum.exe	35
PID 1872 wrote to memory of 1376	1872	phqghum.exe	35
PID 1872 wrote to memory of 1376	1872	phqghum.exe	35
PID 1872 wrote to memory of 1376	1872	phqghum.exe	35
PID 1376 wrote to memory of 2096	1376	phqghum.exe	36
PID 1376 wrote to memory of 2096	1376	phqghum.exe	36
PID 1376 wrote to memory of 2096	1376	phqghum.exe	36
PID 1376 wrote to memory of 2096	1376	phqghum.exe	36
PID 2096 wrote to memory of 2068	2096	phqghum.exe	37
PID 2096 wrote to memory of 2068	2096	phqghum.exe	37
PID 2096 wrote to memory of 2068	2096	phqghum.exe	37
PID 2096 wrote to memory of 2068	2096	phqghum.exe	37
PID 2068 wrote to memory of 2400	2068	phqghum.exe	38
PID 2068 wrote to memory of 2400	2068	phqghum.exe	38
PID 2068 wrote to memory of 2400	2068	phqghum.exe	38
PID 2068 wrote to memory of 2400	2068	phqghum.exe	38
PID 2400 wrote to memory of 868	2400	phqghum.exe	39
PID 2400 wrote to memory of 868	2400	phqghum.exe	39
PID 2400 wrote to memory of 868	2400	phqghum.exe	39
PID 2400 wrote to memory of 868	2400	phqghum.exe	39

C:\Users\Admin\AppData\Local\Temp\0f0c7324453038e6938111bec98ec3dc.exe
"C:\Users\Admin\AppData\Local\Temp\0f0c7324453038e6938111bec98ec3dc.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\phqghum.exe
  C:\Windows\system32\phqghum.exe 584 "C:\Users\Admin\AppData\Local\Temp\0f0c7324453038e6938111bec98ec3dc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\phqghum.exe
    C:\Windows\system32\phqghum.exe 536 "C:\Windows\SysWOW64\phqghum.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\phqghum.exe
      C:\Windows\system32\phqghum.exe 524 "C:\Windows\SysWOW64\phqghum.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\SysWOW64\phqghum.exe
        
        C:\Windows\system32\phqghum.exe 528 "C:\Windows\SysWOW64\phqghum.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Windows\SysWOW64\phqghum.exe
        
        C:\Windows\system32\phqghum.exe 540 "C:\Windows\SysWOW64\phqghum.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\phqghum.exe
        
        C:\Windows\system32\phqghum.exe 544 "C:\Windows\SysWOW64\phqghum.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\phqghum.exe
        
        C:\Windows\system32\phqghum.exe 560 "C:\Windows\SysWOW64\phqghum.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\phqghum.exe
        
        C:\Windows\system32\phqghum.exe 548 "C:\Windows\SysWOW64\phqghum.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\phqghum.exe
        
        C:\Windows\system32\phqghum.exe 564 "C:\Windows\SysWOW64\phqghum.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\phqghum.exe
        
        C:\Windows\system32\phqghum.exe 568 "C:\Windows\SysWOW64\phqghum.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\phqghum.exe

Filesize
190KB

MD5
cb7d7c9c566b6e7fef9042e5fa9591ee

SHA1
9e8517f787447be6d88569bed93701a4c2ec26ac

SHA256
20adaa10aba8579df2014fd044f1ad60a7a59b9d2cc7c16b9760db2f64a80d52

SHA512
c2986bb370825dd0768d603d2c25477d5a8c235f91a9f155657ceae8189e77bd14699b4e7d62a014c7b6d611fb03d566d668600d5f174ffed099ea7c54f4e413

Download Submit
\Windows\SysWOW64\phqghum.exe

Filesize
12KB

MD5
013e61abc525bf15e138ae260c1fa330

SHA1
b6a73c882cc361ce756bbad58bef5cd278a1ecfd

SHA256
7bb96916140719eae0628368d27a73be456950346a17369d863b1b957da51af7

SHA512
54971499549011ac969c84a4603cd5154433ceab52c85f466e34945ac0d38d0798bdcc8fec6f3ca01e40afabd85985ed1b82b0fe9eaa68199b11c64deb6b179f

Download Submit
memory/1984-11-0x00000000764D0000-0x00000000765C0000-memory.dmp

Filesize
960KB

Download
memory/1984-37-0x00000000748E0000-0x00000000748E9000-memory.dmp

Filesize
36KB

Download
memory/1984-1-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1984-9-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1984-8-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1984-7-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1984-6-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1984-5-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1984-10-0x00000000764D0000-0x00000000765C0000-memory.dmp

Filesize
960KB

Download
memory/1984-12-0x0000000074650000-0x000000007469F000-memory.dmp

Filesize
316KB

Download
memory/1984-13-0x0000000074910000-0x000000007491C000-memory.dmp

Filesize
48KB

Download
memory/1984-15-0x00000000762B0000-0x00000000762B6000-memory.dmp

Filesize
24KB

Download
memory/1984-14-0x00000000746C0000-0x00000000746C7000-memory.dmp

Filesize
28KB

Download
memory/1984-3-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1984-2-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1984-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1984-36-0x00000000748A0000-0x00000000748A8000-memory.dmp

Filesize
32KB

Download
memory/1984-38-0x00000000764D0000-0x00000000765C0000-memory.dmp

Filesize
960KB

Download
memory/1984-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1984-41-0x00000000762B0000-0x00000000762B6000-memory.dmp

Filesize
24KB

Download
memory/1984-40-0x00000000746C0000-0x00000000746C7000-memory.dmp

Filesize
28KB

Download
memory/1984-39-0x0000000074650000-0x000000007469F000-memory.dmp

Filesize
316KB

Download
memory/1984-35-0x0000000074640000-0x0000000074649000-memory.dmp

Filesize
36KB

Download
memory/1984-34-0x0000000074620000-0x0000000074639000-memory.dmp

Filesize
100KB

Download
memory/1984-33-0x0000000074610000-0x000000007461F000-memory.dmp

Filesize
60KB

Download
memory/1984-32-0x00000000746A0000-0x00000000746B1000-memory.dmp

Filesize
68KB

Download
memory/1984-31-0x0000000074430000-0x0000000074442000-memory.dmp

Filesize
72KB

Download
memory/1984-30-0x00000000742D0000-0x00000000742F1000-memory.dmp

Filesize
132KB

Download
memory/1984-29-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download
memory/1984-28-0x0000000074340000-0x0000000074353000-memory.dmp

Filesize
76KB

Download
memory/1984-4-0x000000007EF50000-0x000000007EFAC000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads