aabed1d94478998313a2febdd907b0e8db9b6b77a37756832c24a0bd3d2dfc0b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f0c7324453038e6938111bec98ec3dc.exe
Size

237KB
MD5

0f0c7324453038e6938111bec98ec3dc
SHA1

859024670ac5a0ce2cdb0870c784f1dafb1f8ce3
SHA256

aabed1d94478998313a2febdd907b0e8db9b6b77a37756832c24a0bd3d2dfc0b
SHA512

9389bb41992b3c0f60c3aa606e507b99e75aec87114c07e7953ebc03837a40753ad24707ccabda8bc57870ffabe8acfe90f0caebfcbd9697835a56d50d783e42
SSDEEP

3072:4gT4yixFw1ZzaQtXfecw3OX8TOto3JeNNpMWh7enP+taqy3UV9TC3dpDftXZ0C:qKPzaQt2TRBZeNMe7enGzy3Vfbh5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
116	phqghum.exe
2052	phqghum.exe
4356	phqghum.exe
4348	phqghum.exe
1228	phqghum.exe
2776	phqghum.exe
2944	phqghum.exe
4644	phqghum.exe
1708	phqghum.exe
4788	phqghum.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	0f0c7324453038e6938111bec98ec3dc.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File created	C:\Windows\SysWOW64\phqghum.exe	0f0c7324453038e6938111bec98ec3dc.exe
File created	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe
File opened for modification	C:\Windows\SysWOW64\phqghum.exe	phqghum.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 116	1756	0f0c7324453038e6938111bec98ec3dc.exe	92
PID 1756 wrote to memory of 116	1756	0f0c7324453038e6938111bec98ec3dc.exe	92
PID 1756 wrote to memory of 116	1756	0f0c7324453038e6938111bec98ec3dc.exe	92
PID 116 wrote to memory of 2052	116	phqghum.exe	101
PID 116 wrote to memory of 2052	116	phqghum.exe	101
PID 116 wrote to memory of 2052	116	phqghum.exe	101
PID 2052 wrote to memory of 4356	2052	phqghum.exe	103
PID 2052 wrote to memory of 4356	2052	phqghum.exe	103
PID 2052 wrote to memory of 4356	2052	phqghum.exe	103
PID 4356 wrote to memory of 4348	4356	phqghum.exe	105
PID 4356 wrote to memory of 4348	4356	phqghum.exe	105
PID 4356 wrote to memory of 4348	4356	phqghum.exe	105
PID 4348 wrote to memory of 1228	4348	phqghum.exe	107
PID 4348 wrote to memory of 1228	4348	phqghum.exe	107
PID 4348 wrote to memory of 1228	4348	phqghum.exe	107
PID 1228 wrote to memory of 2776	1228	phqghum.exe	109
PID 1228 wrote to memory of 2776	1228	phqghum.exe	109
PID 1228 wrote to memory of 2776	1228	phqghum.exe	109
PID 2776 wrote to memory of 2944	2776	phqghum.exe	110
PID 2776 wrote to memory of 2944	2776	phqghum.exe	110
PID 2776 wrote to memory of 2944	2776	phqghum.exe	110
PID 2944 wrote to memory of 4644	2944	phqghum.exe	113
PID 2944 wrote to memory of 4644	2944	phqghum.exe	113
PID 2944 wrote to memory of 4644	2944	phqghum.exe	113
PID 4644 wrote to memory of 1708	4644	phqghum.exe	116
PID 4644 wrote to memory of 1708	4644	phqghum.exe	116
PID 4644 wrote to memory of 1708	4644	phqghum.exe	116
PID 1708 wrote to memory of 4788	1708	phqghum.exe	117
PID 1708 wrote to memory of 4788	1708	phqghum.exe	117
PID 1708 wrote to memory of 4788	1708	phqghum.exe	117

C:\Users\Admin\AppData\Local\Temp\0f0c7324453038e6938111bec98ec3dc.exe
"C:\Users\Admin\AppData\Local\Temp\0f0c7324453038e6938111bec98ec3dc.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\phqghum.exe
  C:\Windows\system32\phqghum.exe 1220 "C:\Users\Admin\AppData\Local\Temp\0f0c7324453038e6938111bec98ec3dc.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\SysWOW64\phqghum.exe
    C:\Windows\system32\phqghum.exe 1160 "C:\Windows\SysWOW64\phqghum.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\SysWOW64\phqghum.exe
      C:\Windows\system32\phqghum.exe 1136 "C:\Windows\SysWOW64\phqghum.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\SysWOW64\phqghum.exe
        
        C:\Windows\system32\phqghum.exe 1144 "C:\Windows\SysWOW64\phqghum.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Windows\SysWOW64\phqghum.exe
        
        C:\Windows\system32\phqghum.exe 1140 "C:\Windows\SysWOW64\phqghum.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\phqghum.exe
        
        C:\Windows\system32\phqghum.exe 1132 "C:\Windows\SysWOW64\phqghum.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\phqghum.exe
        
        C:\Windows\system32\phqghum.exe 1152 "C:\Windows\SysWOW64\phqghum.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\phqghum.exe
        
        C:\Windows\system32\phqghum.exe 1156 "C:\Windows\SysWOW64\phqghum.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\phqghum.exe
        
        C:\Windows\system32\phqghum.exe 1164 "C:\Windows\SysWOW64\phqghum.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\phqghum.exe
        
        C:\Windows\system32\phqghum.exe 1148 "C:\Windows\SysWOW64\phqghum.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\phqghum.exe

Filesize
190KB

MD5
cb7d7c9c566b6e7fef9042e5fa9591ee

SHA1
9e8517f787447be6d88569bed93701a4c2ec26ac

SHA256
20adaa10aba8579df2014fd044f1ad60a7a59b9d2cc7c16b9760db2f64a80d52

SHA512
c2986bb370825dd0768d603d2c25477d5a8c235f91a9f155657ceae8189e77bd14699b4e7d62a014c7b6d611fb03d566d668600d5f174ffed099ea7c54f4e413

Download Submit
memory/1756-8-0x000000007FDF0000-0x000000007FE4C000-memory.dmp

Filesize
368KB

Download
memory/1756-12-0x000000007FDF0000-0x000000007FE4C000-memory.dmp

Filesize
368KB

Download
memory/1756-3-0x000000007FDF0000-0x000000007FE4C000-memory.dmp

Filesize
368KB

Download
memory/1756-4-0x000000007FDF0000-0x000000007FE4C000-memory.dmp

Filesize
368KB

Download
memory/1756-5-0x000000007FDF0000-0x000000007FE4C000-memory.dmp

Filesize
368KB

Download
memory/1756-6-0x000000007FDF0000-0x000000007FE4C000-memory.dmp

Filesize
368KB

Download
memory/1756-1-0x000000007FDF0000-0x000000007FE4C000-memory.dmp

Filesize
368KB

Download
memory/1756-9-0x000000007FDF0000-0x000000007FE4C000-memory.dmp

Filesize
368KB

Download
memory/1756-7-0x000000007FDF0000-0x000000007FE4C000-memory.dmp

Filesize
368KB

Download
memory/1756-10-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1756-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1756-11-0x000000007FDF0000-0x000000007FE4C000-memory.dmp

Filesize
368KB

Download
memory/1756-21-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1756-19-0x000000007FDF0000-0x000000007FE4C000-memory.dmp

Filesize
368KB

Download
memory/1756-2-0x000000007FDF0000-0x000000007FE4C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads