563221da661e5ee5abc6ed955efb72e21b7c3563a14ece313ee4ff546c92eb3e

General

Target

858455321bd8c12c19b69f6835ed69f0.exe
Size

209KB
MD5

858455321bd8c12c19b69f6835ed69f0
SHA1

b0fc0075745d9f03e79b6e8fb7b7b4401b927d78
SHA256

563221da661e5ee5abc6ed955efb72e21b7c3563a14ece313ee4ff546c92eb3e
SHA512

02cc26669af34b636696b6e9fa4de97579f581e43a1b458ae3cb8754d6de260c311190b71aa390888658f12ca8974175e5f5e4e8f4bd56c35fe198677bee6193
SSDEEP

3072:PABKe7+p5XBAbF8ZQ/QEnRu5k4m5VZobn8PC4999PAD5LcAFpNnxdMQxgS+gTre5:uVTfo7g9jP6pOQxgSKVq+rL

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2684 netsh.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2576 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

oqudere.exeoqudere.exe

pid process

2716 oqudere.exe
2668 oqudere.exe
Loads dropped DLL 3 IoCs

Processes:

858455321bd8c12c19b69f6835ed69f0.exeoqudere.exe

pid process

2824 858455321bd8c12c19b69f6835ed69f0.exe
2824 858455321bd8c12c19b69f6835ed69f0.exe
2716 oqudere.exe

pid	process
2684	netsh.exe

pid	process
2576	cmd.exe

pid	process
2716	oqudere.exe
2668	oqudere.exe

pid	process
2824	858455321bd8c12c19b69f6835ed69f0.exe
2824	858455321bd8c12c19b69f6835ed69f0.exe
2716	oqudere.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

858455321bd8c12c19b69f6835ed69f0.exeoqudere.exe

description	pid	process	target process
PID 2508 set thread context of 2824	2508	858455321bd8c12c19b69f6835ed69f0.exe	858455321bd8c12c19b69f6835ed69f0.exe
PID 2716 set thread context of 2668	2716	oqudere.exe	oqudere.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

858455321bd8c12c19b69f6835ed69f0.exe

description pid process

Token: SeSecurityPrivilege 2824 858455321bd8c12c19b69f6835ed69f0.exe

description	pid	process
Token: SeSecurityPrivilege	2824	858455321bd8c12c19b69f6835ed69f0.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

858455321bd8c12c19b69f6835ed69f0.exe858455321bd8c12c19b69f6835ed69f0.execmd.exeoqudere.exe

description	pid	process	target process
PID 2508 wrote to memory of 2824	2508	858455321bd8c12c19b69f6835ed69f0.exe	858455321bd8c12c19b69f6835ed69f0.exe
PID 2508 wrote to memory of 2824	2508	858455321bd8c12c19b69f6835ed69f0.exe	858455321bd8c12c19b69f6835ed69f0.exe
PID 2508 wrote to memory of 2824	2508	858455321bd8c12c19b69f6835ed69f0.exe	858455321bd8c12c19b69f6835ed69f0.exe
PID 2508 wrote to memory of 2824	2508	858455321bd8c12c19b69f6835ed69f0.exe	858455321bd8c12c19b69f6835ed69f0.exe
PID 2508 wrote to memory of 2824	2508	858455321bd8c12c19b69f6835ed69f0.exe	858455321bd8c12c19b69f6835ed69f0.exe
PID 2508 wrote to memory of 2824	2508	858455321bd8c12c19b69f6835ed69f0.exe	858455321bd8c12c19b69f6835ed69f0.exe
PID 2508 wrote to memory of 2824	2508	858455321bd8c12c19b69f6835ed69f0.exe	858455321bd8c12c19b69f6835ed69f0.exe
PID 2508 wrote to memory of 2824	2508	858455321bd8c12c19b69f6835ed69f0.exe	858455321bd8c12c19b69f6835ed69f0.exe
PID 2508 wrote to memory of 2824	2508	858455321bd8c12c19b69f6835ed69f0.exe	858455321bd8c12c19b69f6835ed69f0.exe
PID 2824 wrote to memory of 2816	2824	858455321bd8c12c19b69f6835ed69f0.exe	cmd.exe
PID 2824 wrote to memory of 2816	2824	858455321bd8c12c19b69f6835ed69f0.exe	cmd.exe
PID 2824 wrote to memory of 2816	2824	858455321bd8c12c19b69f6835ed69f0.exe	cmd.exe
PID 2824 wrote to memory of 2816	2824	858455321bd8c12c19b69f6835ed69f0.exe	cmd.exe
PID 2824 wrote to memory of 2716	2824	858455321bd8c12c19b69f6835ed69f0.exe	oqudere.exe
PID 2824 wrote to memory of 2716	2824	858455321bd8c12c19b69f6835ed69f0.exe	oqudere.exe
PID 2824 wrote to memory of 2716	2824	858455321bd8c12c19b69f6835ed69f0.exe	oqudere.exe
PID 2824 wrote to memory of 2716	2824	858455321bd8c12c19b69f6835ed69f0.exe	oqudere.exe
PID 2816 wrote to memory of 2684	2816	cmd.exe	netsh.exe
PID 2816 wrote to memory of 2684	2816	cmd.exe	netsh.exe
PID 2816 wrote to memory of 2684	2816	cmd.exe	netsh.exe
PID 2816 wrote to memory of 2684	2816	cmd.exe	netsh.exe
PID 2716 wrote to memory of 2668	2716	oqudere.exe	oqudere.exe
PID 2716 wrote to memory of 2668	2716	oqudere.exe	oqudere.exe
PID 2716 wrote to memory of 2668	2716	oqudere.exe	oqudere.exe
PID 2716 wrote to memory of 2668	2716	oqudere.exe	oqudere.exe
PID 2716 wrote to memory of 2668	2716	oqudere.exe	oqudere.exe
PID 2716 wrote to memory of 2668	2716	oqudere.exe	oqudere.exe
PID 2716 wrote to memory of 2668	2716	oqudere.exe	oqudere.exe
PID 2716 wrote to memory of 2668	2716	oqudere.exe	oqudere.exe
PID 2716 wrote to memory of 2668	2716	oqudere.exe	oqudere.exe
PID 2824 wrote to memory of 2576	2824	858455321bd8c12c19b69f6835ed69f0.exe	cmd.exe
PID 2824 wrote to memory of 2576	2824	858455321bd8c12c19b69f6835ed69f0.exe	cmd.exe
PID 2824 wrote to memory of 2576	2824	858455321bd8c12c19b69f6835ed69f0.exe	cmd.exe
PID 2824 wrote to memory of 2576	2824	858455321bd8c12c19b69f6835ed69f0.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\858455321bd8c12c19b69f6835ed69f0.exe
"C:\Users\Admin\AppData\Local\Temp\858455321bd8c12c19b69f6835ed69f0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2508

C:\Users\Admin\AppData\Local\Temp\858455321bd8c12c19b69f6835ed69f0.exe
"C:\Users\Admin\AppData\Local\Temp\858455321bd8c12c19b69f6835ed69f0.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp285b5b67.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Kaemfie\oqudere.exe"
4⤵
- Modifies Windows Firewall
PID:2684

C:\Users\Admin\AppData\Roaming\Kaemfie\oqudere.exe
"C:\Users\Admin\AppData\Roaming\Kaemfie\oqudere.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Roaming\Kaemfie\oqudere.exe
"C:\Users\Admin\AppData\Roaming\Kaemfie\oqudere.exe"
4⤵
- Executes dropped EXE
PID:2668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpa5042027.bat"
3⤵
- Deletes itself
PID:2576

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp285b5b67.bat
Filesize
204B

MD5
101081765e31ef3eaf3eb0b968868834

SHA1
20d14211b7151e1bdf2f045fca5b1a4df5facbeb

SHA256
228abfa4eea13d4275119438236d045851d0822411cf7bb71cea947aff2b9214

SHA512
95bb0158a6580d3862d2dd499b3903013ab4a785540a4bccee26e7c6f52ae34c368aba4269561618596f29cd57c0c0d748657e8b64acbba5581e49063bde555a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpa5042027.bat
Filesize
243B

MD5
4303cd3c81a0d2ee78d99af5dc7dc366

SHA1
b636348972e36ed23c8c37c8ceb78589e05e5216

SHA256
2eb8e5a0371e7553f354331a2f6a12783b67dbbfe840b15b83b16d4c9f66a1af

SHA512
81cf89b1019d6fcce554f48070d0dc9baef3280f29e7c51347e6157541cab45e813bcd3b0d7e1eed3849c513c18fb1569471f152ff180823351c84d473c0f2cc

Download Submit
\Users\Admin\AppData\Roaming\Kaemfie\oqudere.exe
Filesize
209KB

MD5
8d879585321ef92cf4b7cbb076538e18

SHA1
216ff4baee71dea5565c6c6f841b327a87b2b842

SHA256
e21ae47999a870c90285e1609e0479527fe4f991047a6c96ca5869a31df2768e

SHA512
33923a60f543b2f3e6bc9227894d41beb702a015ff14cbe314d05bd7d6c8ad04e557f1587532e7a83730a21eb22818aaa5b93f00f270fb1de912e2cd6baf0769

Download Submit
memory/2508-1-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2508-0-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/2716-32-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2716-31-0x0000000000220000-0x0000000000228000-memory.dmp

Filesize
32KB

Download
memory/2824-6-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2824-14-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2824-15-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2824-17-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2824-18-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2824-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2824-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2824-8-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2824-4-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2824-46-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2824-2-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing