331a562953f7da86fb6fc344a1c27c49051105177f8ff8661058d801d8f12802

Analysis

max time kernel
138s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

988.exe
Size

2.1MB
MD5

8eadcc4d69631ce1252201d164bff08c
SHA1

364278c807838bf3d75001c72bffa9b00bb42dd6
SHA256

54334afc530f334754ec13761319c8ef536fc644fcd33e5c405ba4aedb8fd90b
SHA512

97fa9dfd9444f711a31c6d017d00151664c8e1e7bc6cc157d55bb59ae13e0d453d1475b82ce6b577b7b3ad448df989550f7594283f016877cda0c8324fd84b6a
SSDEEP

49152:TF4qX74X0XrtpUePzKtA+F3l7BPAeYKHdj/PAHD1QCizINk/Sap19W:a874X0JpUePzV+xl79AeYKHdj/PGDAIC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2056	Kuiqyse.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Kuiqyse.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Kuiqyse.exe	988.exe
File opened for modification	C:\Program Files (x86)\Kuiqyse.exe	988.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Kuiqyse.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Kuiqyse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Kuiqyse.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecisionTime = c030e75496bfda01	Kuiqyse.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\8a-b4-51-e9-59-b0	Kuiqyse.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Kuiqyse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Kuiqyse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Kuiqyse.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Kuiqyse.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-b4-51-e9-59-b0	Kuiqyse.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-b4-51-e9-59-b0\WpadDecisionReason = "1"	Kuiqyse.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-b4-51-e9-59-b0\WpadDecision = "0"	Kuiqyse.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Kuiqyse.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Kuiqyse.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Kuiqyse.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0139000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Kuiqyse.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecisionReason = "1"	Kuiqyse.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadDecision = "0"	Kuiqyse.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-b4-51-e9-59-b0\WpadDecisionTime = c030e75496bfda01	Kuiqyse.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Kuiqyse.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Kuiqyse.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Kuiqyse.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}	Kuiqyse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CB0183C-95C5-4820-ACBB-59B75CBBC8BC}\WpadNetworkName = "Network 3"	Kuiqyse.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2872	988.exe
2056	Kuiqyse.exe

C:\Users\Admin\AppData\Local\Temp\988.exe
"C:\Users\Admin\AppData\Local\Temp\988.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2872

C:\Program Files (x86)\Kuiqyse.exe
"C:\Program Files (x86)\Kuiqyse.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Kuiqyse.exe

Filesize
2.1MB

MD5
8eadcc4d69631ce1252201d164bff08c

SHA1
364278c807838bf3d75001c72bffa9b00bb42dd6

SHA256
54334afc530f334754ec13761319c8ef536fc644fcd33e5c405ba4aedb8fd90b

SHA512
97fa9dfd9444f711a31c6d017d00151664c8e1e7bc6cc157d55bb59ae13e0d453d1475b82ce6b577b7b3ad448df989550f7594283f016877cda0c8324fd84b6a

Download Submit
C:\Users\Public\Documents\pass.txt

Filesize
8B

MD5
71d864b6b132a9235400af39917131b3

SHA1
b79d02acde8be0d57bedef9bd3edeab0a5a066f3

SHA256
f4392ea35b8bafc5813b48055be473c4eceb72f11936a67a92cd9086efc2492e

SHA512
f331a1c933e016667682d3339784e57f4518305954a7e02643b4deab5ff8ded663232f38190d535457f4351d506f642cea961ea09dc3182c7917f8e483dbd0d3

Download Submit
memory/2872-2-0x0000000010000000-0x0000000010024000-memory.dmp

Filesize
144KB

Download