Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows7_x64 -
resource
win7 -
submitted
07-08-2020 18:38
Static task
static1
Behavioral task
behavioral1
Sample
[Dev] ¿áQ Air [Õýʽ°æ]/¿áQ Air/CQA.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
[Dev] ¿áQ Air [Õýʽ°æ]/¿áQ Air/CQA.exe
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
[Dev] ¿áQ Air [Õýʽ°æ]/¿áQ Air/CQA.exe
-
Size
5.6MB
-
MD5
6aa36f386a3e645f67cd6945374b8ea8
-
SHA1
17f6d3dedfd6afe56135d3a2e7ae3a7d120151ca
-
SHA256
39599008089755aa7cccb534b2c94ccb537f266018bb67ae3ed4b9f51c0a40b9
-
SHA512
87f59bb1a8d6887fa967d811e2db70c2bfb9bf9673347c6bada2d03f1e3371fbe05e7853a063a90df71627f9ea803d83c71c89b88859199f5a28e2c05e38d706
Score
8/10
Malware Config
Signatures
-
Drops desktop.ini file(s) 1 IoCs
Processes:
CQA.exedescription ioc process File opened for modification C:\Users\Admin\Desktop\desktop.ini CQA.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
CQA.exeitunes.exepid process 1668 CQA.exe 1668 CQA.exe 1780 itunes.exe 1780 itunes.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
CQA.exeitunes.exedescription pid process Token: SeDebugPrivilege 1668 CQA.exe Token: SeDebugPrivilege 1668 CQA.exe Token: SeDebugPrivilege 1780 itunes.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
CQA.exedescription pid process target process PID 1668 wrote to memory of 1780 1668 CQA.exe itunes.exe PID 1668 wrote to memory of 1780 1668 CQA.exe itunes.exe PID 1668 wrote to memory of 1780 1668 CQA.exe itunes.exe PID 1668 wrote to memory of 1780 1668 CQA.exe itunes.exe -
Executes dropped EXE 1 IoCs
Processes:
itunes.exepid process 1780 itunes.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
CQA.exeitunes.exepid process 1668 CQA.exe 1780 itunes.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
CQA.exeitunes.exepid process 1668 CQA.exe 1780 itunes.exe -
Loads dropped DLL 2 IoCs
Processes:
CQA.exepid process 1668 CQA.exe 1668 CQA.exe -
Enumerates connected drives 3 TTPs
Processes
-
C:\Users\Admin\AppData\Local\Temp\[Dev] ¿áQ Air [Õýʽ°æ]\¿áQ Air\CQA.exe"C:\Users\Admin\AppData\Local\Temp\[Dev] ¿áQ Air [Õýʽ°æ]\¿áQ Air\CQA.exe"1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
-
C:\Users\Admin\Documents\itunes.exe"C:\Users\Admin\Documents\itunes.exe"2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses