Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:03

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 5f94b6301d49cbae4a3903baa511586a.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: 5f94b6301d49cbae4a3903baa511586a.exe
  Resource: win10v20201028
General
- Target: 5f94b6301d49cbae4a3903baa511586a.exe
- Size: 92KB
- MD5: 5f94b6301d49cbae4a3903baa511586a
- SHA1: 58e9c38396b81303c0ad5e5ddf7815c5f2387345
- SHA256: 9ce39afed2b1b439d074bcda9791a603e32054133fb4928c58f4504af4cda576
- SHA512: 6d92fad5bec13a758416fe5bfa30352245ab407ae20602b5b39c0d34c31a7c086a0ee6cca56852d86c1ac0c02b537d09387768931c864cd3f23ac71f9a35e264
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1700  hardrecl.exe
- Checks QEMU agent state file (2 TTPs, 4 IoCs)
  Checks state file used by QEMU agent, possibly to detect virtualization.
  Processes (description, ioc, process):
    File opened (read-only)  C:\ProgramData\qemu-ga\qga.state  5f94b6301d49cbae4a3903baa511586a.exe
    File opened (read-only)  C:\ProgramData\qemu-ga\qga.state  5f94b6301d49cbae4a3903baa511586a.exe
    File opened (read-only)  C:\ProgramData\qemu-ga\qga.state  hardrecl.exe
    File opened (read-only)  C:\ProgramData\qemu-ga\qga.state  hardrecl.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
    908   5f94b6301d49cbae4a3903baa511586a.exe
    908   5f94b6301d49cbae4a3903baa511586a.exe
    1700  hardrecl.exe
    1532  hardrecl.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  5f94b6301d49cbae4a3903baa511586a.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Unaspir7 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Inddr\\hardrecl.vbs"  5f94b6301d49cbae4a3903baa511586a.exe
    Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  hardrecl.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Unaspir7 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Inddr\\hardrecl.vbs"  hardrecl.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes (pid, process):
    536   5f94b6301d49cbae4a3903baa511586a.exe
    908   5f94b6301d49cbae4a3903baa511586a.exe
    1700  hardrecl.exe
    1532  hardrecl.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
    PID 536 set thread context of 908    536   5f94b6301d49cbae4a3903baa511586a.exe  5f94b6301d49cbae4a3903baa511586a.exe
    PID 1700 set thread context of 1532  1700  hardrecl.exe  hardrecl.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
    536   5f94b6301d49cbae4a3903baa511586a.exe
    1700  hardrecl.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    536   5f94b6301d49cbae4a3903baa511586a.exe
    1700  hardrecl.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description, pid, process, target process):
    PID 536 wrote to memory of 908    536   5f94b6301d49cbae4a3903baa511586a.exe  5f94b6301d49cbae4a3903baa511586a.exe  (5 identical entries)
    PID 908 wrote to memory of 1700   908   5f94b6301d49cbae4a3903baa511586a.exe  hardrecl.exe  (4 identical entries)
    PID 1700 wrote to memory of 1532  1700  hardrecl.exe  hardrecl.exe  (5 identical entries)
Processes (tree, depth 1 to 4)
- C:\Users\Admin\AppData\Local\Temp\5f94b6301d49cbae4a3903baa511586a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f94b6301d49cbae4a3903baa511586a.exe"
  - Checks QEMU agent state file
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5f94b6301d49cbae4a3903baa511586a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5f94b6301d49cbae4a3903baa511586a.exe"
    - Checks QEMU agent state file
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Inddr\hardrecl.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Inddr\hardrecl.exe"
      - Executes dropped EXE
      - Checks QEMU agent state file
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\Inddr\hardrecl.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Inddr\hardrecl.exe"
        - Checks QEMU agent state file
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Inddr\hardrecl.exe
  MD5: 5f94b6301d49cbae4a3903baa511586a
  SHA1: 58e9c38396b81303c0ad5e5ddf7815c5f2387345
  SHA256: 9ce39afed2b1b439d074bcda9791a603e32054133fb4928c58f4504af4cda576
  SHA512: 6d92fad5bec13a758416fe5bfa30352245ab407ae20602b5b39c0d34c31a7c086a0ee6cca56852d86c1ac0c02b537d09387768931c864cd3f23ac71f9a35e264
- \Users\Admin\AppData\Local\Temp\Inddr\hardrecl.exe
  MD5: 5f94b6301d49cbae4a3903baa511586a
  SHA1: 58e9c38396b81303c0ad5e5ddf7815c5f2387345
  SHA256: 9ce39afed2b1b439d074bcda9791a603e32054133fb4928c58f4504af4cda576
  SHA512: 6d92fad5bec13a758416fe5bfa30352245ab407ae20602b5b39c0d34c31a7c086a0ee6cca56852d86c1ac0c02b537d09387768931c864cd3f23ac71f9a35e264
- memory/556-13-0x000007FEF72E0000-0x000007FEF755A000-memory.dmp
  Filesize: 2.5MB
- memory/908-2-0x000000000040148C-mapping.dmp
- memory/1532-11-0x000000000040148C-mapping.dmp
- memory/1700-5-0x0000000000000000-mapping.dmp