Analysis
max time kernel: 148s
max time network: 152s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:03
Static task: static1
Behavioral task: behavioral1
  Sample: 5f94b6301d49cbae4a3903baa511586a.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 5f94b6301d49cbae4a3903baa511586a.exe
  Resource: win10v20201028
General
Target: 5f94b6301d49cbae4a3903baa511586a.exe
Size: 92KB
MD5: 5f94b6301d49cbae4a3903baa511586a
SHA1: 58e9c38396b81303c0ad5e5ddf7815c5f2387345
SHA256: 9ce39afed2b1b439d074bcda9791a603e32054133fb4928c58f4504af4cda576
SHA512: 6d92fad5bec13a758416fe5bfa30352245ab407ae20602b5b39c0d34c31a7c086a0ee6cca56852d86c1ac0c02b537d09387768931c864cd3f23ac71f9a35e264
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 4040  hardrecl.exe
Checks QEMU agent state file (2 TTPs, 4 IoCs)
Checks the state file used by the QEMU guest agent, possibly to detect virtualization.
  File opened (read-only)  C:\ProgramData\qemu-ga\qga.state  by hardrecl.exe
  File opened (read-only)  C:\ProgramData\qemu-ga\qga.state  by hardrecl.exe
  File opened (read-only)  C:\ProgramData\qemu-ga\qga.state  by 5f94b6301d49cbae4a3903baa511586a.exe
  File opened (read-only)  C:\ProgramData\qemu-ga\qga.state  by 5f94b6301d49cbae4a3903baa511586a.exe
Loads dropped DLL (1 IoC)
  PID 696  hardrecl.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created     \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  by 5f94b6301d49cbae4a3903baa511586a.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Unaspir7 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Inddr\\hardrecl.vbs"  by 5f94b6301d49cbae4a3903baa511586a.exe
  Key created     \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  by hardrecl.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Unaspir7 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Inddr\\hardrecl.vbs"  by hardrecl.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  (no IoCs listed)
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  PID 3980  5f94b6301d49cbae4a3903baa511586a.exe
  PID 2736  5f94b6301d49cbae4a3903baa511586a.exe
  PID 4040  hardrecl.exe
  PID 696   hardrecl.exe
Suspicious use of SetThreadContext (2 IoCs)
  PID 3980 set thread context of 2736  (5f94b6301d49cbae4a3903baa511586a.exe -> 5f94b6301d49cbae4a3903baa511586a.exe)
  PID 4040 set thread context of 696   (hardrecl.exe -> hardrecl.exe)
In both cases the target is a freshly spawned child running the same image, and the same parent also writes into that child (see WriteProcessMemory below): the shape used for process hollowing.
Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 3980  5f94b6301d49cbae4a3903baa511586a.exe
  PID 4040  hardrecl.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 3980  5f94b6301d49cbae4a3903baa511586a.exe
  PID 4040  hardrecl.exe
Suspicious use of WriteProcessMemory (11 IoCs)
  PID 3980 wrote to memory of 2736  (5f94b6301d49cbae4a3903baa511586a.exe -> 5f94b6301d49cbae4a3903baa511586a.exe)  4 records
  PID 2736 wrote to memory of 4040  (5f94b6301d49cbae4a3903baa511586a.exe -> hardrecl.exe)                           3 records
  PID 4040 wrote to memory of 696   (hardrecl.exe -> hardrecl.exe)                                                   4 records
Processes
1. C:\Users\Admin\AppData\Local\Temp\5f94b6301d49cbae4a3903baa511586a.exe  (PID 3980)
   command line: "C:\Users\Admin\AppData\Local\Temp\5f94b6301d49cbae4a3903baa511586a.exe"
   - Checks QEMU agent state file
   - Adds Run key to start application
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\5f94b6301d49cbae4a3903baa511586a.exe  (PID 2736, child of 3980)
      command line: "C:\Users\Admin\AppData\Local\Temp\5f94b6301d49cbae4a3903baa511586a.exe"
      - Checks QEMU agent state file
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Inddr\hardrecl.exe  (PID 4040, child of 2736)
         command line: "C:\Users\Admin\AppData\Local\Temp\Inddr\hardrecl.exe"
         - Executes dropped EXE
         - Checks QEMU agent state file
         - Adds Run key to start application
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of SetThreadContext
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\Inddr\hardrecl.exe  (PID 696, child of 4040)
            command line: "C:\Users\Admin\AppData\Local\Temp\Inddr\hardrecl.exe"
            - Checks QEMU agent state file
            - Loads dropped DLL
            - Suspicious use of NtSetInformationThreadHideFromDebugger
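The SetThreadContext, WriteProcessMemory and RunOnce records above are enough to recover the injection chain and the persistence entry mechanically. The following Python is an added example, not part of the sandbox report or of the sample: it parses those record lines (copied from the report into a constructed string), flags every parent/child pair where the parent both wrote into the child and reset its thread context while the child runs the same image (the process-hollowing shape), follows the WriteProcessMemory edges from the root PID to reconstruct the chain, and flags Run/RunOnce values that point into a user's Temp directory. The regular expressions and function names are the example's own.

```python
import re

# Constructed input: the SetThreadContext, WriteProcessMemory and RunOnce
# records from the report, one per line (the report's repeated
# "wrote to memory" records are collapsed to one line per pair here).
EVENTS = r"""
PID 3980 set thread context of 2736 3980 5f94b6301d49cbae4a3903baa511586a.exe 5f94b6301d49cbae4a3903baa511586a.exe
PID 4040 set thread context of 696 4040 hardrecl.exe hardrecl.exe
PID 3980 wrote to memory of 2736 3980 5f94b6301d49cbae4a3903baa511586a.exe 5f94b6301d49cbae4a3903baa511586a.exe
PID 2736 wrote to memory of 4040 2736 5f94b6301d49cbae4a3903baa511586a.exe hardrecl.exe
PID 4040 wrote to memory of 696 4040 hardrecl.exe hardrecl.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Unaspir7 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Inddr\\hardrecl.vbs" 5f94b6301d49cbae4a3903baa511586a.exe
"""

# Example-specific patterns for the two record shapes used above.
API_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
REG_RE = re.compile(
    r'^Set value \(str\) (?P<key>\S+) = "(?P<data>[^"]*)" (?P<process>\S+)$'
)


def parse_events(text):
    """Return (edges, registry_sets).

    edges maps (src_pid, dst_pid) -> {"actions": set, "src_image", "dst_image"}
    registry_sets is a list of dicts, one per 'Set value (str)' record.
    """
    edges, registry_sets = {}, []
    for line in text.strip().splitlines():
        m = API_RE.match(line)
        if m:
            key = (int(m["src"]), int(m["dst"]))
            e = edges.setdefault(key, {"actions": set(),
                                       "src_image": m["src_image"],
                                       "dst_image": m["dst_image"]})
            e["actions"].add("write" if m["action"].startswith("wrote") else "set_context")
            continue
        m = REG_RE.match(line)
        if m:
            registry_sets.append({"key": m["key"], "data": m["data"], "process": m["process"]})
    return edges, registry_sets


def hollowing_candidates(edges):
    """Pairs where the parent wrote into the child AND reset its thread context,
    and the child runs the same image as the parent."""
    out = []
    for (src, dst), e in sorted(edges.items()):
        if {"write", "set_context"} <= e["actions"] and e["src_image"] == e["dst_image"]:
            out.append((src, dst, e["src_image"]))
    return out


def injection_chain(edges):
    """Follow WriteProcessMemory edges starting at a PID nobody wrote into."""
    write_edges = [(s, d) for (s, d), e in edges.items() if "write" in e["actions"]]
    writers = {s for s, _ in write_edges}
    targets = {d for _, d in write_edges}
    roots = sorted(writers - targets)
    chain, cur = [], (roots[0] if roots else None)
    while cur is not None and cur not in chain:   # guard against cycles
        chain.append(cur)
        nxt = [d for s, d in write_edges if s == cur]
        cur = nxt[0] if nxt else None
    return chain


def suspicious_run_keys(registry_sets):
    """Run/RunOnce values whose target path lies under a user's Temp directory."""
    out = []
    for r in registry_sets:
        key_l = r["key"].lower()
        # The report quotes the value with doubled backslashes; collapse them first.
        data_l = r["data"].replace("\\\\", "\\").lower()
        if "\\currentversion\\run" in key_l and "\\appdata\\local\\temp\\" in data_l:
            out.append((r["key"].rsplit("\\", 1)[-1], r["data"], r["process"]))
    return out


if __name__ == "__main__":
    edges, regs = parse_events(EVENTS)
    for src, dst, image in hollowing_candidates(edges):
        print(f"hollowing candidate: {src} -> {dst} ({image})")
    print("injection chain:", " -> ".join(map(str, injection_chain(edges))))
    for name, data, proc in suspicious_run_keys(regs):
        print(f"persistence: RunOnce\\{name} = {data} (set by {proc})")
```

Run against the records above this reports two hollowing candidates (3980 into 2736, 4040 into 696), the chain 3980 -> 2736 -> 4040 -> 696 that matches the process tree, and the RunOnce value Unaspir7 pointing at a .vbs under the user's Temp directory. On real EDR telemetry the same-image test is the useful discriminator: a parent that writes into and re-points the entry thread of its own freshly spawned child is rarely legitimate.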
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Inddr\hardrecl.exe  (listed three times in the report; same file each time)
  MD5: 5f94b6301d49cbae4a3903baa511586a
  SHA1: 58e9c38396b81303c0ad5e5ddf7815c5f2387345
  SHA256: 9ce39afed2b1b439d074bcda9791a603e32054133fb4928c58f4504af4cda576
  SHA512: 6d92fad5bec13a758416fe5bfa30352245ab407ae20602b5b39c0d34c31a7c086a0ee6cca56852d86c1ac0c02b537d09387768931c864cd3f23ac71f9a35e264
  All four hashes match the submitted sample, so the dropped hardrecl.exe is a byte-for-byte copy of 5f94b6301d49cbae4a3903baa511586a.exe.
Memory dumps
  memory/696-8-0x000000000040148C-mapping.dmp
  memory/2736-2-0x000000000040148C-mapping.dmp
  memory/4040-3-0x0000000000000000-mapping.dmp
  PIDs 2736 and 696 are the two SetThreadContext targets; both dumps are mapped at the same address, 0x40148C.