Analysis
Max time kernel: 150s
Max time network: 152s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 21-01-2021 06:20
Static task: static1
Behavioral task: behavioral1
  Sample: Qyyfrnva_Signed_.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Qyyfrnva_Signed_.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Qyyfrnva_Signed_.exe
Size: 652KB
MD5: 8f4286a5ec8f3abfb5d4c892f66c7cca
SHA1: 3d83c34257b964adae2cba6029a7d4e5b6e2ceaf
SHA256: 6f212246be3ab7db2cede2e87d8d465261ca8f44a86c7ca90cb8238bafed887f
SHA512: 3df4484b9319aed2a9d936347d28495d37da42a7a105570aa0787ce86efdc0ea82310aa480fc2c4ce3373b8b88a008bd60d6f7ad40d90b4ca62f7e6654173bfd
Score: 10/10
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: Qyyfrnva_Signed_.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qyyfr = "C:\\Users\\Admin\\rfyyQ.url"
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: ieinstal.exe (PID 3136)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Process: Qyyfrnva_Signed_.exe (PID 3928) wrote to memory of target process ieinstal.exe (PID 3136); 15 identical entries recorded
Processes
1. C:\Users\Admin\AppData\Local\Temp\Qyyfrnva_Signed_.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Qyyfrnva_Signed_.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\internet explorer\ieinstal.exe (child of process 1)
      Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3136-4-0x0000000000AF0000-0x0000000000AF1000-memory.dmp (filesize 4KB)
- memory/3136-5-0x0000000000000000-mapping.dmp
- memory/3136-6-0x0000000000BB0000-0x0000000000BB1000-memory.dmp (filesize 4KB)
- memory/3136-8-0x0000000000C10000-0x0000000000C11000-memory.dmp (filesize 4KB)
- memory/3136-12-0x0000000010540000-0x0000000010564000-memory.dmp (filesize 144KB)
- memory/3136-14-0x0000000000400000-0x0000000000422000-memory.dmp (filesize 136KB)
- memory/3928-2-0x0000000000640000-0x0000000000641000-memory.dmp (filesize 4KB)