15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd

Analysis

max time kernel
150s
max time network
50s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe
Size

3.7MB
MD5

7095a724461739b15822fd0dd49b327f
SHA1

3d98b504b552c0b86912aaaec3cb9658f8b9260e
SHA256

15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd
SHA512

1753efee3a36f8aeb6fec810433e7f07feef30774b9ba65d6c3487862f88f64fc006e12a166a306f1be1974fb1e50129587897d63b919e700c9dbf8abd1a2272

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1812	QMDesktopAnimation.exe
1808	lsass.exe
2036	lsass.exe

Loads dropped DLL 5 IoCs

pid	Process
1672	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe
1812	QMDesktopAnimation.exe
1812	QMDesktopAnimation.exe
1812	QMDesktopAnimation.exe
1812	QMDesktopAnimation.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360°²È«·þÎñ = "C:\\Users\\QMDesktopAnimation.exe"	QMDesktopAnimation.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1672	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1672	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1672	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe
1672	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe
1812	QMDesktopAnimation.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1812	1672	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe	27
PID 1672 wrote to memory of 1812	1672	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe	27
PID 1672 wrote to memory of 1812	1672	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe	27
PID 1672 wrote to memory of 1812	1672	15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe	27
PID 1812 wrote to memory of 1808	1812	QMDesktopAnimation.exe	28
PID 1812 wrote to memory of 1808	1812	QMDesktopAnimation.exe	28
PID 1812 wrote to memory of 1808	1812	QMDesktopAnimation.exe	28
PID 1812 wrote to memory of 1808	1812	QMDesktopAnimation.exe	28
PID 1812 wrote to memory of 2036	1812	QMDesktopAnimation.exe	29
PID 1812 wrote to memory of 2036	1812	QMDesktopAnimation.exe	29
PID 1812 wrote to memory of 2036	1812	QMDesktopAnimation.exe	29
PID 1812 wrote to memory of 2036	1812	QMDesktopAnimation.exe	29

C:\Users\Admin\AppData\Local\Temp\15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe
"C:\Users\Admin\AppData\Local\Temp\15b59ff79bbe290dc9da9c695017740a697f5b2f58c3aa78c04af1485a7b75dd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\QMDesktopAnimation.exe
  C:\Users\QMDesktopAnimation.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Public\lsass.exe
    C:\Users\Public\lsass.exe
    3⤵
    - Executes dropped EXE
    PID:1808
- - C:\Users\Public\lsass.exe
    C:\Users\Public\lsass.exe
    3⤵
    - Executes dropped EXE
    PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\ExceptCatch.dll

Filesize
2.2MB

MD5
be31e9cbf3aaa02fec9a6dc2fe49b8f1

SHA1
dd554ece008b8d5a9425fa7b5792033e42217484

SHA256
931bd3c45bca3a6766e67870457663ae386c04a4983b57cd10b83c1c5fddd19a

SHA512
9757bee88f27d9e5a860f3a69046e23bbfea39521c09bb59476fcf5e53eea530e04d717ebe1805a0af78c5d8e4cf0d988fe1e94c1e1c5543c89449debe070a0a

Download Submit
C:\Users\Public\lsass.exe

Filesize
1.5MB

MD5
4d223a6a4e9402cca12dfb8ac4cb470e

SHA1
5e2a470561d4a788bc53e8ebbfc208eccc98f390

SHA256
bdc9e471d303f81dbf0a62a50d86e45647505786b3cdf7a0d14a4595a4ae68e1

SHA512
091a5e194d45d02f7f156bc611c4c35ed19ab8bf0b806dcbfd2fc63f72837000fcc52e981bb7c980302cecbbca29ae941f30b7136a97c90953b94383e384dd29

Download Submit
C:\Users\Public\lsass.exe

Filesize
1.5MB

MD5
4d223a6a4e9402cca12dfb8ac4cb470e

SHA1
5e2a470561d4a788bc53e8ebbfc208eccc98f390

SHA256
bdc9e471d303f81dbf0a62a50d86e45647505786b3cdf7a0d14a4595a4ae68e1

SHA512
091a5e194d45d02f7f156bc611c4c35ed19ab8bf0b806dcbfd2fc63f72837000fcc52e981bb7c980302cecbbca29ae941f30b7136a97c90953b94383e384dd29

Download Submit
C:\Users\QMDesktopAnimation.exe

Filesize
69KB

MD5
3d924b86f8dc8215ea1dcda84c218ad7

SHA1
bff3baea1ea9f1eef642773382d6e8945fa5bf8c

SHA256
a429ee865286dc2be99cb61ac2ed8f29c148aabd7f77943e65114744bc4df98b

SHA512
bab02ad0a21b44692bf60db8600872290274b44212febae90c6cf99e09a30c516493253da52b3d80b4fe805100e90fde953b8674c4c8e11911e187dd12dbc7ff

Download Submit
\Users\ExceptCatch.dll

Filesize
2.2MB

MD5
be31e9cbf3aaa02fec9a6dc2fe49b8f1

SHA1
dd554ece008b8d5a9425fa7b5792033e42217484

SHA256
931bd3c45bca3a6766e67870457663ae386c04a4983b57cd10b83c1c5fddd19a

SHA512
9757bee88f27d9e5a860f3a69046e23bbfea39521c09bb59476fcf5e53eea530e04d717ebe1805a0af78c5d8e4cf0d988fe1e94c1e1c5543c89449debe070a0a

Download Submit
\Users\Public\lsass.exe

Filesize
1.5MB

MD5
4d223a6a4e9402cca12dfb8ac4cb470e

SHA1
5e2a470561d4a788bc53e8ebbfc208eccc98f390

SHA256
bdc9e471d303f81dbf0a62a50d86e45647505786b3cdf7a0d14a4595a4ae68e1

SHA512
091a5e194d45d02f7f156bc611c4c35ed19ab8bf0b806dcbfd2fc63f72837000fcc52e981bb7c980302cecbbca29ae941f30b7136a97c90953b94383e384dd29

Download Submit
\Users\Public\lsass.exe

Filesize
1.5MB

MD5
4d223a6a4e9402cca12dfb8ac4cb470e

SHA1
5e2a470561d4a788bc53e8ebbfc208eccc98f390

SHA256
bdc9e471d303f81dbf0a62a50d86e45647505786b3cdf7a0d14a4595a4ae68e1

SHA512
091a5e194d45d02f7f156bc611c4c35ed19ab8bf0b806dcbfd2fc63f72837000fcc52e981bb7c980302cecbbca29ae941f30b7136a97c90953b94383e384dd29

Download Submit
\Users\Public\lsass.exe

Filesize
1.5MB

MD5
4d223a6a4e9402cca12dfb8ac4cb470e

SHA1
5e2a470561d4a788bc53e8ebbfc208eccc98f390

SHA256
bdc9e471d303f81dbf0a62a50d86e45647505786b3cdf7a0d14a4595a4ae68e1

SHA512
091a5e194d45d02f7f156bc611c4c35ed19ab8bf0b806dcbfd2fc63f72837000fcc52e981bb7c980302cecbbca29ae941f30b7136a97c90953b94383e384dd29

Download Submit
\Users\QMDesktopAnimation.exe

Filesize
69KB

MD5
3d924b86f8dc8215ea1dcda84c218ad7

SHA1
bff3baea1ea9f1eef642773382d6e8945fa5bf8c

SHA256
a429ee865286dc2be99cb61ac2ed8f29c148aabd7f77943e65114744bc4df98b

SHA512
bab02ad0a21b44692bf60db8600872290274b44212febae90c6cf99e09a30c516493253da52b3d80b4fe805100e90fde953b8674c4c8e11911e187dd12dbc7ff

Download Submit
memory/1672-54-0x00000000763C1000-0x00000000763C3000-memory.dmp

Filesize
8KB

Download
memory/1672-480-0x0000000000400000-0x0000000000834000-memory.dmp

Filesize
4.2MB

Download
memory/1808-512-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-506-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-475-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-474-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-482-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-534-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-533-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-532-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-531-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-530-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-529-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-528-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-527-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-526-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-525-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-524-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-523-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-522-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-521-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-520-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-519-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-518-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-517-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-516-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-515-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-514-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-513-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-478-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-511-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-510-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-509-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-508-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-507-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-476-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-505-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-504-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-503-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-502-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-501-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-500-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-499-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-498-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-497-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-496-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-495-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-494-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-493-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-492-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-491-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-490-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-489-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-488-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-487-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-486-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-485-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-484-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-483-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-477-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-479-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-481-0x00000000022F0000-0x0000000002401000-memory.dmp

Filesize
1.1MB

Download
memory/1808-67-0x0000000077010000-0x0000000077057000-memory.dmp

Filesize
284KB

Download
memory/1812-1134-0x0000000002020000-0x000000000219C000-memory.dmp

Filesize
1.5MB

Download