Analysis
max time kernel: 153s
max time network: 156s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 02/10/2022, 00:22

Static task: static1

Behavioral task: behavioral1
Sample: 4c67f91419e0992e5cf87c611dc98b1c9ba10971fba21cc058cd1befa2dd81e8.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 4c67f91419e0992e5cf87c611dc98b1c9ba10971fba21cc058cd1befa2dd81e8.exe
Resource: win10v2004-20220812-en

General
Target: 4c67f91419e0992e5cf87c611dc98b1c9ba10971fba21cc058cd1befa2dd81e8.exe
Size: 88KB
MD5: 7220d95dabe9e2b5af97c88ca90ee12f
SHA1: 3ae0aef2725c5f870d555bd9c32ede89bfb8167c
SHA256: 4c67f91419e0992e5cf87c611dc98b1c9ba10971fba21cc058cd1befa2dd81e8
SHA512: 709037713a200c62c831a686737d8d6a3c85d9412d4125849e1a01abbbe8aeb7d2e73f82894436c30d333912db12e8dcb7a8f07c46a9c7fc250c0c8e3984b4aa
SSDEEP: 1536:t8TwkNvC5DBrlFEJ71b2gYmHVwrESp3GV4VE:6TjU5biJ71bBu3G
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 4c67f91419e0992e5cf87c611dc98b1c9ba10971fba21cc058cd1befa2dd81e8.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qanof.exe
Executes dropped EXE 1 IoCs
pid | Process
272 | qanof.exe
Loads dropped DLL 2 IoCs
pid | Process
1280 | 4c67f91419e0992e5cf87c611dc98b1c9ba10971fba21cc058cd1befa2dd81e8.exe
1280 | 4c67f91419e0992e5cf87c611dc98b1c9ba10971fba21cc058cd1befa2dd81e8.exe
Adds Run key to start application 2 TTPs 58 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1280 | 4c67f91419e0992e5cf87c611dc98b1c9ba10971fba21cc058cd1befa2dd81e8.exe
272 | qanof.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
272 | qanof.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1280 | 4c67f91419e0992e5cf87c611dc98b1c9ba10971fba21cc058cd1befa2dd81e8.exe
272 | qanof.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 1280 wrote to memory of 272 | 1280 | 4c67f91419e0992e5cf87c611dc98b1c9ba10971fba21cc058cd1befa2dd81e8.exe | 28
PID 1280 wrote to memory of 272 | 1280 | 4c67f91419e0992e5cf87c611dc98b1c9ba10971fba21cc058cd1befa2dd81e8.exe | 28
PID 1280 wrote to memory of 272 | 1280 | 4c67f91419e0992e5cf87c611dc98b1c9ba10971fba21cc058cd1befa2dd81e8.exe | 28
PID 1280 wrote to memory of 272 | 1280 | 4c67f91419e0992e5cf87c611dc98b1c9ba10971fba21cc058cd1befa2dd81e8.exe | 28
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\4c67f91419e0992e5cf87c611dc98b1c9ba10971fba21cc058cd1befa2dd81e8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\4c67f91419e0992e5cf87c611dc98b1c9ba10971fba21cc058cd1befa2dd81e8.exe"
- Modifies visibility of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1280

  Level 2 (child of PID 1280): C:\Users\Admin\qanof.exe
  Command line: "C:\Users\Admin\qanof.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID: 272
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 88KB
MD5: b7692b1c4d1c781b0492647ba40900ae
SHA1: 38ffe100a9c6ced7cbb00e6832b7bb5194347d6a
SHA256: 1b30810714b62506f65e37eedca23839b6f2191f9800613cb8a0377eeadc062b
SHA512: d30f39212ca9211c638a4a0f88b64d8aedec80f9358139008e0c3a02f9f39ba38a32871bba4550a782bd0d6de9de8d247eea7e1a385473529b96c18069f985c9