70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d

Analysis

max time kernel
157s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe
Size

412KB
MD5

29b91a8c1b5f6ee2ee190040f9c16977
SHA1

9c74f2f45743e81ffb9d621e801cde2ec9ebb495
SHA256

70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d
SHA512

cd9c0c013339cd1098bc16f65c52a5c12652caaf2b31c9f989cc15c28c3461f8d434930d1e24044fffbe1c14637004317329d1dc1e1cfb0ee3a3de3bbbb6cc08
SSDEEP

12288:6Ev1PnyMvotKR3yDoPMVGHTsqItqaXljnnIbnI6stkArNEXS2cNgbusSMU:6EhI62NWXncNgbusSMU

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	HQqGkIT8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qoueci.exe

Executes dropped EXE 6 IoCs

pid	Process
716	HQqGkIT8.exe
2252	2tej.exe
1540	2tej.exe
2700	3tej.exe
2388	4tej.exe
2736	qoueci.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1540-145-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1540-148-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1540-149-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1540-150-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HQqGkIT8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /J"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /T"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /d"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /d"	HQqGkIT8.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /Z"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /k"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /f"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /O"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /v"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /i"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /U"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /D"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /t"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /X"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /u"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /e"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /w"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /I"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /c"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /C"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /G"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /N"	qoueci.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run\	HQqGkIT8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /B"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /Q"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /j"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /y"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /s"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /o"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /n"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /W"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /h"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /P"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /a"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /q"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /H"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /L"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /K"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /b"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /l"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /R"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /S"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /F"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /p"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /g"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /m"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /z"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /x"	qoueci.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoueci = "C:\\Users\\Admin\\qoueci.exe /E"	qoueci.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2252 set thread context of 1540	2252	2tej.exe	84
PID 2700 set thread context of 2864	2700	3tej.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1340	tasklist.exe
3068	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
716	HQqGkIT8.exe
716	HQqGkIT8.exe
1540	2tej.exe
1540	2tej.exe
2700	3tej.exe
2700	3tej.exe
1540	2tej.exe
1540	2tej.exe
716	HQqGkIT8.exe
716	HQqGkIT8.exe
1540	2tej.exe
1540	2tej.exe
2736	qoueci.exe
2736	qoueci.exe
1540	2tej.exe
1540	2tej.exe
1540	2tej.exe
1540	2tej.exe
2736	qoueci.exe
2736	qoueci.exe
2736	qoueci.exe
2736	qoueci.exe
2736	qoueci.exe
2736	qoueci.exe
1540	2tej.exe
1540	2tej.exe
2736	qoueci.exe
2736	qoueci.exe
1540	2tej.exe
1540	2tej.exe
1540	2tej.exe
1540	2tej.exe
2736	qoueci.exe
2736	qoueci.exe
2736	qoueci.exe
2736	qoueci.exe
2736	qoueci.exe
2736	qoueci.exe
1540	2tej.exe
1540	2tej.exe
1540	2tej.exe
1540	2tej.exe
2736	qoueci.exe
2736	qoueci.exe
1540	2tej.exe
1540	2tej.exe
2736	qoueci.exe
2736	qoueci.exe
1540	2tej.exe
1540	2tej.exe
1540	2tej.exe
1540	2tej.exe
2736	qoueci.exe
2736	qoueci.exe
1540	2tej.exe
1540	2tej.exe
2736	qoueci.exe
2736	qoueci.exe
1540	2tej.exe
1540	2tej.exe
2736	qoueci.exe
2736	qoueci.exe
1540	2tej.exe
1540	2tej.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	3tej.exe
Token: SeDebugPrivilege	2700	3tej.exe
Token: SeDebugPrivilege	1340	tasklist.exe
Token: SeDebugPrivilege	3068	tasklist.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4216	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe
716	HQqGkIT8.exe
2252	2tej.exe
2388	4tej.exe
2736	qoueci.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 716	4216	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe	80
PID 4216 wrote to memory of 716	4216	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe	80
PID 4216 wrote to memory of 716	4216	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe	80
PID 4216 wrote to memory of 2252	4216	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe	83
PID 4216 wrote to memory of 2252	4216	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe	83
PID 4216 wrote to memory of 2252	4216	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe	83
PID 2252 wrote to memory of 1540	2252	2tej.exe	84
PID 2252 wrote to memory of 1540	2252	2tej.exe	84
PID 2252 wrote to memory of 1540	2252	2tej.exe	84
PID 2252 wrote to memory of 1540	2252	2tej.exe	84
PID 2252 wrote to memory of 1540	2252	2tej.exe	84
PID 2252 wrote to memory of 1540	2252	2tej.exe	84
PID 2252 wrote to memory of 1540	2252	2tej.exe	84
PID 2252 wrote to memory of 1540	2252	2tej.exe	84
PID 4216 wrote to memory of 2700	4216	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe	85
PID 4216 wrote to memory of 2700	4216	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe	85
PID 4216 wrote to memory of 2700	4216	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe	85
PID 2700 wrote to memory of 2864	2700	3tej.exe	86
PID 2700 wrote to memory of 2864	2700	3tej.exe	86
PID 2700 wrote to memory of 2864	2700	3tej.exe	86
PID 2700 wrote to memory of 2864	2700	3tej.exe	86
PID 4216 wrote to memory of 2388	4216	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe	88
PID 4216 wrote to memory of 2388	4216	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe	88
PID 4216 wrote to memory of 2388	4216	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe	88
PID 716 wrote to memory of 2736	716	HQqGkIT8.exe	89
PID 716 wrote to memory of 2736	716	HQqGkIT8.exe	89
PID 716 wrote to memory of 2736	716	HQqGkIT8.exe	89
PID 716 wrote to memory of 4272	716	HQqGkIT8.exe	90
PID 716 wrote to memory of 4272	716	HQqGkIT8.exe	90
PID 716 wrote to memory of 4272	716	HQqGkIT8.exe	90
PID 4272 wrote to memory of 1340	4272	cmd.exe	92
PID 4272 wrote to memory of 1340	4272	cmd.exe	92
PID 4272 wrote to memory of 1340	4272	cmd.exe	92
PID 2736 wrote to memory of 1340	2736	qoueci.exe	92
PID 2736 wrote to memory of 1340	2736	qoueci.exe	92
PID 2736 wrote to memory of 1340	2736	qoueci.exe	92
PID 2736 wrote to memory of 1340	2736	qoueci.exe	92
PID 2736 wrote to memory of 1340	2736	qoueci.exe	92
PID 2736 wrote to memory of 1340	2736	qoueci.exe	92
PID 4216 wrote to memory of 2352	4216	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe	99
PID 4216 wrote to memory of 2352	4216	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe	99
PID 4216 wrote to memory of 2352	4216	70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe	99
PID 2352 wrote to memory of 3068	2352	cmd.exe	101
PID 2352 wrote to memory of 3068	2352	cmd.exe	101
PID 2352 wrote to memory of 3068	2352	cmd.exe	101
PID 2736 wrote to memory of 3068	2736	qoueci.exe	101
PID 2736 wrote to memory of 3068	2736	qoueci.exe	101

C:\Users\Admin\AppData\Local\Temp\70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe
"C:\Users\Admin\AppData\Local\Temp\70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\HQqGkIT8.exe
  C:\Users\Admin\HQqGkIT8.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Users\Admin\qoueci.exe
    "C:\Users\Admin\qoueci.exe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del HQqGkIT8.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1340
- C:\Users\Admin\2tej.exe
  C:\Users\Admin\2tej.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\2tej.exe
    "C:\Users\Admin\2tej.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1540
- C:\Users\Admin\3tej.exe
  C:\Users\Admin\3tej.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2864
- C:\Users\Admin\4tej.exe
  C:\Users\Admin\4tej.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c tasklist&&del 70cce7995dad0582f82b67909c816df90b8d757e58d4f078b7690c7049971b3d.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2tej.exe

Filesize
64KB

MD5
1b98630662dace204c7a75ac06ab322f

SHA1
f2ebc161d140ce66753f49bf505060216996cdd2

SHA256
88cec7cae39b32f0efa22677b747b6361d70ae8768553e57a8c6ae85b8965650

SHA512
430db374527ff2cc413fe1d2635aa0c1afe3aab3a7e8595988cc2a9816e9b0c1d7b5a9b863f77ed6ed27a718fd08bc6582a8a00b022de23209ce89a93aa524e0

Download Submit
C:\Users\Admin\2tej.exe

Filesize
64KB

MD5
1b98630662dace204c7a75ac06ab322f

SHA1
f2ebc161d140ce66753f49bf505060216996cdd2

SHA256
88cec7cae39b32f0efa22677b747b6361d70ae8768553e57a8c6ae85b8965650

SHA512
430db374527ff2cc413fe1d2635aa0c1afe3aab3a7e8595988cc2a9816e9b0c1d7b5a9b863f77ed6ed27a718fd08bc6582a8a00b022de23209ce89a93aa524e0

Download Submit
C:\Users\Admin\2tej.exe

Filesize
64KB

MD5
1b98630662dace204c7a75ac06ab322f

SHA1
f2ebc161d140ce66753f49bf505060216996cdd2

SHA256
88cec7cae39b32f0efa22677b747b6361d70ae8768553e57a8c6ae85b8965650

SHA512
430db374527ff2cc413fe1d2635aa0c1afe3aab3a7e8595988cc2a9816e9b0c1d7b5a9b863f77ed6ed27a718fd08bc6582a8a00b022de23209ce89a93aa524e0

Download Submit
C:\Users\Admin\3tej.exe

Filesize
204KB

MD5
666d8f00ccb49a2a23b174aa89c06ec2

SHA1
150f8e4aa5fbfb0df6f33a44885e46d43e789800

SHA256
c5d928569c84226a1737d057354a31e5019b464fb7093f1780e5116b486d5e5a

SHA512
0615f336b637db2041331660a98ebae4d36412c4bca64bb268f87cd20160ddf8a11eba097cd19333f1084bf81808b5e6647364cc88e87f85fa1848686881295f

Download Submit
C:\Users\Admin\3tej.exe

Filesize
204KB

MD5
666d8f00ccb49a2a23b174aa89c06ec2

SHA1
150f8e4aa5fbfb0df6f33a44885e46d43e789800

SHA256
c5d928569c84226a1737d057354a31e5019b464fb7093f1780e5116b486d5e5a

SHA512
0615f336b637db2041331660a98ebae4d36412c4bca64bb268f87cd20160ddf8a11eba097cd19333f1084bf81808b5e6647364cc88e87f85fa1848686881295f

Download Submit
C:\Users\Admin\4tej.exe

Filesize
44KB

MD5
a60c9c8d5563e0004be44141724b18c9

SHA1
b48757d94346720a169e1e13f0c58d7607040b84

SHA256
98f93a5fb1a578891416f057159de059e1a67228ac3c9e1196ff84706d594d2d

SHA512
bf26c8ec4a916e9dbbbdd881f2f598c4e2f6d560f1ccf27cd36377134c4c12c6505d0a00ab4e779a3b8b44021c2ec85658440b4e44d713fda86b6cdaa20bcb88

Download Submit
C:\Users\Admin\4tej.exe

Filesize
44KB

MD5
a60c9c8d5563e0004be44141724b18c9

SHA1
b48757d94346720a169e1e13f0c58d7607040b84

SHA256
98f93a5fb1a578891416f057159de059e1a67228ac3c9e1196ff84706d594d2d

SHA512
bf26c8ec4a916e9dbbbdd881f2f598c4e2f6d560f1ccf27cd36377134c4c12c6505d0a00ab4e779a3b8b44021c2ec85658440b4e44d713fda86b6cdaa20bcb88

Download Submit
C:\Users\Admin\HQqGkIT8.exe

Filesize
292KB

MD5
f303cad3eb27fbe3210de3ceba0c383a

SHA1
2d6ee904f441820825872e6a1c25602bbc3f4fc7

SHA256
27ad34b399adb9be6b710ea1c3e43924d352f12b28459f5bbf1a4e99d62ab134

SHA512
b3cde21a385943fd5c5768dc842769307eef749c26847ca6109bb0ffe866fdbe6fd8f8564aa6390fddc5ce70371b342da9bfc37b6dd934f3b3d0a315e7476b0d

Download Submit
C:\Users\Admin\HQqGkIT8.exe

Filesize
292KB

MD5
f303cad3eb27fbe3210de3ceba0c383a

SHA1
2d6ee904f441820825872e6a1c25602bbc3f4fc7

SHA256
27ad34b399adb9be6b710ea1c3e43924d352f12b28459f5bbf1a4e99d62ab134

SHA512
b3cde21a385943fd5c5768dc842769307eef749c26847ca6109bb0ffe866fdbe6fd8f8564aa6390fddc5ce70371b342da9bfc37b6dd934f3b3d0a315e7476b0d

Download Submit
C:\Users\Admin\qoueci.exe

Filesize
292KB

MD5
3f6ba74ac982bc1407acc7b94bfc21f4

SHA1
766961c38190c46f280e5cc8ed6ba04a5bcb4ce6

SHA256
e28d85acc5e2689ad848be1106bd4d757eae3aa6b49af0c23cf35b679090b01d

SHA512
b2749bfcee57315fc208092167aa0b8cd634f8464873c955f103b4fb33c76fb69cf2b03b39fb384b740387724f1862f5fadf8dd9b976de1fec696408d7828c90

Download Submit
C:\Users\Admin\qoueci.exe

Filesize
292KB

MD5
3f6ba74ac982bc1407acc7b94bfc21f4

SHA1
766961c38190c46f280e5cc8ed6ba04a5bcb4ce6

SHA256
e28d85acc5e2689ad848be1106bd4d757eae3aa6b49af0c23cf35b679090b01d

SHA512
b2749bfcee57315fc208092167aa0b8cd634f8464873c955f103b4fb33c76fb69cf2b03b39fb384b740387724f1862f5fadf8dd9b976de1fec696408d7828c90

Download Submit
memory/1540-145-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1540-148-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1540-149-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1540-150-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2700-155-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/2700-157-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download
memory/2700-154-0x0000000030670000-0x00000000306A3000-memory.dmp

Filesize
204KB

Download