Analysis
-
max time kernel
188s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
03/10/2022, 16:39
Static task
static1
Behavioral task
behavioral1
Sample
79f64ffce036c5941a77e414018267c82a196b7d83fcf60379217e04fba7cd63.exe
Resource
win7-20220812-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
79f64ffce036c5941a77e414018267c82a196b7d83fcf60379217e04fba7cd63.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
79f64ffce036c5941a77e414018267c82a196b7d83fcf60379217e04fba7cd63.exe
-
Size
54KB
-
MD5
08ac5f5b08ae8a2ed567130fe674f809
-
SHA1
35ce31d3c1ebf89014eacdd23b1664e2aa8ae5f8
-
SHA256
79f64ffce036c5941a77e414018267c82a196b7d83fcf60379217e04fba7cd63
-
SHA512
6a9c3694bde7c1aa25eec79bb2c209508aa393df8c025a5875d491c4c8c8398737bd84c36fe7457bb5877429a4686bcf9e998e1d337b61fcd43970ac95745ea0
-
SSDEEP
1536:3hggsNSY1ObCYUXhXAXzXakcUckn98kMEW7jI:OHG0kcUckn98kMEk
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" luiqii.exe -
Executes dropped EXE 1 IoCs
pid Process 4360 luiqii.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 79f64ffce036c5941a77e414018267c82a196b7d83fcf60379217e04fba7cd63.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ luiqii.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\luiqii = "C:\\Users\\Admin\\luiqii.exe" luiqii.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe 4360 luiqii.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1392 79f64ffce036c5941a77e414018267c82a196b7d83fcf60379217e04fba7cd63.exe 4360 luiqii.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1392 wrote to memory of 4360 1392 79f64ffce036c5941a77e414018267c82a196b7d83fcf60379217e04fba7cd63.exe 81 PID 1392 wrote to memory of 4360 1392 79f64ffce036c5941a77e414018267c82a196b7d83fcf60379217e04fba7cd63.exe 81 PID 1392 wrote to memory of 4360 1392 79f64ffce036c5941a77e414018267c82a196b7d83fcf60379217e04fba7cd63.exe 81 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80 PID 4360 wrote to memory of 1392 4360 luiqii.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\79f64ffce036c5941a77e414018267c82a196b7d83fcf60379217e04fba7cd63.exe"C:\Users\Admin\AppData\Local\Temp\79f64ffce036c5941a77e414018267c82a196b7d83fcf60379217e04fba7cd63.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Users\Admin\luiqii.exe"C:\Users\Admin\luiqii.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4360
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54KB
MD518df261c00ac4d1f49e3cff72afdda32
SHA14da18a2f7161e2d56f548b112230e0b85a0bf846
SHA256c415723b7cd50f34ee748cbdff9f3c47d0355f0c308add47705ca8ecea38ec93
SHA51225d4094305c328cb2efbbf79e8ee4292226f159ffb580a901f44710aa4a7fa28e0b7cc145f7be23976a6f8f8014575a30aa91a222be58426d1dd3e65e6a27a27
-
Filesize
54KB
MD518df261c00ac4d1f49e3cff72afdda32
SHA14da18a2f7161e2d56f548b112230e0b85a0bf846
SHA256c415723b7cd50f34ee748cbdff9f3c47d0355f0c308add47705ca8ecea38ec93
SHA51225d4094305c328cb2efbbf79e8ee4292226f159ffb580a901f44710aa4a7fa28e0b7cc145f7be23976a6f8f8014575a30aa91a222be58426d1dd3e65e6a27a27