2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574

Analysis

max time kernel
152s
max time network
55s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe
Size

156KB
MD5

63312be0311e6d05c06de72d82c92980
SHA1

e75cc1477f7532d3b9f413a18f7d5cade640d93b
SHA256

2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574
SHA512

7689cc4753d0b45d2305c3423352c3d952a3a608fec8b0dda74911d96b66c16a34ea16384c8724ba340770da9fe0825556f99f4f558ac46a056b90e4d134c70f
SSDEEP

3072:7vo0kPEdu3kSESulCVRgQPwU3MppI1zePMThBN4oQZiEYV:Doiu3ESul9LI1zeEhZWo

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qeoew.exe

Executes dropped EXE 1 IoCs

pid	Process
1964	qeoew.exe

Loads dropped DLL 2 IoCs

pid	Process
908	2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe
908	2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /a"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /P"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /D"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /e"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /k"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /M"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /r"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /W"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /t"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /u"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /H"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /f"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /J"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /y"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /S"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /L"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /F"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /N"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /V"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /U"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /Y"	qeoew.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /o"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /B"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /b"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /d"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /h"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /m"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /Q"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /l"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /T"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /o"	2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /C"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /w"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /G"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /A"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /i"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /E"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /s"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /j"	qeoew.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /n"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /c"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /v"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /O"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /K"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /g"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /q"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /I"	qeoew.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeoew = "C:\\Users\\Admin\\qeoew.exe /Z"	qeoew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
908	2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe
1964	qeoew.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
908	2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe
1964	qeoew.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 1964	908	2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe	27
PID 908 wrote to memory of 1964	908	2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe	27
PID 908 wrote to memory of 1964	908	2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe	27
PID 908 wrote to memory of 1964	908	2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe	27

C:\Users\Admin\AppData\Local\Temp\2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe
"C:\Users\Admin\AppData\Local\Temp\2a5212d565e16869e55a2c85d3cf2e915b59ef79d1552f80ec6c2aa5e6e9c574.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:908
- C:\Users\Admin\qeoew.exe
  "C:\Users\Admin\qeoew.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\qeoew.exe

Filesize
156KB

MD5
617450cd99b312dd3ece2d0482cf10c1

SHA1
dd5e2b82c2141d115147a01112f514df3da0ce82

SHA256
ebf01b3ec067a5540b94e005fa1929dc7153b62adfc880976690ab711e22a799

SHA512
1a7965044c992baca97a5020c2ae4dae2cd4e656282272ee8435fa73375b25c34ac50b2001764ee93cdfd65c288c35a65320070047b11878d2efcbc71cccfbf5

Download Submit
C:\Users\Admin\qeoew.exe

Filesize
156KB

MD5
617450cd99b312dd3ece2d0482cf10c1

SHA1
dd5e2b82c2141d115147a01112f514df3da0ce82

SHA256
ebf01b3ec067a5540b94e005fa1929dc7153b62adfc880976690ab711e22a799

SHA512
1a7965044c992baca97a5020c2ae4dae2cd4e656282272ee8435fa73375b25c34ac50b2001764ee93cdfd65c288c35a65320070047b11878d2efcbc71cccfbf5

Download Submit
\Users\Admin\qeoew.exe

Filesize
156KB

MD5
617450cd99b312dd3ece2d0482cf10c1

SHA1
dd5e2b82c2141d115147a01112f514df3da0ce82

SHA256
ebf01b3ec067a5540b94e005fa1929dc7153b62adfc880976690ab711e22a799

SHA512
1a7965044c992baca97a5020c2ae4dae2cd4e656282272ee8435fa73375b25c34ac50b2001764ee93cdfd65c288c35a65320070047b11878d2efcbc71cccfbf5

Download Submit
\Users\Admin\qeoew.exe

Filesize
156KB

MD5
617450cd99b312dd3ece2d0482cf10c1

SHA1
dd5e2b82c2141d115147a01112f514df3da0ce82

SHA256
ebf01b3ec067a5540b94e005fa1929dc7153b62adfc880976690ab711e22a799

SHA512
1a7965044c992baca97a5020c2ae4dae2cd4e656282272ee8435fa73375b25c34ac50b2001764ee93cdfd65c288c35a65320070047b11878d2efcbc71cccfbf5

Download Submit
memory/908-56-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download