97557589ea7b2a424e58e3b875e4ad45c5aa4ba49fe3f154aae081a77ba69f5e

Analysis

max time kernel
104s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2022 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97557589ea7b2a424e58e3b875e4ad45c5aa4ba49fe3f154aae081a77ba69f5e.exe
Size

418KB
MD5

6cf0ff7f755b9fc0f35b107f0ae60e79
SHA1

b3e472a438e9335c828b5c17380b7ad554820595
SHA256

97557589ea7b2a424e58e3b875e4ad45c5aa4ba49fe3f154aae081a77ba69f5e
SHA512

98b4f8e0fe541d4f8b3ae236c1f5c770be8d49b45bbcd354c96a356e29b90585d6077ba60ba8a85d043137fbff19a571bca0a997a52f922068df43ea106b6c8f
SSDEEP

6144:PBXsRBP1ttbZO3l5QYktJKjAjTglZGE6w7ofGSsd97vbQI4FB+:+HPPz+AjUl56wVSsnF4D

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4688	Qhemaa.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4884-132-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/files/0x0009000000022e3d-137.dat	upx
behavioral2/files/0x0009000000022e3d-138.dat	upx
behavioral2/memory/4688-140-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	97557589ea7b2a424e58e3b875e4ad45c5aa4ba49fe3f154aae081a77ba69f5e.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	97557589ea7b2a424e58e3b875e4ad45c5aa4ba49fe3f154aae081a77ba69f5e.exe
File created	C:\Windows\Qhemaa.exe	97557589ea7b2a424e58e3b875e4ad45c5aa4ba49fe3f154aae081a77ba69f5e.exe
File opened for modification	C:\Windows\Qhemaa.exe	97557589ea7b2a424e58e3b875e4ad45c5aa4ba49fe3f154aae081a77ba69f5e.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Qhemaa.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Qhemaa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4396	4688	WerFault.exe	80

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	Qhemaa.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe
4688	Qhemaa.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4688	Qhemaa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 4688	4884	97557589ea7b2a424e58e3b875e4ad45c5aa4ba49fe3f154aae081a77ba69f5e.exe	80
PID 4884 wrote to memory of 4688	4884	97557589ea7b2a424e58e3b875e4ad45c5aa4ba49fe3f154aae081a77ba69f5e.exe	80
PID 4884 wrote to memory of 4688	4884	97557589ea7b2a424e58e3b875e4ad45c5aa4ba49fe3f154aae081a77ba69f5e.exe	80

C:\Users\Admin\AppData\Local\Temp\97557589ea7b2a424e58e3b875e4ad45c5aa4ba49fe3f154aae081a77ba69f5e.exe
"C:\Users\Admin\AppData\Local\Temp\97557589ea7b2a424e58e3b875e4ad45c5aa4ba49fe3f154aae081a77ba69f5e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\Qhemaa.exe
  C:\Windows\Qhemaa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 688
    3⤵
    - Program crash
    PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4688 -ip 4688
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Qhemaa.exe

Filesize
418KB

MD5
6cf0ff7f755b9fc0f35b107f0ae60e79

SHA1
b3e472a438e9335c828b5c17380b7ad554820595

SHA256
97557589ea7b2a424e58e3b875e4ad45c5aa4ba49fe3f154aae081a77ba69f5e

SHA512
98b4f8e0fe541d4f8b3ae236c1f5c770be8d49b45bbcd354c96a356e29b90585d6077ba60ba8a85d043137fbff19a571bca0a997a52f922068df43ea106b6c8f

Download Submit
C:\Windows\Qhemaa.exe

Filesize
418KB

MD5
6cf0ff7f755b9fc0f35b107f0ae60e79

SHA1
b3e472a438e9335c828b5c17380b7ad554820595

SHA256
97557589ea7b2a424e58e3b875e4ad45c5aa4ba49fe3f154aae081a77ba69f5e

SHA512
98b4f8e0fe541d4f8b3ae236c1f5c770be8d49b45bbcd354c96a356e29b90585d6077ba60ba8a85d043137fbff19a571bca0a997a52f922068df43ea106b6c8f

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
426B

MD5
57017105a32e4db659945e13b0522cb3

SHA1
6edb52954c4a3641ecad659c5a54da8f3f5c5ebc

SHA256
021490fead19c5957a90764184159b5fed0b70e455dceff1d79028f848bd3d0d

SHA512
a52245b8d5b383d19b4bf6a5932e20540733a36fd1be9188b8b21565bf5f62d7e41525a517942aafec326535c3f13634214e509a6e00c852ff5ff971112fd01b

Download Submit
memory/4688-136-0x0000000000000000-mapping.dmp

Download
memory/4688-140-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4688-145-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4688-147-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4884-132-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4884-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4884-139-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4884-146-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download