df38c880b1b23b9159ad155a964603c627c779e3574805c216eaad1d9223089c

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 10:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

df38c880b1b23b9159ad155a964603c627c779e3574805c216eaad1d9223089c.exe
Size

232KB
MD5

96a38593ebeaa8626ec158c8080b9019
SHA1

7ba1cb02ae2051f2831c6b188bcb0928e84869a5
SHA256

df38c880b1b23b9159ad155a964603c627c779e3574805c216eaad1d9223089c
SHA512

2d24d659a23d7f733c797100016d47850028a7fe5b1e562f800a6237725fd8bd981c76eb494f99a375c6776e52fe4bdbb57bae4ca0691d4ad45201dc9a1a213a
SSDEEP

3072:GtAKE9tF8lsa+QWYCs5fDF4LJSImbV8UvR77D9G5UEDVR/bwutUqQJ8tIq:G0tnQzbF4NN28UJ77hGGED/bbJtF

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	df38c880b1b23b9159ad155a964603c627c779e3574805c216eaad1d9223089c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qeifua.exe

Executes dropped EXE 1 IoCs

pid	Process
3716	qeifua.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	df38c880b1b23b9159ad155a964603c627c779e3574805c216eaad1d9223089c.exe

Adds Run key to start application 2 TTPs 55 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /F"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /T"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /X"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /W"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /C"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /l"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /P"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /v"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /A"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /Q"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /V"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /t"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /N"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /j"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /e"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /q"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /h"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /U"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /i"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /G"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /p"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /d"	qeifua.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	df38c880b1b23b9159ad155a964603c627c779e3574805c216eaad1d9223089c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /M"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /H"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /b"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /y"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /g"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /o"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /m"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /K"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /w"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /Y"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /G"	df38c880b1b23b9159ad155a964603c627c779e3574805c216eaad1d9223089c.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /J"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /B"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /r"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /O"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /S"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /u"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /z"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /n"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /D"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /Z"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /E"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /k"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /f"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /a"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /c"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /R"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /x"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /I"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /s"	qeifua.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qeifua = "C:\\Users\\Admin\\qeifua.exe /L"	qeifua.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4264	df38c880b1b23b9159ad155a964603c627c779e3574805c216eaad1d9223089c.exe
4264	df38c880b1b23b9159ad155a964603c627c779e3574805c216eaad1d9223089c.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe
3716	qeifua.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4264	df38c880b1b23b9159ad155a964603c627c779e3574805c216eaad1d9223089c.exe
3716	qeifua.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 3716	4264	df38c880b1b23b9159ad155a964603c627c779e3574805c216eaad1d9223089c.exe	86
PID 4264 wrote to memory of 3716	4264	df38c880b1b23b9159ad155a964603c627c779e3574805c216eaad1d9223089c.exe	86
PID 4264 wrote to memory of 3716	4264	df38c880b1b23b9159ad155a964603c627c779e3574805c216eaad1d9223089c.exe	86

C:\Users\Admin\AppData\Local\Temp\df38c880b1b23b9159ad155a964603c627c779e3574805c216eaad1d9223089c.exe
"C:\Users\Admin\AppData\Local\Temp\df38c880b1b23b9159ad155a964603c627c779e3574805c216eaad1d9223089c.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\qeifua.exe
  "C:\Users\Admin\qeifua.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\qeifua.exe

Filesize
232KB

MD5
b4bc745b6f0bff977f8ad3aa7c3bf39f

SHA1
46d70e756a992b3c722ea469b703d5e550013050

SHA256
82bffe3aefe8727220d77d23104bdf2bd7aea51a54dc5df6881ce04f0c2c33d9

SHA512
fce08601699054ad77a31df0575e3dcb178acbb7eaac181a5ec8fcedf19664601c1f1a0be28fee23fb6c0ed5797bb6a8f1a649c764ebcb44e330ddae425d147c

Download Submit
C:\Users\Admin\qeifua.exe

Filesize
232KB

MD5
b4bc745b6f0bff977f8ad3aa7c3bf39f

SHA1
46d70e756a992b3c722ea469b703d5e550013050

SHA256
82bffe3aefe8727220d77d23104bdf2bd7aea51a54dc5df6881ce04f0c2c33d9

SHA512
fce08601699054ad77a31df0575e3dcb178acbb7eaac181a5ec8fcedf19664601c1f1a0be28fee23fb6c0ed5797bb6a8f1a649c764ebcb44e330ddae425d147c

Download Submit