2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780

Analysis

max time kernel
155s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780.exe
Size

244KB
MD5

92afb470fb1b50c120850585b3380810
SHA1

df0c209e7cc8c66647a03e1a9fcfcbe7ab3acbd5
SHA256

2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780
SHA512

3cbf2c22b4413d424b606a188528779c4957972e79564a42d33b2ee7c6a6a3cfa17b8543b33811db75eca8ac4f411cd219d758c38692f318473b6ac817a5dff8
SSDEEP

3072:FO9OixU3uv1FFaTdFnb6/WH6H/AC1toEc/fQbxM:FOxU3umdFnbTa1cQ+

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qoooh.exe

Executes dropped EXE 1 IoCs

pid	Process
5024	qoooh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780.exe

Adds Run key to start application 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /b"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /v"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /t"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /p"	2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /h"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /j"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /f"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /v"	2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /d"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /l"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /g"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /n"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /p"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /a"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /q"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /r"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /k"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /n"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /j"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /w"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /b"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /k"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /a"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /x"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /x"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /m"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /s"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /q"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /r"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /p"	qoooh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /z"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /t"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /f"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /h"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /y"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /w"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /u"	qoooh.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /c"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /l"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /i"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /s"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /o"	qoooh.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /g"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /e"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /o"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /i"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /m"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /z"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /e"	qoooh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /c"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /v"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /d"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /y"	qoooh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoooh = "C:\\Users\\Admin\\qoooh.exe /u"	qoooh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1660	2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780.exe
1660	2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe
5024	qoooh.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1660	2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780.exe
5024	qoooh.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 5024	1660	2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780.exe	81
PID 1660 wrote to memory of 5024	1660	2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780.exe	81
PID 1660 wrote to memory of 5024	1660	2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780.exe	81

C:\Users\Admin\AppData\Local\Temp\2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780.exe
"C:\Users\Admin\AppData\Local\Temp\2b511e87e6ce455cd0ed7fa2c92073eb9c0fa05a868fec72899305e060bd9780.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\qoooh.exe
  "C:\Users\Admin\qoooh.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\qoooh.exe

Filesize
244KB

MD5
1452ff57f06aae646251ccdf1584cf6c

SHA1
0783153513a81664574e07836bf6ffa2d7c006ea

SHA256
b3e5b4acff4b38e50961bb5400c781d04e0fc07f3c440b57e9521af21a14c190

SHA512
fbbcbc55417e2118e99035d105f68ea51fe95b0b208b07d7ec2a6c514eca062880c8ba219838c0b36e1e148acb84d6e3632269341d49b641031445a45a110edd

Download Submit
C:\Users\Admin\qoooh.exe

Filesize
244KB

MD5
1452ff57f06aae646251ccdf1584cf6c

SHA1
0783153513a81664574e07836bf6ffa2d7c006ea

SHA256
b3e5b4acff4b38e50961bb5400c781d04e0fc07f3c440b57e9521af21a14c190

SHA512
fbbcbc55417e2118e99035d105f68ea51fe95b0b208b07d7ec2a6c514eca062880c8ba219838c0b36e1e148acb84d6e3632269341d49b641031445a45a110edd

Download Submit