8c598321368a8958cd8c735bf6b03f0e17369ebcc9924cfead013410745e96b4

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c598321368a8958cd8c735bf6b03f0e17369ebcc9924cfead013410745e96b4.exe
Size

204KB
MD5

91b230127ce626594410ecb660128338
SHA1

bca8dc60afa401a7337c80f4fae98bbdc175f133
SHA256

8c598321368a8958cd8c735bf6b03f0e17369ebcc9924cfead013410745e96b4
SHA512

57cf70441dd60f856cce29847adc2a3f476e70fc7e1fd335f59d23ddda5ec3846cec80cfe3a826dd84fa933cc014c8bc4fdea8ba328dbc2fd51d344f20e42bd7
SSDEEP

1536:BG+OoSHo1vzxHwx5xNy3tQ9CW5EZWHakMwP9W6uXNh9h1AWa11GBPIdRONd+w61J:mHo1w0tQ9nLHbB9WTk9+JgqmlZ/T

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	8c598321368a8958cd8c735bf6b03f0e17369ebcc9924cfead013410745e96b4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qeukin.exe

Executes dropped EXE 1 IoCs

pid	Process
1696	qeukin.exe

Loads dropped DLL 2 IoCs

pid	Process
1808	8c598321368a8958cd8c735bf6b03f0e17369ebcc9924cfead013410745e96b4.exe
1808	8c598321368a8958cd8c735bf6b03f0e17369ebcc9924cfead013410745e96b4.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /t"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /y"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /n"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /a"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /p"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /c"	qeukin.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	8c598321368a8958cd8c735bf6b03f0e17369ebcc9924cfead013410745e96b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /d"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /v"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /r"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /o"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /f"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /m"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /z"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /x"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /i"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /q"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /j"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /k"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /g"	qeukin.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /l"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /b"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /w"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /h"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /n"	8c598321368a8958cd8c735bf6b03f0e17369ebcc9924cfead013410745e96b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /e"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /s"	qeukin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeukin = "C:\\Users\\Admin\\qeukin.exe /u"	qeukin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1808	8c598321368a8958cd8c735bf6b03f0e17369ebcc9924cfead013410745e96b4.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe
1696	qeukin.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1808	8c598321368a8958cd8c735bf6b03f0e17369ebcc9924cfead013410745e96b4.exe
1696	qeukin.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1696	1808	8c598321368a8958cd8c735bf6b03f0e17369ebcc9924cfead013410745e96b4.exe	27
PID 1808 wrote to memory of 1696	1808	8c598321368a8958cd8c735bf6b03f0e17369ebcc9924cfead013410745e96b4.exe	27
PID 1808 wrote to memory of 1696	1808	8c598321368a8958cd8c735bf6b03f0e17369ebcc9924cfead013410745e96b4.exe	27
PID 1808 wrote to memory of 1696	1808	8c598321368a8958cd8c735bf6b03f0e17369ebcc9924cfead013410745e96b4.exe	27

C:\Users\Admin\AppData\Local\Temp\8c598321368a8958cd8c735bf6b03f0e17369ebcc9924cfead013410745e96b4.exe
"C:\Users\Admin\AppData\Local\Temp\8c598321368a8958cd8c735bf6b03f0e17369ebcc9924cfead013410745e96b4.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\qeukin.exe
  "C:\Users\Admin\qeukin.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\qeukin.exe

Filesize
204KB

MD5
240c6685ece5e3a82160009af952f6bf

SHA1
ee703a25529bed2ec900a2a1b69fdbad159cba12

SHA256
a194990f2b1a12d5150e7728be37ed71c2b659289895f27cdb184abc4a9600ac

SHA512
a52e6ba4268b4d008e98e02ad3db33c73dfcdf7799ad31e0b6b8a00d14322f7b17305384ad3d66fa67b04ade790ae46a036a37809df9771727bd95c68c1d12f1

Download Submit
C:\Users\Admin\qeukin.exe

Filesize
204KB

MD5
240c6685ece5e3a82160009af952f6bf

SHA1
ee703a25529bed2ec900a2a1b69fdbad159cba12

SHA256
a194990f2b1a12d5150e7728be37ed71c2b659289895f27cdb184abc4a9600ac

SHA512
a52e6ba4268b4d008e98e02ad3db33c73dfcdf7799ad31e0b6b8a00d14322f7b17305384ad3d66fa67b04ade790ae46a036a37809df9771727bd95c68c1d12f1

Download Submit
\Users\Admin\qeukin.exe

Filesize
204KB

MD5
240c6685ece5e3a82160009af952f6bf

SHA1
ee703a25529bed2ec900a2a1b69fdbad159cba12

SHA256
a194990f2b1a12d5150e7728be37ed71c2b659289895f27cdb184abc4a9600ac

SHA512
a52e6ba4268b4d008e98e02ad3db33c73dfcdf7799ad31e0b6b8a00d14322f7b17305384ad3d66fa67b04ade790ae46a036a37809df9771727bd95c68c1d12f1

Download Submit
\Users\Admin\qeukin.exe

Filesize
204KB

MD5
240c6685ece5e3a82160009af952f6bf

SHA1
ee703a25529bed2ec900a2a1b69fdbad159cba12

SHA256
a194990f2b1a12d5150e7728be37ed71c2b659289895f27cdb184abc4a9600ac

SHA512
a52e6ba4268b4d008e98e02ad3db33c73dfcdf7799ad31e0b6b8a00d14322f7b17305384ad3d66fa67b04ade790ae46a036a37809df9771727bd95c68c1d12f1

Download Submit
memory/1696-59-0x0000000000000000-mapping.dmp

Download
memory/1808-56-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download