40489cc9ae6cb958cabcdb953672cece52d6e2aa526d8fa869b4c5053ecad8e9

Analysis

max time kernel
151s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40489cc9ae6cb958cabcdb953672cece52d6e2aa526d8fa869b4c5053ecad8e9.exe
Size

300KB
MD5

0f7db5927bc419bab5564525305e1d86
SHA1

7b34ad50467d2a4b6b4dd6d38d6226cee8527d4a
SHA256

40489cc9ae6cb958cabcdb953672cece52d6e2aa526d8fa869b4c5053ecad8e9
SHA512

ea08780f4ce0552d349c05f06a69f1d3d097a1c4bd4103f0fc05c3ecb7cab9f8921fd47ca1545d0ff2afac53f2dd3bf3250be2888614b472b576e8a7c409f4ba
SSDEEP

6144:qWT09e4ZEG29fr/wDSBEA5Dk1RxKLeql1gsbXrwAbvUc:qVrZN29fr/KMEvRkLeqrgsbXrwAbvUc

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qoairah.exe

Executes dropped EXE 1 IoCs

pid	Process
2044	qoairah.exe

Loads dropped DLL 2 IoCs

pid	Process
1264	40489cc9ae6cb958cabcdb953672cece52d6e2aa526d8fa869b4c5053ecad8e9.exe
1264	40489cc9ae6cb958cabcdb953672cece52d6e2aa526d8fa869b4c5053ecad8e9.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /o"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /s"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /q"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /Z"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /l"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /g"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /Q"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /A"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /j"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /x"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /a"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /U"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /L"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /P"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /v"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /V"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /D"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /W"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /M"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /w"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /p"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /k"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /G"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /Y"	qoairah.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /u"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /O"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /m"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /f"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /E"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /S"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /r"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /b"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /K"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /i"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /z"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /J"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /N"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /F"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /c"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /R"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /y"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /H"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /T"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /I"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /n"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /B"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /h"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /t"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /e"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /d"	qoairah.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoairah = "C:\\Users\\Admin\\qoairah.exe /C"	qoairah.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe
2044	qoairah.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1264	40489cc9ae6cb958cabcdb953672cece52d6e2aa526d8fa869b4c5053ecad8e9.exe
2044	qoairah.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 2044	1264	40489cc9ae6cb958cabcdb953672cece52d6e2aa526d8fa869b4c5053ecad8e9.exe	27
PID 1264 wrote to memory of 2044	1264	40489cc9ae6cb958cabcdb953672cece52d6e2aa526d8fa869b4c5053ecad8e9.exe	27
PID 1264 wrote to memory of 2044	1264	40489cc9ae6cb958cabcdb953672cece52d6e2aa526d8fa869b4c5053ecad8e9.exe	27
PID 1264 wrote to memory of 2044	1264	40489cc9ae6cb958cabcdb953672cece52d6e2aa526d8fa869b4c5053ecad8e9.exe	27

C:\Users\Admin\AppData\Local\Temp\40489cc9ae6cb958cabcdb953672cece52d6e2aa526d8fa869b4c5053ecad8e9.exe
"C:\Users\Admin\AppData\Local\Temp\40489cc9ae6cb958cabcdb953672cece52d6e2aa526d8fa869b4c5053ecad8e9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\qoairah.exe
  "C:\Users\Admin\qoairah.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\qoairah.exe

Filesize
300KB

MD5
2325a3bb5bc5c06ee1d873a821fa3859

SHA1
186db2110d04263e5701b51ba0d7b767c4f1c587

SHA256
bdf23dc14671593845187afa986baf5ec4c6e6daf3cd49327b8ef6c1fb8bd8a8

SHA512
9e57ce5a81bb5fab97d79b4921c59e77e1bcca2d2f74f9a3f42b4ceb006f8660453c451ef5183ef40b2906ad0566ca5d3bd14935e781e1eda1474e91b84d816c

Download Submit
C:\Users\Admin\qoairah.exe

Filesize
300KB

MD5
2325a3bb5bc5c06ee1d873a821fa3859

SHA1
186db2110d04263e5701b51ba0d7b767c4f1c587

SHA256
bdf23dc14671593845187afa986baf5ec4c6e6daf3cd49327b8ef6c1fb8bd8a8

SHA512
9e57ce5a81bb5fab97d79b4921c59e77e1bcca2d2f74f9a3f42b4ceb006f8660453c451ef5183ef40b2906ad0566ca5d3bd14935e781e1eda1474e91b84d816c

Download Submit
\Users\Admin\qoairah.exe

Filesize
300KB

MD5
2325a3bb5bc5c06ee1d873a821fa3859

SHA1
186db2110d04263e5701b51ba0d7b767c4f1c587

SHA256
bdf23dc14671593845187afa986baf5ec4c6e6daf3cd49327b8ef6c1fb8bd8a8

SHA512
9e57ce5a81bb5fab97d79b4921c59e77e1bcca2d2f74f9a3f42b4ceb006f8660453c451ef5183ef40b2906ad0566ca5d3bd14935e781e1eda1474e91b84d816c

Download Submit
\Users\Admin\qoairah.exe

Filesize
300KB

MD5
2325a3bb5bc5c06ee1d873a821fa3859

SHA1
186db2110d04263e5701b51ba0d7b767c4f1c587

SHA256
bdf23dc14671593845187afa986baf5ec4c6e6daf3cd49327b8ef6c1fb8bd8a8

SHA512
9e57ce5a81bb5fab97d79b4921c59e77e1bcca2d2f74f9a3f42b4ceb006f8660453c451ef5183ef40b2906ad0566ca5d3bd14935e781e1eda1474e91b84d816c

Download Submit
memory/1264-56-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download