31d9c25d965fa6de72c0c376159c19da21bc5dcd579bc038b2134d19b1ca9ab2

Analysis

max time kernel
170s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scan AR441 SHEETS.exe
Size

483KB
MD5

ae6e5c25ef61b57b0474c12fb74b9880
SHA1

feb3c0ced829b8ab62d94267f4ec0578ede5e58a
SHA256

31d9c25d965fa6de72c0c376159c19da21bc5dcd579bc038b2134d19b1ca9ab2
SHA512

0fc452ea778b13aa467a4e44e6d98896d319c32e147067fbf48ee86842b672b10cf8e571f9292fef429aea009c899851313c625b333b93edb2607c75853a2bcb
SSDEEP

12288:Wtm2gHDUkrFwT3OSwmucvWwfmRbBT3lhQvaMmgG9l:6gIIFwT3OcucUNwas

Score

7^/10

Malware Config

Signatures

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Scan AR441 SHEETS.exeScan AR441 SHEETS.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Scan AR441 SHEETS.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Scan AR441 SHEETS.exe

Loads dropped DLL 1 IoCs

Processes:

Scan AR441 SHEETS.exe

pid process

1888 Scan AR441 SHEETS.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Scan AR441 SHEETS.exeScan AR441 SHEETS.exe

pid process

1888 Scan AR441 SHEETS.exe
1680 Scan AR441 SHEETS.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Scan AR441 SHEETS.exe

description pid process target process

PID 1888 set thread context of 1680 1888 Scan AR441 SHEETS.exe Scan AR441 SHEETS.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Scan AR441 SHEETS.exe

pid process

1888 Scan AR441 SHEETS.exe

pid	process
1888	Scan AR441 SHEETS.exe

pid	process
1888	Scan AR441 SHEETS.exe
1680	Scan AR441 SHEETS.exe

description	pid	process	target process
PID 1888 set thread context of 1680	1888	Scan AR441 SHEETS.exe	Scan AR441 SHEETS.exe

pid	process
1888	Scan AR441 SHEETS.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Scan AR441 SHEETS.exe

description	pid	process	target process
PID 1888 wrote to memory of 1680	1888	Scan AR441 SHEETS.exe	Scan AR441 SHEETS.exe
PID 1888 wrote to memory of 1680	1888	Scan AR441 SHEETS.exe	Scan AR441 SHEETS.exe
PID 1888 wrote to memory of 1680	1888	Scan AR441 SHEETS.exe	Scan AR441 SHEETS.exe
PID 1888 wrote to memory of 1680	1888	Scan AR441 SHEETS.exe	Scan AR441 SHEETS.exe

C:\Users\Admin\AppData\Local\Temp\Scan AR441 SHEETS.exe
"C:\Users\Admin\AppData\Local\Temp\Scan AR441 SHEETS.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\Scan AR441 SHEETS.exe
"C:\Users\Admin\AppData\Local\Temp\Scan AR441 SHEETS.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsfEDA4.tmp\System.dll

Filesize
11KB

MD5
7399323923e3946fe9140132ac388132

SHA1
728257d06c452449b1241769b459f091aabcffc5

SHA256
5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3

SHA512
d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

Download Submit
memory/1680-140-0x0000000001660000-0x0000000001760000-memory.dmp

Filesize
1024KB

Download
memory/1680-145-0x0000000077110000-0x00000000772B3000-memory.dmp

Filesize
1.6MB

Download
memory/1680-143-0x0000000077110000-0x00000000772B3000-memory.dmp

Filesize
1.6MB

Download
memory/1680-142-0x00007FFAD0FB0000-0x00007FFAD11A5000-memory.dmp

Filesize
2.0MB

Download
memory/1680-137-0x0000000000000000-mapping.dmp

Download
memory/1680-141-0x0000000001660000-0x0000000001760000-memory.dmp

Filesize
1024KB

Download
memory/1680-138-0x0000000000400000-0x0000000001654000-memory.dmp

Filesize
18.3MB

Download
memory/1888-135-0x00007FFAD0FB0000-0x00007FFAD11A5000-memory.dmp

Filesize
2.0MB

Download
memory/1888-139-0x0000000077110000-0x00000000772B3000-memory.dmp

Filesize
1.6MB

Download
memory/1888-136-0x0000000077110000-0x00000000772B3000-memory.dmp

Filesize
1.6MB

Download
memory/1888-134-0x00000000051D0000-0x00000000052D1000-memory.dmp

Filesize
1.0MB

Download
memory/1888-144-0x00000000051D0000-0x00000000052D1000-memory.dmp

Filesize
1.0MB

Download
memory/1888-133-0x00000000051D0000-0x00000000052D1000-memory.dmp

Filesize
1.0MB

Download