8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0

General

Target

8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
Size

63KB
MD5

450aa454ed5dca712b998868738d5870
SHA1

a26e9aa0d65ec4c439b37a04d1babb364d882812
SHA256

8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0
SHA512

ded6917232bda2956244f6783d765247823f524cf4393d8e0d270cd6db2b97e48683794921ee504092a997533466551f94133daf579cee7cd8bf38521baa35ec
SSDEEP

768:AYNnyAQNuAGXBUdh0Xa3idGnFYRRxCHMr+0Wxepji9VIyZEg37P2wKHe:SNYsR/Fzsr+fqji97O3+

Score

8^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

sqtanvqkuec.exesqtanvqkuec.exe

pid process

772 sqtanvqkuec.exe
1068 sqtanvqkuec.exe

pid	process
772	sqtanvqkuec.exe
1068	sqtanvqkuec.exe

Drops startup file 4 IoCs

Processes:

sqtanvqkuec.exe8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÌÚÑ¶_QQ.lnk	sqtanvqkuec.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÌÚÑ¶_QQ.lnk	sqtanvqkuec.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zgdtcpqpwe.lnk	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zgdtcpqpwe.lnk	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

Drops file in Program Files directory 63 IoCs

Processes:

sqtanvqkuec.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\wordpad.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpconfig.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnscfg.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Windows Media Player\setup_wm.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPDMC.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpshare.exe	sqtanvqkuec.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPSideShowGadget.exe	sqtanvqkuec.exe

Drops file in Windows directory 64 IoCs

Processes:

8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

description	ioc	process
File opened for modification	C:\Windows\Media\Savanna\Windows Battery Low.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Calligraphy\Windows Exclamation.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Calligraphy\Windows Print complete.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Cityscape\Windows Logon Sound.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Cityscape\Windows Navigation Start.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Raga\Windows Exclamation.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Delta\Windows Logoff Sound.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Festival\Windows Information Bar.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Afternoon\Windows Logon Sound.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Calligraphy\Windows Information Bar.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Cityscape\Windows Default.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Cityscape\Windows Pop-up Blocked.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Delta\Windows Ding.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Characters\Windows Hardware Fail.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Feed Discovered.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Pop-up Blocked.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File created	C:\Windows\xvtlryquungu.exe	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Battery Low.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Afternoon\Windows Hardware Insert.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Calligraphy\Windows Logoff Sound.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Landscape\Windows Hardware Remove.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Landscape\Windows Logoff Sound.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Savanna\Windows Print complete.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Raga\Windows Ding.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Raga\Windows Pop-up Blocked.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Savanna\Windows Hardware Remove.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Cityscape\Windows Battery Critical.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Garden\Windows Logon Sound.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\ir_end.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\ir_inter.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Landscape\Windows Print complete.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Heritage\Windows Information Bar.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Landscape\Windows Logon Sound.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Sonata\Windows Logoff Sound.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Calligraphy\Windows Pop-up Blocked.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Cityscape\Windows Notify.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Cityscape\Windows User Account Control.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Festival\Windows Print complete.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Garden\Windows Hardware Fail.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Shutdown.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Festival\Windows Hardware Fail.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Landscape\Windows Exclamation.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Savanna\Windows Notify.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Afternoon\Windows Critical Stop.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Afternoon\Windows Error.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Characters\Windows Battery Low.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\chord.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Cityscape\Windows Print complete.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Sonata\Windows Critical Stop.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Speech Off.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Error.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Calligraphy\Windows Battery Critical.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Cityscape\Windows Hardware Remove.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Festival\Windows Exclamation.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Garden\Windows Ding.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Raga\Windows Logon Sound.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Savanna\Windows Hardware Fail.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Afternoon\Windows Hardware Remove.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Heritage\Windows Balloon.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Heritage\Windows Ding.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Savanna\Windows Default.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Savanna\Windows User Account Control.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Windows Critical Stop.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
File opened for modification	C:\Windows\Media\Festival\Windows Notify.wav	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exesqtanvqkuec.exesqtanvqkuec.exe

pid	process
1716	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
1716	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
1716	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
1716	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
772	sqtanvqkuec.exe
772	sqtanvqkuec.exe
1068	sqtanvqkuec.exe
1068	sqtanvqkuec.exe
1716	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe

description	pid	process	target process
PID 1716 wrote to memory of 772	1716	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe	sqtanvqkuec.exe
PID 1716 wrote to memory of 772	1716	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe	sqtanvqkuec.exe
PID 1716 wrote to memory of 772	1716	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe	sqtanvqkuec.exe
PID 1716 wrote to memory of 772	1716	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe	sqtanvqkuec.exe
PID 1716 wrote to memory of 1068	1716	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe	sqtanvqkuec.exe
PID 1716 wrote to memory of 1068	1716	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe	sqtanvqkuec.exe
PID 1716 wrote to memory of 1068	1716	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe	sqtanvqkuec.exe
PID 1716 wrote to memory of 1068	1716	8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe	sqtanvqkuec.exe

C:\Users\Admin\AppData\Local\Temp\8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
"C:\Users\Admin\AppData\Local\Temp\8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe"
1⤵
- Drops startup file
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\sqtanvqkuec.exe
"C:\Windows\sqtanvqkuec.exe" rb
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:772

C:\Windows\sqtanvqkuec.exe
"C:\Windows\sqtanvqkuec.exe" C:\Users\Admin\AppData\Local\Temp\8a5d99e7b48a82f731aacb85302c1ba1cbc0373133ef7f012b339842d955e8a0.exe
2⤵
- Executes dropped EXE
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\sqtanvqkuec.exe

Filesize
24KB

MD5
fcc9923bd3d2c1e6037cffab25f0942c

SHA1
9d033b75b836caf3e290be79eb8ee21557a3fd3d

SHA256
e2194857f3bd554f392875877462a08a65c59575ec83d16237beadf551e27478

SHA512
a2e5162d9e52c9e0f8ec5592b1a10ddd538feed99dd6dc438ff8b4e5e696bd0b8d9a78adb8d25f26dbbc1636916a592d6ae4df9eaa66ee86dcf91a1a9ba55e6e

Download Submit
C:\Windows\sqtanvqkuec.exe

Filesize
24KB

MD5
fcc9923bd3d2c1e6037cffab25f0942c

SHA1
9d033b75b836caf3e290be79eb8ee21557a3fd3d

SHA256
e2194857f3bd554f392875877462a08a65c59575ec83d16237beadf551e27478

SHA512
a2e5162d9e52c9e0f8ec5592b1a10ddd538feed99dd6dc438ff8b4e5e696bd0b8d9a78adb8d25f26dbbc1636916a592d6ae4df9eaa66ee86dcf91a1a9ba55e6e

Download Submit
C:\Windows\sqtanvqkuec.exe

Filesize
24KB

MD5
fcc9923bd3d2c1e6037cffab25f0942c

SHA1
9d033b75b836caf3e290be79eb8ee21557a3fd3d

SHA256
e2194857f3bd554f392875877462a08a65c59575ec83d16237beadf551e27478

SHA512
a2e5162d9e52c9e0f8ec5592b1a10ddd538feed99dd6dc438ff8b4e5e696bd0b8d9a78adb8d25f26dbbc1636916a592d6ae4df9eaa66ee86dcf91a1a9ba55e6e

Download Submit
memory/772-55-0x0000000000000000-mapping.dmp

Download
memory/1068-57-0x0000000000000000-mapping.dmp

Download
memory/1716-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads