43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0

General

Target

43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe
Size

1.2MB
MD5

174382a91a1a79be940f97befb379758
SHA1

bade41a40a3114a525732fcb261ff03546fbaeab
SHA256

43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0
SHA512

a72e3e43b2c1c6facfc2e92255efba5ddd25876a612cc430045f312e192127fd5ad6174fea2bca159d40fa30a1c40e781b1b830fd60138f0ddc7006e2ee8035c
SSDEEP

24576:ARJ7/hVYXfCxS4y25pdA+UnJFqnb1QGRuYai9T8b+XN:ARJNVMfCxSUhA9Fqb1D8YaB+d

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SQ ÔÆÐÂÎÅ.exe

pid process

1928 SQ ÔÆÐÂÎÅ.exe

pid	process
1928	SQ ÔÆÐÂÎÅ.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1340-59-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-61-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-65-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-67-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-71-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-75-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-79-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-83-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-89-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-93-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-95-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-99-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-97-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-91-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-87-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-85-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-81-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-77-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-73-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-69-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-63-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-58-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-100-0x0000000010000000-0x0000000010038000-memory.dmp	upx
behavioral1/memory/1340-111-0x0000000010000000-0x0000000010038000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exeSQ ÔÆÐÂÎÅ.exe

pid process

1340 43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe
1928 SQ ÔÆÐÂÎÅ.exe
1928 SQ ÔÆÐÂÎÅ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SQ ÔÆÐÂÎÅ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SQ Platform = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SQ ÔÆÐÂÎÅ.exe ?(?3?)? ?,??????"	SQ ÔÆÐÂÎÅ.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe

description ioc process

File opened (read-only) \??\D: 43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\D:	43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe

Modifies registry class 2 IoCs

Processes:

SQ ÔÆÐÂÎÅ.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	SQ ÔÆÐÂÎÅ.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	SQ ÔÆÐÂÎÅ.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exeSQ ÔÆÐÂÎÅ.exe

pid	process
1340	43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe
1340	43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe
1928	SQ ÔÆÐÂÎÅ.exe
1928	SQ ÔÆÐÂÎÅ.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SQ ÔÆÐÂÎÅ.exe

pid process

1928 SQ ÔÆÐÂÎÅ.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

SQ ÔÆÐÂÎÅ.exe

pid process

1928 SQ ÔÆÐÂÎÅ.exe

pid	process
1928	SQ ÔÆÐÂÎÅ.exe

pid	process
1928	SQ ÔÆÐÂÎÅ.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe

pid	process
1340	43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe
1340	43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe
1340	43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe
1340	43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe
1340	43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe

description	pid	process	target process
PID 1340 wrote to memory of 1928	1340	43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe	SQ ÔÆÐÂÎÅ.exe
PID 1340 wrote to memory of 1928	1340	43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe	SQ ÔÆÐÂÎÅ.exe
PID 1340 wrote to memory of 1928	1340	43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe	SQ ÔÆÐÂÎÅ.exe
PID 1340 wrote to memory of 1928	1340	43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe	SQ ÔÆÐÂÎÅ.exe

C:\Users\Admin\AppData\Local\Temp\43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe
"C:\Users\Admin\AppData\Local\Temp\43011d822451b210e6532fa0736ac196cdc64c196d2d1f2f876035c7c3c476c0.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\SQ ÔÆÐÂÎÅ.exe
"C:\Users\Admin\AppData\Local\Temp\\SQ ÔÆÐÂÎÅ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SQ ÔÆÐÂÎÅ.exe
Filesize
224KB

MD5
d3ac5fe660b6aebdc61ac8ef6d20e417

SHA1
7f9f95ad571cecddecc6ce7e930ce53fcaef326a

SHA256
9a0b419550fb26aa732b326d673c4861133a94bb1fe6dc6936c9d104b31eef19

SHA512
85b01bb31f6a37c4f46938282a5b5f2b91d7e46f8494b49434c168c207a6e84cc1340733dbde07532a3755f03f6d7614c076ca92bbe26c150e2ae8d5f0f706f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQ ÔÆÐÂÎÅ.exe
Filesize
224KB

MD5
d3ac5fe660b6aebdc61ac8ef6d20e417

SHA1
7f9f95ad571cecddecc6ce7e930ce53fcaef326a

SHA256
9a0b419550fb26aa732b326d673c4861133a94bb1fe6dc6936c9d104b31eef19

SHA512
85b01bb31f6a37c4f46938282a5b5f2b91d7e46f8494b49434c168c207a6e84cc1340733dbde07532a3755f03f6d7614c076ca92bbe26c150e2ae8d5f0f706f7

Download Submit
\Users\Admin\AppData\Local\Temp\SQ ÔÆÐÂÎÅ.exe
Filesize
224KB

MD5
d3ac5fe660b6aebdc61ac8ef6d20e417

SHA1
7f9f95ad571cecddecc6ce7e930ce53fcaef326a

SHA256
9a0b419550fb26aa732b326d673c4861133a94bb1fe6dc6936c9d104b31eef19

SHA512
85b01bb31f6a37c4f46938282a5b5f2b91d7e46f8494b49434c168c207a6e84cc1340733dbde07532a3755f03f6d7614c076ca92bbe26c150e2ae8d5f0f706f7

Download Submit
\Users\Admin\AppData\Local\Temp\SQ ÔÆÐÂÎÅ.exe
Filesize
224KB

MD5
d3ac5fe660b6aebdc61ac8ef6d20e417

SHA1
7f9f95ad571cecddecc6ce7e930ce53fcaef326a

SHA256
9a0b419550fb26aa732b326d673c4861133a94bb1fe6dc6936c9d104b31eef19

SHA512
85b01bb31f6a37c4f46938282a5b5f2b91d7e46f8494b49434c168c207a6e84cc1340733dbde07532a3755f03f6d7614c076ca92bbe26c150e2ae8d5f0f706f7

Download Submit
\Users\Admin\AppData\Local\Temp\SQ ÔÆÐÂÎÅ.exe
Filesize
224KB

MD5
d3ac5fe660b6aebdc61ac8ef6d20e417

SHA1
7f9f95ad571cecddecc6ce7e930ce53fcaef326a

SHA256
9a0b419550fb26aa732b326d673c4861133a94bb1fe6dc6936c9d104b31eef19

SHA512
85b01bb31f6a37c4f46938282a5b5f2b91d7e46f8494b49434c168c207a6e84cc1340733dbde07532a3755f03f6d7614c076ca92bbe26c150e2ae8d5f0f706f7

Download Submit
memory/1340-91-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-77-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-71-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-75-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-79-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-83-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-89-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-93-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-95-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-99-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-97-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1340-87-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-85-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-81-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-67-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-73-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-69-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-63-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-58-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-100-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-65-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-61-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-111-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-59-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1340-57-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/1340-55-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/1340-110-0x0000000000400000-0x0000000000902000-memory.dmp

Filesize
5.0MB

Download
memory/1928-109-0x0000000035110000-0x0000000035120000-memory.dmp

Filesize
64KB

Download
memory/1928-102-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads