Analysis

  • max time kernel
    153s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/11/2022, 02:05

General

  • Target

    7529842af692dcff5882d0255ad3dacc85202edc964e906c68c82037e33b7f41.exe

  • Size

    316KB

  • MD5

    42b28e3768d82add2333264859336e9c

  • SHA1

    accd4c5eb16a46563ebe77551c5dcab0656bd235

  • SHA256

    7529842af692dcff5882d0255ad3dacc85202edc964e906c68c82037e33b7f41

  • SHA512

    b21a61fa46e2b9a7086bb2c000263811f1f23b19ce262c2e3bc547367c472a938eb0b2c7e0917ba58893fceb83f9da479effc814ac1985dbbc2253bd1eeea152

  • SSDEEP

    6144:6MfP4Psq8gFV91GGGLVTmrshXj0MQH1DUhu1GJu+DODryKnKx:xuUgFV6Hm1JKx

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely geofencing.

  • Adds Run key to start application (2 TTPs, 54 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7529842af692dcff5882d0255ad3dacc85202edc964e906c68c82037e33b7f41.exe
    "C:\Users\Admin\AppData\Local\Temp\7529842af692dcff5882d0255ad3dacc85202edc964e906c68c82037e33b7f41.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Users\Admin\qyfix.exe
      "C:\Users\Admin\qyfix.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1076

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\qyfix.exe

    Filesize

    316KB

    MD5

    e71e9ff4b802068064b737683d5489f6

    SHA1

    65d1e29c42a5b6b0184d16d733f8cf26c8060bae

    SHA256

    4467e98be8fd5ff88b5b2d8fc4497e8068199604df085bbdcfffbb3553130455

    SHA512

    515c7866c70720e4b3e4c03506b81b966ed7115cc6992172fe688f270c34f067851241562f745e78329c642d330d6f365d102408eb5320173625b12536dfde3d
