ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a

General

Target

ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
Size

394KB
MD5

7a35101aad6d97ec448aeae1c4ce23ba
SHA1

49b5ff89c61620328f2cb4b77319dc85b1460997
SHA256

ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a
SHA512

61d60b11d3166cfa83d6021545b833c696f0e622b4820f54b27f2d9d3e9406b60ad6f266c006820bfe4523267e893da8067d8a89467b7765728b7383ddec811c
SSDEEP

6144:/XklIFkOBUXUlhtsN8LsCUDJk7lymC+xiz+TLJ2edKOVVdk3VMLF9Hlgd/J7SvL5:BUEloN8gNDePVxiK2uKqklUDlSRkL5

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2891029575-1462575-1165213807-1000\RECOVERfysqm.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? It means that on a structural level your files have been transformed. You won't be able to use, read, see or work with them anymore. In other words they are useless, however, there is a possibility to restore them with our help. What exactly happened to your files? *** Two personal RSA4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key, which you received over the web. *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. What should you do next? There are several options for you to consider: 1. You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or 2. You can start getting BitCoins right now and get access to your data quite fast. In case you have valuable files, we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions, please access your personal homepage by choosing one of the few addresses down below: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/D48285AC525BFFD http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/D48285AC525BFFD http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/D48285AC525BFFD If you can't access your personal homepage or the addresses are not working, complete the following steps: 1. Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en 2. Install TOR Browser 3. Open TOR Browser 4. Insert the following link in the address bar: k7tlx3ghr3m4n2tu.onion/D48285AC525BFFD 5. Follow the steps on your screen IMPORTANT INFORMATION Your personal homepages: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/D48285AC525BFFD http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/D48285AC525BFFD http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/D48285AC525BFFD Your personal page Tor-Browser k7tlx3ghr3m4n2tu.onion/D48285AC525BFFD Your personal identification ID: D48285AC525BFFD

URLs

http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/D48285AC525BFFD

http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/D48285AC525BFFD

http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/D48285AC525BFFD

http://k7tlx3ghr3m4n2tu.onion/D48285AC525BFFD

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

qdodgq.exeqdodgq.exe

pid process

1156 qdodgq.exe
3620 qdodgq.exe

pid	process
1156	qdodgq.exe
3620	qdodgq.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exeqdodgq.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	qdodgq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

qdodgq.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	qdodgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\_eyed = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START C:\\Users\\Admin\\Documents\\qdodgq.exe"	qdodgq.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exeqdodgq.exe

description	pid	process	target process
PID 2384 set thread context of 5076	2384	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 1156 set thread context of 3620	1156	qdodgq.exe	qdodgq.exe

Drops file in Program Files directory 64 IoCs

Processes:

qdodgq.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	qdodgq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\RECOVERfysqm.txt	qdodgq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\applet\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\RECOVERfysqm.txt	qdodgq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\RECOVERfysqm.txt	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\RECOVERfysqm.txt	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\RECOVERfysqm.txt	qdodgq.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\plugin2\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fonts\RECOVERfysqm.txt	qdodgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png	qdodgq.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RECOVERfysqm.txt	qdodgq.exe
File opened for modification	C:\Program Files\Internet Explorer\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\RECOVERfysqm.txt	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\RECOVERfysqm.txt	qdodgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png	qdodgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt	qdodgq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\RECOVERfysqm.txt	qdodgq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\RECOVERfysqm.txt	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\RECOVERfysqm.txt	qdodgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png	qdodgq.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\RECOVERfysqm.txt	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png	qdodgq.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	qdodgq.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\personaspybridge.js	qdodgq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\RECOVERfysqm.html	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\RECOVERfysqm.png	qdodgq.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png	qdodgq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\RECOVERfysqm.txt	qdodgq.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\RECOVERfysqm.txt	qdodgq.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\RECOVERfysqm.txt	qdodgq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2036 vssadmin.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

qdodgq.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\trueimg qdodgq.exe

pid	process
2036	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\trueimg	qdodgq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

qdodgq.exe

pid	process
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe
3620	qdodgq.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

qdodgq.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3620	qdodgq.exe
Token: SeBackupPrivilege	668	vssvc.exe
Token: SeRestorePrivilege	668	vssvc.exe
Token: SeAuditPrivilege	668	vssvc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exead32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exeqdodgq.exeqdodgq.exe

description	pid	process	target process
PID 2384 wrote to memory of 5076	2384	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 2384 wrote to memory of 5076	2384	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 2384 wrote to memory of 5076	2384	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 2384 wrote to memory of 5076	2384	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 2384 wrote to memory of 5076	2384	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 2384 wrote to memory of 5076	2384	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 2384 wrote to memory of 5076	2384	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 2384 wrote to memory of 5076	2384	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 2384 wrote to memory of 5076	2384	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 2384 wrote to memory of 5076	2384	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
PID 5076 wrote to memory of 1156	5076	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	qdodgq.exe
PID 5076 wrote to memory of 1156	5076	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	qdodgq.exe
PID 5076 wrote to memory of 1156	5076	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	qdodgq.exe
PID 5076 wrote to memory of 524	5076	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	cmd.exe
PID 5076 wrote to memory of 524	5076	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	cmd.exe
PID 5076 wrote to memory of 524	5076	ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe	cmd.exe
PID 1156 wrote to memory of 3620	1156	qdodgq.exe	qdodgq.exe
PID 1156 wrote to memory of 3620	1156	qdodgq.exe	qdodgq.exe
PID 1156 wrote to memory of 3620	1156	qdodgq.exe	qdodgq.exe
PID 1156 wrote to memory of 3620	1156	qdodgq.exe	qdodgq.exe
PID 1156 wrote to memory of 3620	1156	qdodgq.exe	qdodgq.exe
PID 1156 wrote to memory of 3620	1156	qdodgq.exe	qdodgq.exe
PID 1156 wrote to memory of 3620	1156	qdodgq.exe	qdodgq.exe
PID 1156 wrote to memory of 3620	1156	qdodgq.exe	qdodgq.exe
PID 1156 wrote to memory of 3620	1156	qdodgq.exe	qdodgq.exe
PID 1156 wrote to memory of 3620	1156	qdodgq.exe	qdodgq.exe
PID 3620 wrote to memory of 2036	3620	qdodgq.exe	vssadmin.exe
PID 3620 wrote to memory of 2036	3620	qdodgq.exe	vssadmin.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

qdodgq.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	qdodgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	qdodgq.exe

C:\Users\Admin\AppData\Local\Temp\ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
"C:\Users\Admin\AppData\Local\Temp\ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2384

C:\Users\Admin\AppData\Local\Temp\ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe
"C:\Users\Admin\AppData\Local\Temp\ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5076

C:\Users\Admin\Documents\qdodgq.exe
C:\Users\Admin\Documents\qdodgq.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\Documents\qdodgq.exe
C:\Users\Admin\Documents\qdodgq.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3620

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
5⤵
- Interacts with shadow copies
PID:2036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\AD32F2~1.EXE >> NUL
3⤵
PID:524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\qdodgq.exe
Filesize
394KB

MD5
7a35101aad6d97ec448aeae1c4ce23ba

SHA1
49b5ff89c61620328f2cb4b77319dc85b1460997

SHA256
ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a

SHA512
61d60b11d3166cfa83d6021545b833c696f0e622b4820f54b27f2d9d3e9406b60ad6f266c006820bfe4523267e893da8067d8a89467b7765728b7383ddec811c

Download Submit
C:\Users\Admin\Documents\qdodgq.exe
Filesize
394KB

MD5
7a35101aad6d97ec448aeae1c4ce23ba

SHA1
49b5ff89c61620328f2cb4b77319dc85b1460997

SHA256
ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a

SHA512
61d60b11d3166cfa83d6021545b833c696f0e622b4820f54b27f2d9d3e9406b60ad6f266c006820bfe4523267e893da8067d8a89467b7765728b7383ddec811c

Download Submit
C:\Users\Admin\Documents\qdodgq.exe
Filesize
394KB

MD5
7a35101aad6d97ec448aeae1c4ce23ba

SHA1
49b5ff89c61620328f2cb4b77319dc85b1460997

SHA256
ad32f22bde25453f1ac5956c8c46a7f04218b239e816790dae4d0a0a69c9f01a

SHA512
61d60b11d3166cfa83d6021545b833c696f0e622b4820f54b27f2d9d3e9406b60ad6f266c006820bfe4523267e893da8067d8a89467b7765728b7383ddec811c

Download Submit
memory/524-146-0x0000000000000000-mapping.dmp

Download
memory/1156-144-0x0000000000530000-0x0000000000536000-memory.dmp

Filesize
24KB

Download
memory/1156-141-0x0000000000000000-mapping.dmp

Download
memory/2036-156-0x0000000000000000-mapping.dmp

Download
memory/2384-137-0x00000000021F0000-0x00000000021F6000-memory.dmp

Filesize
24KB

Download
memory/2384-133-0x00000000021F0000-0x00000000021F6000-memory.dmp

Filesize
24KB

Download
memory/2384-132-0x00000000021F0000-0x00000000021F6000-memory.dmp

Filesize
24KB

Download
memory/3620-153-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3620-149-0x0000000000000000-mapping.dmp

Download
memory/3620-157-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3620-155-0x0000000074D20000-0x0000000074D59000-memory.dmp

Filesize
228KB

Download
memory/3620-154-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3620-152-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5076-134-0x0000000000000000-mapping.dmp

Download
memory/5076-148-0x0000000074CF0000-0x0000000074D29000-memory.dmp

Filesize
228KB

Download
memory/5076-140-0x0000000074CF0000-0x0000000074D29000-memory.dmp

Filesize
228KB

Download
memory/5076-147-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5076-139-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5076-135-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5076-145-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5076-138-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5076-136-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads