de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe
Size

526KB
MD5

81048765c2e3c10843188ef34947abcb
SHA1

e61fed8e34b1c338d0ef7141743cea82b46f9768
SHA256

de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e
SHA512

13e7f55425599da7f5e567075376cb1b380fc816310064d2831ec4847b9a3c2c451a1cb4eae8e1e31b03ccbe8150670e4466b9b2b3f877295b1258a2e9f8a333
SSDEEP

12288:Wkvpo70X4yQySH6u40Prkl84/0zGoPqLbI16MMcxwireV:WkR+0Xh46N+2czaPE6MHxw7

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1904	QvodSetup5.exe
956	playseplay.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d0000000054a8-55.dat	upx
behavioral1/files/0x000d0000000054a8-57.dat	upx
behavioral1/files/0x000d0000000054a8-59.dat	upx
behavioral1/files/0x000b000000013473-60.dat	upx
behavioral1/files/0x000b000000013473-61.dat	upx
behavioral1/files/0x000b000000013473-63.dat	upx
behavioral1/files/0x000d0000000054a8-67.dat	upx
behavioral1/files/0x000d0000000054a8-66.dat	upx
behavioral1/files/0x000d0000000054a8-65.dat	upx
behavioral1/memory/1904-70-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/956-72-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1904-74-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral1/memory/956-75-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
768	de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe
768	de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe
768	de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe
1904	QvodSetup5.exe
1904	QvodSetup5.exe
1904	QvodSetup5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
956	playseplay.exe
956	playseplay.exe
956	playseplay.exe
956	playseplay.exe
956	playseplay.exe
956	playseplay.exe
956	playseplay.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1904	QvodSetup5.exe
1904	QvodSetup5.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1904	QvodSetup5.exe
1904	QvodSetup5.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 1904	768	de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe	27
PID 768 wrote to memory of 1904	768	de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe	27
PID 768 wrote to memory of 1904	768	de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe	27
PID 768 wrote to memory of 1904	768	de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe	27
PID 768 wrote to memory of 1904	768	de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe	27
PID 768 wrote to memory of 1904	768	de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe	27
PID 768 wrote to memory of 1904	768	de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe	27
PID 768 wrote to memory of 956	768	de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe	28
PID 768 wrote to memory of 956	768	de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe	28
PID 768 wrote to memory of 956	768	de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe	28
PID 768 wrote to memory of 956	768	de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe	28

C:\Users\Admin\AppData\Local\Temp\de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe
"C:\Users\Admin\AppData\Local\Temp\de2945ae6269725ff8dbb7d4031e092fa68eb8f1db02847cc1c786d7bdf75e1e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768
- C:\Users\Admin\AppData\Local\Temp\QvodSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\QvodSetup5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1904
- C:\Users\Admin\AppData\Local\Temp\playseplay.exe
  "C:\Users\Admin\AppData\Local\Temp\playseplay.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QvodSetup5.exe

Filesize
540KB

MD5
59e20e2ec60d5946ad54b64a3deb1c83

SHA1
7027c9308b7b2d14ff9fd7b81efa81a1c9a0ec68

SHA256
538c299746b0afa502968f74f13220069a204e06d008c429a19762ee7ae097bc

SHA512
283824f4d63fdef8eba6a078dc7dcaff401cc13aee6e3c970f0505772b4b1525e2ad805dc2e90b3140f3d9523ea7db575eaf860db60f6c2b4a8edb289d447aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QvodSetup5.exe

Filesize
540KB

MD5
59e20e2ec60d5946ad54b64a3deb1c83

SHA1
7027c9308b7b2d14ff9fd7b81efa81a1c9a0ec68

SHA256
538c299746b0afa502968f74f13220069a204e06d008c429a19762ee7ae097bc

SHA512
283824f4d63fdef8eba6a078dc7dcaff401cc13aee6e3c970f0505772b4b1525e2ad805dc2e90b3140f3d9523ea7db575eaf860db60f6c2b4a8edb289d447aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\playseplay.exe

Filesize
29KB

MD5
184e524dc519cf34d97edd71efd71118

SHA1
f516f41e404e7721c8b061d4cc7bb52a21d485ee

SHA256
991ba33f490239e7a774d2a0c31da4eaea659a6889ed73c87b91276c8a499b95

SHA512
c2c4e5c5e2dba8e8bafb21a897329a97a433ce28aa421f19c9c183044690e57e53805462474368076c3e9cd741f2cc30629bd4b81feca0f369f21aa21d143702

Download Submit
\Users\Admin\AppData\Local\Temp\QvodSetup5.exe

Filesize
540KB

MD5
59e20e2ec60d5946ad54b64a3deb1c83

SHA1
7027c9308b7b2d14ff9fd7b81efa81a1c9a0ec68

SHA256
538c299746b0afa502968f74f13220069a204e06d008c429a19762ee7ae097bc

SHA512
283824f4d63fdef8eba6a078dc7dcaff401cc13aee6e3c970f0505772b4b1525e2ad805dc2e90b3140f3d9523ea7db575eaf860db60f6c2b4a8edb289d447aa9

Download Submit
\Users\Admin\AppData\Local\Temp\QvodSetup5.exe

Filesize
540KB

MD5
59e20e2ec60d5946ad54b64a3deb1c83

SHA1
7027c9308b7b2d14ff9fd7b81efa81a1c9a0ec68

SHA256
538c299746b0afa502968f74f13220069a204e06d008c429a19762ee7ae097bc

SHA512
283824f4d63fdef8eba6a078dc7dcaff401cc13aee6e3c970f0505772b4b1525e2ad805dc2e90b3140f3d9523ea7db575eaf860db60f6c2b4a8edb289d447aa9

Download Submit
\Users\Admin\AppData\Local\Temp\QvodSetup5.exe

Filesize
540KB

MD5
59e20e2ec60d5946ad54b64a3deb1c83

SHA1
7027c9308b7b2d14ff9fd7b81efa81a1c9a0ec68

SHA256
538c299746b0afa502968f74f13220069a204e06d008c429a19762ee7ae097bc

SHA512
283824f4d63fdef8eba6a078dc7dcaff401cc13aee6e3c970f0505772b4b1525e2ad805dc2e90b3140f3d9523ea7db575eaf860db60f6c2b4a8edb289d447aa9

Download Submit
\Users\Admin\AppData\Local\Temp\QvodSetup5.exe

Filesize
540KB

MD5
59e20e2ec60d5946ad54b64a3deb1c83

SHA1
7027c9308b7b2d14ff9fd7b81efa81a1c9a0ec68

SHA256
538c299746b0afa502968f74f13220069a204e06d008c429a19762ee7ae097bc

SHA512
283824f4d63fdef8eba6a078dc7dcaff401cc13aee6e3c970f0505772b4b1525e2ad805dc2e90b3140f3d9523ea7db575eaf860db60f6c2b4a8edb289d447aa9

Download Submit
\Users\Admin\AppData\Local\Temp\playseplay.exe

Filesize
29KB

MD5
184e524dc519cf34d97edd71efd71118

SHA1
f516f41e404e7721c8b061d4cc7bb52a21d485ee

SHA256
991ba33f490239e7a774d2a0c31da4eaea659a6889ed73c87b91276c8a499b95

SHA512
c2c4e5c5e2dba8e8bafb21a897329a97a433ce28aa421f19c9c183044690e57e53805462474368076c3e9cd741f2cc30629bd4b81feca0f369f21aa21d143702

Download Submit
\Users\Admin\AppData\Local\Temp\playseplay.exe

Filesize
29KB

MD5
184e524dc519cf34d97edd71efd71118

SHA1
f516f41e404e7721c8b061d4cc7bb52a21d485ee

SHA256
991ba33f490239e7a774d2a0c31da4eaea659a6889ed73c87b91276c8a499b95

SHA512
c2c4e5c5e2dba8e8bafb21a897329a97a433ce28aa421f19c9c183044690e57e53805462474368076c3e9cd741f2cc30629bd4b81feca0f369f21aa21d143702

Download Submit
memory/768-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/768-64-0x0000000000400000-0x0000000000485361-memory.dmp

Filesize
532KB

Download
memory/956-72-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/956-75-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1904-68-0x0000000000240000-0x0000000000327000-memory.dmp

Filesize
924KB

Download
memory/1904-69-0x0000000000240000-0x0000000000327000-memory.dmp

Filesize
924KB

Download
memory/1904-70-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1904-71-0x0000000000240000-0x0000000000327000-memory.dmp

Filesize
924KB

Download
memory/1904-73-0x0000000000240000-0x0000000000327000-memory.dmp

Filesize
924KB

Download
memory/1904-74-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download