91d05228129ca3826e18bd0c80f9118c93e55f7c7015a170f1e96443548a4b46

Analysis

max time kernel
256s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91d05228129ca3826e18bd0c80f9118c93e55f7c7015a170f1e96443548a4b46.exe
Size

116KB
MD5

849ab20ef51d6fa7da916bf5844bd85a
SHA1

8b0eedaa049c2d56c48a811dd959ec3710669a7a
SHA256

91d05228129ca3826e18bd0c80f9118c93e55f7c7015a170f1e96443548a4b46
SHA512

a1cd989d59fbc773f6ed19c124d5a314bc42c808831bd165ac6901d49ce0d7a73a2a6e19a806065ac9baff7f84e96878750ad5ba7d3363227441b493f8f7aa86
SSDEEP

3072:+0T94Xnr99Rx7D/ONLd01eWkVkMfwdsSB0W+A:nZ477D2NLd01eWkVkMfwdJSW+A

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	91d05228129ca3826e18bd0c80f9118c93e55f7c7015a170f1e96443548a4b46.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qeolees.exe

Executes dropped EXE 1 IoCs

pid	Process
604	qeolees.exe

Loads dropped DLL 2 IoCs

pid	Process
1500	91d05228129ca3826e18bd0c80f9118c93e55f7c7015a170f1e96443548a4b46.exe
1500	91d05228129ca3826e18bd0c80f9118c93e55f7c7015a170f1e96443548a4b46.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /e"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /p"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /b"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /s"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /t"	qeolees.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	91d05228129ca3826e18bd0c80f9118c93e55f7c7015a170f1e96443548a4b46.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /r"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /w"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /l"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /r"	91d05228129ca3826e18bd0c80f9118c93e55f7c7015a170f1e96443548a4b46.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /v"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /j"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /q"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /z"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /d"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /y"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /a"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /o"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /c"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /m"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /k"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /g"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /x"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /i"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /f"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /n"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /u"	qeolees.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\qeolees = "C:\\Users\\Admin\\qeolees.exe /h"	qeolees.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1500	91d05228129ca3826e18bd0c80f9118c93e55f7c7015a170f1e96443548a4b46.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe
604	qeolees.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1500	91d05228129ca3826e18bd0c80f9118c93e55f7c7015a170f1e96443548a4b46.exe
604	qeolees.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 604	1500	91d05228129ca3826e18bd0c80f9118c93e55f7c7015a170f1e96443548a4b46.exe	28
PID 1500 wrote to memory of 604	1500	91d05228129ca3826e18bd0c80f9118c93e55f7c7015a170f1e96443548a4b46.exe	28
PID 1500 wrote to memory of 604	1500	91d05228129ca3826e18bd0c80f9118c93e55f7c7015a170f1e96443548a4b46.exe	28
PID 1500 wrote to memory of 604	1500	91d05228129ca3826e18bd0c80f9118c93e55f7c7015a170f1e96443548a4b46.exe	28

C:\Users\Admin\AppData\Local\Temp\91d05228129ca3826e18bd0c80f9118c93e55f7c7015a170f1e96443548a4b46.exe
"C:\Users\Admin\AppData\Local\Temp\91d05228129ca3826e18bd0c80f9118c93e55f7c7015a170f1e96443548a4b46.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\qeolees.exe
  "C:\Users\Admin\qeolees.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\qeolees.exe

Filesize
116KB

MD5
60ff331b4bc4b1ce052b6b27d4c71a14

SHA1
16b4700fddf6ef09f65b36d05a13ee1bcc2848dd

SHA256
af27c64a21ad74e3aaf682fcdfa5050b0800aa61e05d21ad61c057fa40ebe59c

SHA512
5df0133e807c034c6e15141f38cb71b476066f01af934a8acf9f732bdd8d253014975b4206b6a9077c907dd999fe872e3d937286967aaf69be19c9d0c6f17b6b

Download Submit
C:\Users\Admin\qeolees.exe

Filesize
116KB

MD5
60ff331b4bc4b1ce052b6b27d4c71a14

SHA1
16b4700fddf6ef09f65b36d05a13ee1bcc2848dd

SHA256
af27c64a21ad74e3aaf682fcdfa5050b0800aa61e05d21ad61c057fa40ebe59c

SHA512
5df0133e807c034c6e15141f38cb71b476066f01af934a8acf9f732bdd8d253014975b4206b6a9077c907dd999fe872e3d937286967aaf69be19c9d0c6f17b6b

Download Submit
\Users\Admin\qeolees.exe

Filesize
116KB

MD5
60ff331b4bc4b1ce052b6b27d4c71a14

SHA1
16b4700fddf6ef09f65b36d05a13ee1bcc2848dd

SHA256
af27c64a21ad74e3aaf682fcdfa5050b0800aa61e05d21ad61c057fa40ebe59c

SHA512
5df0133e807c034c6e15141f38cb71b476066f01af934a8acf9f732bdd8d253014975b4206b6a9077c907dd999fe872e3d937286967aaf69be19c9d0c6f17b6b

Download Submit
\Users\Admin\qeolees.exe

Filesize
116KB

MD5
60ff331b4bc4b1ce052b6b27d4c71a14

SHA1
16b4700fddf6ef09f65b36d05a13ee1bcc2848dd

SHA256
af27c64a21ad74e3aaf682fcdfa5050b0800aa61e05d21ad61c057fa40ebe59c

SHA512
5df0133e807c034c6e15141f38cb71b476066f01af934a8acf9f732bdd8d253014975b4206b6a9077c907dd999fe872e3d937286967aaf69be19c9d0c6f17b6b

Download Submit
memory/1500-56-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download