c50611155e452b04251d87ff87163176463a74c0eba10b12406abbc4ceb56e8b

Analysis

max time kernel
151s
max time network
112s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 19:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c50611155e452b04251d87ff87163176463a74c0eba10b12406abbc4ceb56e8b.exe
Size

228KB
MD5

85f92d12a7c38438e96d577fc5e1ec15
SHA1

3b3a596e90449e332495d831f9339f5de572f5df
SHA256

c50611155e452b04251d87ff87163176463a74c0eba10b12406abbc4ceb56e8b
SHA512

016c502fd3b88b04371ffd6fb84bf0d7bc0596e732a2d817d8a2297643b8a9499679f4524e3336107bd3c8c77bac5ba0429b60621aebdd902ce3eb4854660090
SSDEEP

6144:0kKqhXbU7akpWm0/mnn7ruTbio1We0xOodpBN1:m+LQpWm0/mnn7ruTbio1We0xOodpP1

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c50611155e452b04251d87ff87163176463a74c0eba10b12406abbc4ceb56e8b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qlsad.exe

Executes dropped EXE 1 IoCs

pid	Process
1944	qlsad.exe

Loads dropped DLL 2 IoCs

pid	Process
1148	c50611155e452b04251d87ff87163176463a74c0eba10b12406abbc4ceb56e8b.exe
1148	c50611155e452b04251d87ff87163176463a74c0eba10b12406abbc4ceb56e8b.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /M"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /Q"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /A"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /O"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /G"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /o"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /k"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /R"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /Y"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /h"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /t"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /C"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /d"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /a"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /P"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /W"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /l"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /T"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /Z"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /X"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /v"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /m"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /N"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /q"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /e"	qlsad.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	c50611155e452b04251d87ff87163176463a74c0eba10b12406abbc4ceb56e8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /B"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /r"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /z"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /S"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /V"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /u"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /j"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /w"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /p"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /f"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /U"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /F"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /H"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /I"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /y"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /b"	qlsad.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /E"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /s"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /D"	c50611155e452b04251d87ff87163176463a74c0eba10b12406abbc4ceb56e8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /J"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /n"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /K"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /c"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /D"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /L"	qlsad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlsad = "C:\\Users\\Admin\\qlsad.exe /i"	qlsad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1148	c50611155e452b04251d87ff87163176463a74c0eba10b12406abbc4ceb56e8b.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe
1944	qlsad.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1148	c50611155e452b04251d87ff87163176463a74c0eba10b12406abbc4ceb56e8b.exe
1944	qlsad.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1944	1148	c50611155e452b04251d87ff87163176463a74c0eba10b12406abbc4ceb56e8b.exe	27
PID 1148 wrote to memory of 1944	1148	c50611155e452b04251d87ff87163176463a74c0eba10b12406abbc4ceb56e8b.exe	27
PID 1148 wrote to memory of 1944	1148	c50611155e452b04251d87ff87163176463a74c0eba10b12406abbc4ceb56e8b.exe	27
PID 1148 wrote to memory of 1944	1148	c50611155e452b04251d87ff87163176463a74c0eba10b12406abbc4ceb56e8b.exe	27

C:\Users\Admin\AppData\Local\Temp\c50611155e452b04251d87ff87163176463a74c0eba10b12406abbc4ceb56e8b.exe
"C:\Users\Admin\AppData\Local\Temp\c50611155e452b04251d87ff87163176463a74c0eba10b12406abbc4ceb56e8b.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\qlsad.exe
  "C:\Users\Admin\qlsad.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\qlsad.exe

Filesize
228KB

MD5
ce0c988d3930dd7260777f4719a371ee

SHA1
30aa7a9e07695663ea058180e5cc519fd9aa9dfc

SHA256
76a05febfe5722c634e47af9cb9c6c524928c6d55298a8742d67a75bad74c720

SHA512
14801872caeb4448feb271fa3a9ec1ab66138289afb1b93b8328f4bafe6edd307049e8bdb9cb492d83c16f30be4f18022e0c3e13ea10d5c88075e966b3c14683

Download Submit
C:\Users\Admin\qlsad.exe

Filesize
228KB

MD5
ce0c988d3930dd7260777f4719a371ee

SHA1
30aa7a9e07695663ea058180e5cc519fd9aa9dfc

SHA256
76a05febfe5722c634e47af9cb9c6c524928c6d55298a8742d67a75bad74c720

SHA512
14801872caeb4448feb271fa3a9ec1ab66138289afb1b93b8328f4bafe6edd307049e8bdb9cb492d83c16f30be4f18022e0c3e13ea10d5c88075e966b3c14683

Download Submit
\Users\Admin\qlsad.exe

Filesize
228KB

MD5
ce0c988d3930dd7260777f4719a371ee

SHA1
30aa7a9e07695663ea058180e5cc519fd9aa9dfc

SHA256
76a05febfe5722c634e47af9cb9c6c524928c6d55298a8742d67a75bad74c720

SHA512
14801872caeb4448feb271fa3a9ec1ab66138289afb1b93b8328f4bafe6edd307049e8bdb9cb492d83c16f30be4f18022e0c3e13ea10d5c88075e966b3c14683

Download Submit
\Users\Admin\qlsad.exe

Filesize
228KB

MD5
ce0c988d3930dd7260777f4719a371ee

SHA1
30aa7a9e07695663ea058180e5cc519fd9aa9dfc

SHA256
76a05febfe5722c634e47af9cb9c6c524928c6d55298a8742d67a75bad74c720

SHA512
14801872caeb4448feb271fa3a9ec1ab66138289afb1b93b8328f4bafe6edd307049e8bdb9cb492d83c16f30be4f18022e0c3e13ea10d5c88075e966b3c14683

Download Submit
memory/1148-56-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download