f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569

Analysis

max time kernel
43s
max time network
112s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe
Size

172KB
MD5

05ea54c12e9da7db09838a713d4886bd
SHA1

090541b662dde11f73ed8ebf27bbce47ece42086
SHA256

f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569
SHA512

4dbea645978fa1d77c4bb606700efc1031ad4a02cf893911f9b81ce8b0bb9f38158aafdddae03cfec375aa5859dfdc542cf94a2ce577337bf7168bb2bf709ecd
SSDEEP

3072:142Z9jHSuTJET9EWbxPZ5v1KaxGeenTaIrtlIhrYOWeeNbv2eYwTQNjKGkq/YfpT:1427HSCJETH1h5v15xGeeTPEhrYOWee/

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1540	QvodSetupPlus3.exe
1224	PlayerV0D5.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000142c0-59.dat	upx
behavioral1/files/0x00090000000142c0-60.dat	upx
behavioral1/files/0x00090000000142c0-63.dat	upx
behavioral1/memory/1224-68-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1224-71-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1708	f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe
1708	f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe
1708	f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe
1540	QvodSetupPlus3.exe
1540	QvodSetupPlus3.exe
1540	QvodSetupPlus3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1224	PlayerV0D5.exe
1224	PlayerV0D5.exe
1224	PlayerV0D5.exe
1224	PlayerV0D5.exe
1224	PlayerV0D5.exe
1224	PlayerV0D5.exe
1224	PlayerV0D5.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1540	QvodSetupPlus3.exe
1540	QvodSetupPlus3.exe
1540	QvodSetupPlus3.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1540	QvodSetupPlus3.exe
1540	QvodSetupPlus3.exe
1540	QvodSetupPlus3.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1540	1708	f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe	27
PID 1708 wrote to memory of 1540	1708	f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe	27
PID 1708 wrote to memory of 1540	1708	f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe	27
PID 1708 wrote to memory of 1540	1708	f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe	27
PID 1708 wrote to memory of 1540	1708	f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe	27
PID 1708 wrote to memory of 1540	1708	f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe	27
PID 1708 wrote to memory of 1540	1708	f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe	27
PID 1708 wrote to memory of 1224	1708	f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe	28
PID 1708 wrote to memory of 1224	1708	f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe	28
PID 1708 wrote to memory of 1224	1708	f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe	28
PID 1708 wrote to memory of 1224	1708	f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe	28

C:\Users\Admin\AppData\Local\Temp\f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe
"C:\Users\Admin\AppData\Local\Temp\f7edbb018dcccdf10ff56b78ffa7ea8cb94baa93c34f63b11d3f4c355263f569.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe
  "C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1540
- C:\Users\Admin\AppData\Local\Temp\PlayerV0D5.exe
  "C:\Users\Admin\AppData\Local\Temp\PlayerV0D5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PlayerV0D5.exe

Filesize
29KB

MD5
b238db7eca9933b8393c93621ae3fc62

SHA1
75bb0d55b86187f2cbff2a60c00170c3f257ae6f

SHA256
f016d4b21209b37067235d02fae429864b0c1b4f21f868b793278e0851313c01

SHA512
005150ebecacede27f759837d816431400cda7d7240f27857fb7257ca329e1d7d96ef41d7288649fa339061741e167c271685286cba3ade9c011e3de13e5135c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe

Filesize
297KB

MD5
a07d0a7920e7d6771e17fbd2b3516812

SHA1
f142bdf5ab461b6f5167764b8f73ec0f042b3035

SHA256
83b88fc333a9d9f54f3d62e44e0548c179c8f383e01b5e33da3bcdd9db130397

SHA512
8f5e73e2aa53bbb18f7eec32e7bc17e5b098669d48b0d23567d0fe22139c6c14195d36c319f1b1419b65feb66548eb3deba2e854d05f711331652d8b1d40be6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe

Filesize
297KB

MD5
a07d0a7920e7d6771e17fbd2b3516812

SHA1
f142bdf5ab461b6f5167764b8f73ec0f042b3035

SHA256
83b88fc333a9d9f54f3d62e44e0548c179c8f383e01b5e33da3bcdd9db130397

SHA512
8f5e73e2aa53bbb18f7eec32e7bc17e5b098669d48b0d23567d0fe22139c6c14195d36c319f1b1419b65feb66548eb3deba2e854d05f711331652d8b1d40be6f

Download Submit
\Users\Admin\AppData\Local\Temp\PlayerV0D5.exe

Filesize
29KB

MD5
b238db7eca9933b8393c93621ae3fc62

SHA1
75bb0d55b86187f2cbff2a60c00170c3f257ae6f

SHA256
f016d4b21209b37067235d02fae429864b0c1b4f21f868b793278e0851313c01

SHA512
005150ebecacede27f759837d816431400cda7d7240f27857fb7257ca329e1d7d96ef41d7288649fa339061741e167c271685286cba3ade9c011e3de13e5135c

Download Submit
\Users\Admin\AppData\Local\Temp\PlayerV0D5.exe

Filesize
29KB

MD5
b238db7eca9933b8393c93621ae3fc62

SHA1
75bb0d55b86187f2cbff2a60c00170c3f257ae6f

SHA256
f016d4b21209b37067235d02fae429864b0c1b4f21f868b793278e0851313c01

SHA512
005150ebecacede27f759837d816431400cda7d7240f27857fb7257ca329e1d7d96ef41d7288649fa339061741e167c271685286cba3ade9c011e3de13e5135c

Download Submit
\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe

Filesize
297KB

MD5
a07d0a7920e7d6771e17fbd2b3516812

SHA1
f142bdf5ab461b6f5167764b8f73ec0f042b3035

SHA256
83b88fc333a9d9f54f3d62e44e0548c179c8f383e01b5e33da3bcdd9db130397

SHA512
8f5e73e2aa53bbb18f7eec32e7bc17e5b098669d48b0d23567d0fe22139c6c14195d36c319f1b1419b65feb66548eb3deba2e854d05f711331652d8b1d40be6f

Download Submit
\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe

Filesize
297KB

MD5
a07d0a7920e7d6771e17fbd2b3516812

SHA1
f142bdf5ab461b6f5167764b8f73ec0f042b3035

SHA256
83b88fc333a9d9f54f3d62e44e0548c179c8f383e01b5e33da3bcdd9db130397

SHA512
8f5e73e2aa53bbb18f7eec32e7bc17e5b098669d48b0d23567d0fe22139c6c14195d36c319f1b1419b65feb66548eb3deba2e854d05f711331652d8b1d40be6f

Download Submit
\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe

Filesize
297KB

MD5
a07d0a7920e7d6771e17fbd2b3516812

SHA1
f142bdf5ab461b6f5167764b8f73ec0f042b3035

SHA256
83b88fc333a9d9f54f3d62e44e0548c179c8f383e01b5e33da3bcdd9db130397

SHA512
8f5e73e2aa53bbb18f7eec32e7bc17e5b098669d48b0d23567d0fe22139c6c14195d36c319f1b1419b65feb66548eb3deba2e854d05f711331652d8b1d40be6f

Download Submit
\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.exe

Filesize
297KB

MD5
a07d0a7920e7d6771e17fbd2b3516812

SHA1
f142bdf5ab461b6f5167764b8f73ec0f042b3035

SHA256
83b88fc333a9d9f54f3d62e44e0548c179c8f383e01b5e33da3bcdd9db130397

SHA512
8f5e73e2aa53bbb18f7eec32e7bc17e5b098669d48b0d23567d0fe22139c6c14195d36c319f1b1419b65feb66548eb3deba2e854d05f711331652d8b1d40be6f

Download Submit
memory/1224-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1224-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1540-69-0x0000000003340000-0x0000000003544000-memory.dmp

Filesize
2.0MB

Download
memory/1540-70-0x0000000003340000-0x0000000003544000-memory.dmp

Filesize
2.0MB

Download
memory/1708-62-0x0000000000400000-0x000000000042CB93-memory.dmp

Filesize
178KB

Download
memory/1708-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download