c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab

General

Target

c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab.exe
Size

322KB
MD5

ec9c131b92b4c37bae39adb79b167e0e
SHA1

066430a555f2afe51ee39db3b7e2e03791105e40
SHA256

c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab
SHA512

920b6e44ac032c13e2bfd861440c93e04c6c67960191d89e385d6c596c916e148f0555422aeb49c3aa6b309f5191c8d2cfd792c3d50a0e01b5cc5a84257cc5a7
SSDEEP

6144:217/qs70CkEE/xzP6m/HDnP3Bw3gSfYlYaaRIDylnxtIYmDh7HgARCGuD:C7/qs7LUOmbPxww1vu1mrgdG

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

qyeobbula.exe

pid process

840 qyeobbula.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1712 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exeqyeobbula.exe

pid process

1712 cmd.exe
1712 cmd.exe
840 qyeobbula.exe

pid	process
840	qyeobbula.exe

pid	process
1712	cmd.exe

pid	process
1712	cmd.exe
1712	cmd.exe
840	qyeobbula.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

320 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1824 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 320 taskkill.exe

pid	process
320	taskkill.exe

pid	process
1824	PING.EXE

description	pid	process
Token: SeDebugPrivilege	320	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab.execmd.exe

description	pid	process	target process
PID 1948 wrote to memory of 1712	1948	c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab.exe	cmd.exe
PID 1948 wrote to memory of 1712	1948	c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab.exe	cmd.exe
PID 1948 wrote to memory of 1712	1948	c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab.exe	cmd.exe
PID 1948 wrote to memory of 1712	1948	c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab.exe	cmd.exe
PID 1712 wrote to memory of 320	1712	cmd.exe	taskkill.exe
PID 1712 wrote to memory of 320	1712	cmd.exe	taskkill.exe
PID 1712 wrote to memory of 320	1712	cmd.exe	taskkill.exe
PID 1712 wrote to memory of 320	1712	cmd.exe	taskkill.exe
PID 1712 wrote to memory of 1824	1712	cmd.exe	PING.EXE
PID 1712 wrote to memory of 1824	1712	cmd.exe	PING.EXE
PID 1712 wrote to memory of 1824	1712	cmd.exe	PING.EXE
PID 1712 wrote to memory of 1824	1712	cmd.exe	PING.EXE
PID 1712 wrote to memory of 840	1712	cmd.exe	qyeobbula.exe
PID 1712 wrote to memory of 840	1712	cmd.exe	qyeobbula.exe
PID 1712 wrote to memory of 840	1712	cmd.exe	qyeobbula.exe
PID 1712 wrote to memory of 840	1712	cmd.exe	qyeobbula.exe

C:\Users\Admin\AppData\Local\Temp\c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab.exe
"C:\Users\Admin\AppData\Local\Temp\c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1948 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab.exe" & start C:\Users\Admin\AppData\Local\QYEOBB~1.EXE -f
2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 1948
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.1
3⤵
- Runs ping.exe
PID:1824

C:\Users\Admin\AppData\Local\qyeobbula.exe
C:\Users\Admin\AppData\Local\QYEOBB~1.EXE -f
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\qyeobbula.exe
Filesize
322KB

MD5
ec9c131b92b4c37bae39adb79b167e0e

SHA1
066430a555f2afe51ee39db3b7e2e03791105e40

SHA256
c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab

SHA512
920b6e44ac032c13e2bfd861440c93e04c6c67960191d89e385d6c596c916e148f0555422aeb49c3aa6b309f5191c8d2cfd792c3d50a0e01b5cc5a84257cc5a7

Download Submit
C:\Users\Admin\AppData\Local\qyeobbula.exe
Filesize
322KB

MD5
ec9c131b92b4c37bae39adb79b167e0e

SHA1
066430a555f2afe51ee39db3b7e2e03791105e40

SHA256
c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab

SHA512
920b6e44ac032c13e2bfd861440c93e04c6c67960191d89e385d6c596c916e148f0555422aeb49c3aa6b309f5191c8d2cfd792c3d50a0e01b5cc5a84257cc5a7

Download Submit
\Users\Admin\AppData\Local\qyeobbula.exe
Filesize
322KB

MD5
ec9c131b92b4c37bae39adb79b167e0e

SHA1
066430a555f2afe51ee39db3b7e2e03791105e40

SHA256
c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab

SHA512
920b6e44ac032c13e2bfd861440c93e04c6c67960191d89e385d6c596c916e148f0555422aeb49c3aa6b309f5191c8d2cfd792c3d50a0e01b5cc5a84257cc5a7

Download Submit
\Users\Admin\AppData\Local\qyeobbula.exe
Filesize
322KB

MD5
ec9c131b92b4c37bae39adb79b167e0e

SHA1
066430a555f2afe51ee39db3b7e2e03791105e40

SHA256
c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab

SHA512
920b6e44ac032c13e2bfd861440c93e04c6c67960191d89e385d6c596c916e148f0555422aeb49c3aa6b309f5191c8d2cfd792c3d50a0e01b5cc5a84257cc5a7

Download Submit
\Users\Admin\AppData\Local\qyeobbula.exe
Filesize
322KB

MD5
ec9c131b92b4c37bae39adb79b167e0e

SHA1
066430a555f2afe51ee39db3b7e2e03791105e40

SHA256
c5639ff410da6b9713d95f5bed56e763f3e5c07c06aa0e663d1336c13a18bcab

SHA512
920b6e44ac032c13e2bfd861440c93e04c6c67960191d89e385d6c596c916e148f0555422aeb49c3aa6b309f5191c8d2cfd792c3d50a0e01b5cc5a84257cc5a7

Download Submit
memory/320-57-0x0000000000000000-mapping.dmp

Download
memory/840-62-0x0000000000000000-mapping.dmp

Download
memory/840-66-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/840-67-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/1712-55-0x0000000000000000-mapping.dmp

Download
memory/1824-58-0x0000000000000000-mapping.dmp

Download
memory/1948-56-0x0000000001000000-0x00000000010A5000-memory.dmp

Filesize
660KB

Download
memory/1948-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing