938ea2b5ce59f8e29c53e654513551dba5f95db0dd23890913ac2205111dd558

Analysis

max time kernel
325s
max time network
378s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

938ea2b5ce59f8e29c53e654513551dba5f95db0dd23890913ac2205111dd558.exe
Size

144KB
MD5

735628efad4bb1003062f946d41a6e55
SHA1

f4ec261d68f890140469df78f751c75c38a43dad
SHA256

938ea2b5ce59f8e29c53e654513551dba5f95db0dd23890913ac2205111dd558
SHA512

d5ca5e6372bf30161a7a328f657af6d6cde3d23f91b8af28d130ceaa0a6ad5544600d42ac5fc51c3bc5ed5c7545cd2f41b7052c45c7048d7bd8cc240f1ddb8cd
SSDEEP

3072:QHKFlhvhINgVs+Y9YXeKjxF1yO13TWDntp:QqFTq2gYuKjxF15s

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	938ea2b5ce59f8e29c53e654513551dba5f95db0dd23890913ac2205111dd558.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	kueqi.exe

Executes dropped EXE 1 IoCs

pid	Process
5044	kueqi.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	938ea2b5ce59f8e29c53e654513551dba5f95db0dd23890913ac2205111dd558.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run\	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /f"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /Q"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /j"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /I"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /M"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /R"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /D"	kueqi.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run\	938ea2b5ce59f8e29c53e654513551dba5f95db0dd23890913ac2205111dd558.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /Z"	938ea2b5ce59f8e29c53e654513551dba5f95db0dd23890913ac2205111dd558.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /G"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /v"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /O"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /N"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /T"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /c"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /Z"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /t"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /U"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /d"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /p"	kueqi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kueqi = "C:\\Users\\Admin\\kueqi.exe /l"	kueqi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1912	938ea2b5ce59f8e29c53e654513551dba5f95db0dd23890913ac2205111dd558.exe
1912	938ea2b5ce59f8e29c53e654513551dba5f95db0dd23890913ac2205111dd558.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe
5044	kueqi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1912	938ea2b5ce59f8e29c53e654513551dba5f95db0dd23890913ac2205111dd558.exe
5044	kueqi.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 5044	1912	938ea2b5ce59f8e29c53e654513551dba5f95db0dd23890913ac2205111dd558.exe	84
PID 1912 wrote to memory of 5044	1912	938ea2b5ce59f8e29c53e654513551dba5f95db0dd23890913ac2205111dd558.exe	84
PID 1912 wrote to memory of 5044	1912	938ea2b5ce59f8e29c53e654513551dba5f95db0dd23890913ac2205111dd558.exe	84

C:\Users\Admin\AppData\Local\Temp\938ea2b5ce59f8e29c53e654513551dba5f95db0dd23890913ac2205111dd558.exe
"C:\Users\Admin\AppData\Local\Temp\938ea2b5ce59f8e29c53e654513551dba5f95db0dd23890913ac2205111dd558.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\kueqi.exe
  "C:\Users\Admin\kueqi.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\kueqi.exe

Filesize
144KB

MD5
a3064cd749256bfe2b36753c1bc573ce

SHA1
762f40ffcf177f9ebd73b153d82719608ee10d87

SHA256
13d8af490367f3197576c64997b03b4b29d13164cc4e9a3df2ec746545c6f99a

SHA512
4080625b2c6f1049cf2cc9a421c8597421084167afc003350e7a6ebe3c57d798739b15d2b5745729ec052a90047008d46d3c0ee7b44ac5a60d35ed45816f472a

Download Submit
C:\Users\Admin\kueqi.exe

Filesize
144KB

MD5
a3064cd749256bfe2b36753c1bc573ce

SHA1
762f40ffcf177f9ebd73b153d82719608ee10d87

SHA256
13d8af490367f3197576c64997b03b4b29d13164cc4e9a3df2ec746545c6f99a

SHA512
4080625b2c6f1049cf2cc9a421c8597421084167afc003350e7a6ebe3c57d798739b15d2b5745729ec052a90047008d46d3c0ee7b44ac5a60d35ed45816f472a

Download Submit