Analysis

  • max time kernel
    190s
  • max time network
    231s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
  • submitted
    05-12-2022 10:32

General

  • Target

    73e1ee879e5839f509e34531ca5972744bad5f24e7738f4bd15bdb6c02ccb93c.exe

  • Size

    252KB

  • MD5

    b2229032d7b335533a9dd254c9d29c6f

  • SHA1

    1b71ab8a14291e67e1a424c633d2957a524bf8a4

  • SHA256

    73e1ee879e5839f509e34531ca5972744bad5f24e7738f4bd15bdb6c02ccb93c

  • SHA512

    51cb72b36e16b89de42cbfa6bc8ef666036dbd49a7bffa8837ba0b4aae63e9915b6a0f6c187c53e09c716f94795588255cef7d922a557f001793e319ac775b9c

  • SSDEEP

    6144:0d0EJxRpLPGO/7YBNPVlVRgoEA9Qx2fKHEZXrUEQOy7:cFVjwPVlVRgoEA9Qx2fKHEZXrbG7

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 51 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73e1ee879e5839f509e34531ca5972744bad5f24e7738f4bd15bdb6c02ccb93c.exe
    "C:\Users\Admin\AppData\Local\Temp\73e1ee879e5839f509e34531ca5972744bad5f24e7738f4bd15bdb6c02ccb93c.exe"
    1⤵
    • Modifies visibility of hidden/system files in Explorer
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Users\Admin\qiimu.exe
      "C:\Users\Admin\qiimu.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4436
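The process tree above is the whole story of this sample at the behaviour level: a binary running from the user's Temp folder writes qiimu.exe into the profile root, launches it as a child, and both processes add Run-key persistence and change Explorer's hidden/system-file visibility. The following is an added example, not code from the sandbox or from this report: a correlation routine that rebuilds that chain from Sysmon-style process, file-write and registry-set events. The event records are constructed for the example; the report gives only the signature names, so the registry targets (HKCU ...\CurrentVersion\Run and ...\Explorer\Advanced\Hidden / ShowSuperHidden) and the Run value name "qiimu" are assumptions, while the paths and SHA256 hashes are the report's own.

```python
"""Correlate endpoint events into the drop-execute-persist chain shown above.

Added example, not the sandbox's code.  Event records are constructed; the
registry locations are assumed (the report names signatures, not keys).
"""
import re
from collections import defaultdict

# File-level IoCs quoted from the report.
PARENT_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\73e1ee879e5839f509e34531ca5972744bad5f24e7738f4bd15bdb6c02ccb93c.exe")
PARENT_SHA256 = "73e1ee879e5839f509e34531ca5972744bad5f24e7738f4bd15bdb6c02ccb93c"
DROPPED_IMAGE = r"C:\Users\Admin\qiimu.exe"
DROPPED_SHA256 = "341f800593337acabd95147cd5cb2c199a6652bfa465d86e300506cc9aa907d8"
IOC_HASHES = {PARENT_SHA256, DROPPED_SHA256}

# Path shapes for the two stages of the chain.
TEMP_DIR = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
PROFILE_ROOT_EXE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.I)
# Assumed registry targets: user-writable persistence and Explorer view settings.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
EXPLORER_HIDDEN = re.compile(r"\\Explorer\\Advanced\\(Hidden|ShowSuperHidden)$", re.I)

HKCU = r"HKU\S-1-5-21-1111-2222-3333-1001"  # constructed user SID prefix


def correlate(events):
    """Return one finding per Temp-launched process that dropped and ran an EXE.

    Each event is a dict with 'type' in {'process', 'file', 'registry'}; the
    fields used are pid/ppid/image/sha256 for processes, pid/target for file
    writes and pid/target/data for registry value sets.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    created = defaultdict(set)   # pid -> lower-cased paths it wrote
    regsets = defaultdict(list)  # pid -> [(target, data), ...]
    for e in events:
        if e["type"] == "file":
            created[e["pid"]].add(e["target"].lower())
        elif e["type"] == "registry":
            regsets[e["pid"]].append((e["target"], e.get("data", "")))

    findings = []
    for pid, parent in procs.items():
        if not TEMP_DIR.match(parent["image"]):
            continue
        # A child whose image is a file this process wrote into the profile root.
        children = [c for c in procs.values()
                    if c.get("ppid") == pid
                    and c["image"].lower() in created[pid]
                    and PROFILE_ROOT_EXE.match(c["image"])]
        if not children:
            continue
        child = children[0]
        tags = {"dropped_exe_executed"}
        sets = regsets[pid] + regsets[child["pid"]]
        if any(RUN_KEY.search(t) and child["image"].lower() in d.lower() for t, d in sets):
            tags.add("run_key_persistence")
        if any(EXPLORER_HIDDEN.search(t) for t, _ in sets):
            tags.add("explorer_hidden_files_modified")
        if any(q.get("sha256") in IOC_HASHES for q in (parent, child)):
            tags.add("known_sample_hash")
        findings.append({"parent_pid": pid, "child_pid": child["pid"],
                         "dropped": child["image"], "tags": sorted(tags)})
    return findings


# Constructed telemetry mirroring the report's process tree, plus benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 5060, "ppid": 2312, "image": PARENT_IMAGE, "sha256": PARENT_SHA256},
    {"type": "file", "pid": 5060, "target": DROPPED_IMAGE},
    {"type": "registry", "pid": 5060,
     "target": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "data": "DWORD (0x00000002)"},
    {"type": "registry", "pid": 5060,
     "target": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run\qiimu", "data": DROPPED_IMAGE},
    {"type": "process", "pid": 4436, "ppid": 5060, "image": DROPPED_IMAGE, "sha256": DROPPED_SHA256},
    {"type": "registry", "pid": 4436,
     "target": HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run\qiimu", "data": DROPPED_IMAGE},
    # An installer in Temp that writes to Program Files must not be flagged.
    {"type": "process", "pid": 7100, "ppid": 2312,
     "image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe", "sha256": "00" * 32},
    {"type": "file", "pid": 7100, "target": r"C:\Program Files\Tool\tool.exe"},
    {"type": "process", "pid": 7120, "ppid": 7100,
     "image": r"C:\Program Files\Tool\tool.exe", "sha256": "11" * 32},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The parent/child pairing is keyed on the file-write event rather than on the child's name, so a rename of qiimu.exe would still be caught; the Run-key check requires the value data to reference the dropped image, which keeps legitimate Run entries from other software out of the finding.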

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\qiimu.exe

    Filesize

    252KB

    MD5

    bc0c941e77caca9754bd5b3985b95d91

    SHA1

    c133e51c4c97cc4468a718dd3c6bfd3657090a10

    SHA256

    341f800593337acabd95147cd5cb2c199a6652bfa465d86e300506cc9aa907d8

    SHA512

    09a2695797941927d6efb42f07d418e27230c6d6a73f9c5eaf25c01b7fb57e1f5339ed0fa845f933e23fc5ac8d61b045ab4e7c9e34052aa655190606af6be9a5

  • memory/4436-134-0x0000000000000000-mapping.dmp