70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c25c9877c55e1c43283910d400d91e2c.exe
Size

398KB
MD5

c25c9877c55e1c43283910d400d91e2c
SHA1

e75a014931488473a0f220a81e83742f3afc66b7
SHA256

70f32a20f79a7bff35560af814867b770998faf1be40fd3dc04ddab93c45f6e0
SHA512

77f8ff58fede53e7109796b9bbc200cd78337d6d654b9801e12e1dcf4acf04d8e7127996d1e4d60265334dac348566518cf32a500c57cbe5c5c61ac6f91a1b04
SSDEEP

3072:bEhKzShSycJWiUTh0Mu3F1dMppyaoJWUytFznR/OlAuxY7PWWYa/K4bKKUDFtv09:bBnyFu10YWbFznRWGDFKnKUDFtv0koH

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

qaiuyqqkou.exeqaiuyqqkou.exe

pid process

2012 qaiuyqqkou.exe
1720 qaiuyqqkou.exe
Loads dropped DLL 5 IoCs

Processes:

c25c9877c55e1c43283910d400d91e2c.exeqaiuyqqkou.exeWerFault.exe

pid process

2028 c25c9877c55e1c43283910d400d91e2c.exe
2012 qaiuyqqkou.exe
580 WerFault.exe
580 WerFault.exe
580 WerFault.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

qaiuyqqkou.exe

description pid process target process

PID 2012 set thread context of 1720 2012 qaiuyqqkou.exe qaiuyqqkou.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

580 1720 WerFault.exe qaiuyqqkou.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

qaiuyqqkou.exe

pid process

2012 qaiuyqqkou.exe
2012 qaiuyqqkou.exe

pid	process
2012	qaiuyqqkou.exe
1720	qaiuyqqkou.exe

pid	process
2028	c25c9877c55e1c43283910d400d91e2c.exe
2012	qaiuyqqkou.exe
580	WerFault.exe
580	WerFault.exe
580	WerFault.exe

description	pid	process	target process
PID 2012 set thread context of 1720	2012	qaiuyqqkou.exe	qaiuyqqkou.exe

pid	pid_target	process	target process
580	1720	WerFault.exe	qaiuyqqkou.exe

pid	process
2012	qaiuyqqkou.exe
2012	qaiuyqqkou.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

c25c9877c55e1c43283910d400d91e2c.exeqaiuyqqkou.exeqaiuyqqkou.exe

description	pid	process	target process
PID 2028 wrote to memory of 2012	2028	c25c9877c55e1c43283910d400d91e2c.exe	qaiuyqqkou.exe
PID 2028 wrote to memory of 2012	2028	c25c9877c55e1c43283910d400d91e2c.exe	qaiuyqqkou.exe
PID 2028 wrote to memory of 2012	2028	c25c9877c55e1c43283910d400d91e2c.exe	qaiuyqqkou.exe
PID 2028 wrote to memory of 2012	2028	c25c9877c55e1c43283910d400d91e2c.exe	qaiuyqqkou.exe
PID 2012 wrote to memory of 1720	2012	qaiuyqqkou.exe	qaiuyqqkou.exe
PID 2012 wrote to memory of 1720	2012	qaiuyqqkou.exe	qaiuyqqkou.exe
PID 2012 wrote to memory of 1720	2012	qaiuyqqkou.exe	qaiuyqqkou.exe
PID 2012 wrote to memory of 1720	2012	qaiuyqqkou.exe	qaiuyqqkou.exe
PID 2012 wrote to memory of 1720	2012	qaiuyqqkou.exe	qaiuyqqkou.exe
PID 1720 wrote to memory of 580	1720	qaiuyqqkou.exe	WerFault.exe
PID 1720 wrote to memory of 580	1720	qaiuyqqkou.exe	WerFault.exe
PID 1720 wrote to memory of 580	1720	qaiuyqqkou.exe	WerFault.exe
PID 1720 wrote to memory of 580	1720	qaiuyqqkou.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\c25c9877c55e1c43283910d400d91e2c.exe
"C:\Users\Admin\AppData\Local\Temp\c25c9877c55e1c43283910d400d91e2c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
"C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe" C:\Users\Admin\AppData\Local\Temp\ijarchpuy.du
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
"C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 36
4⤵
- Loads dropped DLL
- Program crash
PID:580

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ijarchpuy.du
Filesize
5KB

MD5
5cd14824d28319bfcac1b2e3cd8b532d

SHA1
49ed57453b9612e0ece3540b9740f613298a8644

SHA256
ae65f540f6bef4b0723294768991c65f88095de096c9f636ba4c2de7f095c7bf

SHA512
84bdd85fe9e34fcde4ab3abd57d670a7cd2694b160686aac8958c0a00aef066dffaeaa778f8c617431c2af5b4678d292f482a5de81ae33cbfbadce1e930f061b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
Filesize
12KB

MD5
a8c4431de2a0d976a45531402b8bf869

SHA1
21c57e797f9bf60103751b697b5e7323b22bee2d

SHA256
8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

SHA512
740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
Filesize
12KB

MD5
a8c4431de2a0d976a45531402b8bf869

SHA1
21c57e797f9bf60103751b697b5e7323b22bee2d

SHA256
8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

SHA512
740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
Filesize
12KB

MD5
a8c4431de2a0d976a45531402b8bf869

SHA1
21c57e797f9bf60103751b697b5e7323b22bee2d

SHA256
8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

SHA512
740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

Download Submit
C:\Users\Admin\AppData\Local\Temp\srumdm.hcb
Filesize
185KB

MD5
e923ffb3d4001485b028c1db73a2ad7d

SHA1
3974f858666c8ca752a93296a299e15e1c8228c8

SHA256
60240106d022b45f07902409a59611dd93c388b982608130194a38d6ee4fcf31

SHA512
0ce9501f722d51471fe648b632f7546770570c919ca314f1253344c83c24365ac39fe9fa93a3fda617725131f3898f7cc0fe5250bcc7e586b7ea6a4f54f96c1f

Download Submit
\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
Filesize
12KB

MD5
a8c4431de2a0d976a45531402b8bf869

SHA1
21c57e797f9bf60103751b697b5e7323b22bee2d

SHA256
8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

SHA512
740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

Download Submit
\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
Filesize
12KB

MD5
a8c4431de2a0d976a45531402b8bf869

SHA1
21c57e797f9bf60103751b697b5e7323b22bee2d

SHA256
8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

SHA512
740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

Download Submit
\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
Filesize
12KB

MD5
a8c4431de2a0d976a45531402b8bf869

SHA1
21c57e797f9bf60103751b697b5e7323b22bee2d

SHA256
8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

SHA512
740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

Download Submit
\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
Filesize
12KB

MD5
a8c4431de2a0d976a45531402b8bf869

SHA1
21c57e797f9bf60103751b697b5e7323b22bee2d

SHA256
8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

SHA512
740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

Download Submit
\Users\Admin\AppData\Local\Temp\qaiuyqqkou.exe
Filesize
12KB

MD5
a8c4431de2a0d976a45531402b8bf869

SHA1
21c57e797f9bf60103751b697b5e7323b22bee2d

SHA256
8e66bc3f9bfd964c231514774c1e01e3a05e7506f7d41938f1e49f1780e4c064

SHA512
740a72bb956545da927847a563ddd7cdde39bed50bd678ce2312b2565a9f0eac259c5cb447d860c17bdd7357fcdd8a9634ab68ff07844488b161790004947043

Download Submit
memory/580-64-0x0000000000000000-mapping.dmp

Download
memory/1720-62-0x000000000009F110-mapping.dmp

Download
memory/2012-56-0x0000000000000000-mapping.dmp

Download
memory/2028-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download