7c530b0b55443db7e966b7420b27fb6ed79f8e70fc349fb00087f6d1e4b7cc25

General

Target

16d11d38d21891939f768acbdb6bf9326ed69100.exe
Size

354KB
MD5

06bcb9616a54e2762e3ff8ffb3ac7c83
SHA1

16d11d38d21891939f768acbdb6bf9326ed69100
SHA256

7c530b0b55443db7e966b7420b27fb6ed79f8e70fc349fb00087f6d1e4b7cc25
SHA512

b4f9b869e420ba6ae7e54462556a2da4379d9b5d8b0fe8beb4e22668abb35e4070be22bc0d272a287153bc0328c18962e750037d8f086284c438021cfcd21825
SSDEEP

6144:kYa6TmPuL+3v6pfqe10A0MJHCwOTiRAf1yWwBYUig51cF96EQ1:kYBR+3MCeu0dy4Af1yWeYUigDcF96EQ1

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1764	qdoktiy.exe
1812	qdoktiy.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	qdoktiy.exe

Loads dropped DLL 3 IoCs

pid	Process
1252	16d11d38d21891939f768acbdb6bf9326ed69100.exe
1764	qdoktiy.exe
1148	chkdsk.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1764 set thread context of 1812	1764	qdoktiy.exe	28
PID 1812 set thread context of 1204	1812	qdoktiy.exe	12
PID 1148 set thread context of 1204	1148	chkdsk.exe	12

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1812	qdoktiy.exe
1812	qdoktiy.exe
1812	qdoktiy.exe
1812	qdoktiy.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1204	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1764	qdoktiy.exe
1812	qdoktiy.exe
1812	qdoktiy.exe
1812	qdoktiy.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe
1148	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	qdoktiy.exe
Token: SeDebugPrivilege	1148	chkdsk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1204	Explorer.EXE
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1764	1252	16d11d38d21891939f768acbdb6bf9326ed69100.exe	27
PID 1252 wrote to memory of 1764	1252	16d11d38d21891939f768acbdb6bf9326ed69100.exe	27
PID 1252 wrote to memory of 1764	1252	16d11d38d21891939f768acbdb6bf9326ed69100.exe	27
PID 1252 wrote to memory of 1764	1252	16d11d38d21891939f768acbdb6bf9326ed69100.exe	27
PID 1764 wrote to memory of 1812	1764	qdoktiy.exe	28
PID 1764 wrote to memory of 1812	1764	qdoktiy.exe	28
PID 1764 wrote to memory of 1812	1764	qdoktiy.exe	28
PID 1764 wrote to memory of 1812	1764	qdoktiy.exe	28
PID 1764 wrote to memory of 1812	1764	qdoktiy.exe	28
PID 1204 wrote to memory of 1148	1204	Explorer.EXE	29
PID 1204 wrote to memory of 1148	1204	Explorer.EXE	29
PID 1204 wrote to memory of 1148	1204	Explorer.EXE	29
PID 1204 wrote to memory of 1148	1204	Explorer.EXE	29
PID 1148 wrote to memory of 1600	1148	chkdsk.exe	32
PID 1148 wrote to memory of 1600	1148	chkdsk.exe	32
PID 1148 wrote to memory of 1600	1148	chkdsk.exe	32
PID 1148 wrote to memory of 1600	1148	chkdsk.exe	32
PID 1148 wrote to memory of 1600	1148	chkdsk.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\16d11d38d21891939f768acbdb6bf9326ed69100.exe
  "C:\Users\Admin\AppData\Local\Temp\16d11d38d21891939f768acbdb6bf9326ed69100.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\qdoktiy.exe
    "C:\Users\Admin\AppData\Local\Temp\qdoktiy.exe" C:\Users\Admin\AppData\Local\Temp\kudajbqj.g
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\qdoktiy.exe
      "C:\Users\Admin\AppData\Local\Temp\qdoktiy.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1812
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\kudajbqj.g

Filesize
5KB

MD5
aeb6a2dc2a4a22cf5de4f56661f20e16

SHA1
0fa071ff4fd4bf35d96f8fb4f7b45ab0b8521515

SHA256
168ffda172997e02f01e7c8c4cd2b30ffc4b7366f1acfbe029353d13c99990a1

SHA512
b88afc2d2515b4ae106f63af889f94d09d85bb35bc9ec6e915c3e60c06b1ac7df925348a0b0806f126906280907117b6db9bd4f42eadbccaaf1aed29d8dda6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nynof.ibc

Filesize
206KB

MD5
d5ca5091a7377bc2fd2fbb271dcd8338

SHA1
f2629ea5132238f563f4ab615b05c2dce8fcf796

SHA256
5e6f7370f76d2986adafb7c2aebda820bf28d334c61b553eb15dddbd58078814

SHA512
3096e32fa82b7c67cc869c49f2b11353cb06ab9a6316f96c158f1b41963778f04f2b65e0b1424d858aa83f90d8c3dcc7ad1eb18c779625e2f49ad36d64fef9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdoktiy.exe

Filesize
52KB

MD5
3bc5576964618b8c5f6241c4247ca04b

SHA1
0876a0b44bfccdfdccf609898b803bdf6845ec5d

SHA256
0a82b92f315096ef1ca9518947a34b751ed49b366d1a2196fbcde1b517e4a998

SHA512
1aecaae7a5c6dcc7cf43f8e913ce5059e85d9ee5580e01779b27040fb7661e0e95f559d19afbafba62b21ff03d9689ae739552a9c63e57923a20d08e0c440454

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdoktiy.exe

Filesize
52KB

MD5
3bc5576964618b8c5f6241c4247ca04b

SHA1
0876a0b44bfccdfdccf609898b803bdf6845ec5d

SHA256
0a82b92f315096ef1ca9518947a34b751ed49b366d1a2196fbcde1b517e4a998

SHA512
1aecaae7a5c6dcc7cf43f8e913ce5059e85d9ee5580e01779b27040fb7661e0e95f559d19afbafba62b21ff03d9689ae739552a9c63e57923a20d08e0c440454

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdoktiy.exe

Filesize
52KB

MD5
3bc5576964618b8c5f6241c4247ca04b

SHA1
0876a0b44bfccdfdccf609898b803bdf6845ec5d

SHA256
0a82b92f315096ef1ca9518947a34b751ed49b366d1a2196fbcde1b517e4a998

SHA512
1aecaae7a5c6dcc7cf43f8e913ce5059e85d9ee5580e01779b27040fb7661e0e95f559d19afbafba62b21ff03d9689ae739552a9c63e57923a20d08e0c440454

Download Submit
\Users\Admin\AppData\Local\Temp\qdoktiy.exe

Filesize
52KB

MD5
3bc5576964618b8c5f6241c4247ca04b

SHA1
0876a0b44bfccdfdccf609898b803bdf6845ec5d

SHA256
0a82b92f315096ef1ca9518947a34b751ed49b366d1a2196fbcde1b517e4a998

SHA512
1aecaae7a5c6dcc7cf43f8e913ce5059e85d9ee5580e01779b27040fb7661e0e95f559d19afbafba62b21ff03d9689ae739552a9c63e57923a20d08e0c440454

Download Submit
\Users\Admin\AppData\Local\Temp\qdoktiy.exe

Filesize
52KB

MD5
3bc5576964618b8c5f6241c4247ca04b

SHA1
0876a0b44bfccdfdccf609898b803bdf6845ec5d

SHA256
0a82b92f315096ef1ca9518947a34b751ed49b366d1a2196fbcde1b517e4a998

SHA512
1aecaae7a5c6dcc7cf43f8e913ce5059e85d9ee5580e01779b27040fb7661e0e95f559d19afbafba62b21ff03d9689ae739552a9c63e57923a20d08e0c440454

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
832KB

MD5
07fb6d31f37fb1b4164bef301306c288

SHA1
4cb41af6d63a07324ef6b18b1a1f43ce94e25626

SHA256
06ddf0a370af00d994824605a8e1307ba138f89b2d864539f0d19e8804edac02

SHA512
cab4a7c5805b80851aba5f2c9b001fabc1416f6648d891f49eacc81fe79287c5baa01306a42298da722750b812a4ea85388ffae9200dcf656dd1d5b5b9323353

Download Submit
memory/1148-70-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/1148-71-0x0000000002060000-0x0000000002363000-memory.dmp

Filesize
3.0MB

Download
memory/1148-75-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/1148-72-0x0000000001D90000-0x0000000001E1F000-memory.dmp

Filesize
572KB

Download
memory/1148-69-0x0000000000160000-0x0000000000167000-memory.dmp

Filesize
28KB

Download
memory/1204-76-0x0000000004F00000-0x0000000004FF5000-memory.dmp

Filesize
980KB

Download
memory/1204-73-0x0000000004F00000-0x0000000004FF5000-memory.dmp

Filesize
980KB

Download
memory/1204-67-0x0000000004CC0000-0x0000000004D94000-memory.dmp

Filesize
848KB

Download
memory/1252-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1812-66-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1812-65-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1812-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads