38f3bf6bf6dd6791d0598448bca8ecce052c47934b652d59d017a840971e6730

General

Target

263f7593bc33c3d3e4fc669b9fb9f432cb0f81bd.exe
Size

972KB
MD5

c8069511b8c5bbebe2dd922d088d3d0e
SHA1

263f7593bc33c3d3e4fc669b9fb9f432cb0f81bd
SHA256

38f3bf6bf6dd6791d0598448bca8ecce052c47934b652d59d017a840971e6730
SHA512

6d59d3a973bb73552f2e91a8ddfc82cc6c99c9d142a2ea3bb6c9e3c9ba575ef3ddb1b5e4cde6a6cccea076a3d7873ae863202f2bc6fd7886894059300cba9f2d
SSDEEP

24576:vYe5+W6JWE33pOeuBSVJMbCYwPBuKTPt8aQrYlj:QW+W6ZHpOeYSVyGYgBu6o+j

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
992	qtuxai.exe
888	qtuxai.exe

Loads dropped DLL 2 IoCs

pid	Process
2024	263f7593bc33c3d3e4fc669b9fb9f432cb0f81bd.exe
992	qtuxai.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 992 set thread context of 888	992	qtuxai.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
888	qtuxai.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
992	qtuxai.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	888	qtuxai.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 992	2024	263f7593bc33c3d3e4fc669b9fb9f432cb0f81bd.exe	27
PID 2024 wrote to memory of 992	2024	263f7593bc33c3d3e4fc669b9fb9f432cb0f81bd.exe	27
PID 2024 wrote to memory of 992	2024	263f7593bc33c3d3e4fc669b9fb9f432cb0f81bd.exe	27
PID 2024 wrote to memory of 992	2024	263f7593bc33c3d3e4fc669b9fb9f432cb0f81bd.exe	27
PID 992 wrote to memory of 888	992	qtuxai.exe	28
PID 992 wrote to memory of 888	992	qtuxai.exe	28
PID 992 wrote to memory of 888	992	qtuxai.exe	28
PID 992 wrote to memory of 888	992	qtuxai.exe	28
PID 992 wrote to memory of 888	992	qtuxai.exe	28

C:\Users\Admin\AppData\Local\Temp\263f7593bc33c3d3e4fc669b9fb9f432cb0f81bd.exe
"C:\Users\Admin\AppData\Local\Temp\263f7593bc33c3d3e4fc669b9fb9f432cb0f81bd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\qtuxai.exe
  "C:\Users\Admin\AppData\Local\Temp\qtuxai.exe" C:\Users\Admin\AppData\Local\Temp\fdrex.tvq
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Users\Admin\AppData\Local\Temp\qtuxai.exe
    "C:\Users\Admin\AppData\Local\Temp\qtuxai.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cyrvkqorf.iwy

Filesize
916KB

MD5
e43ee8c0261b82966f1208d1f40fdfad

SHA1
090926655a4d5f7d85aa5bc55c730140c5f15c40

SHA256
35b8c092d1f2c85928f603c147a15519bd41819c9b2809f563b14f84ae1c8236

SHA512
c200de4e995cb6f6a102276cfe066cdefbc756b3a365894cef24ad2df6224e65b9df1bc0b3e180fc3c24188147dddd5580462cea35a5ade586daf3fff5c5ea72

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdrex.tvq

Filesize
5KB

MD5
ada3e505bba872f2b7101cec6fbf1063

SHA1
1a9ca4bffb9607e18d03a06a2fcb84210f9f679d

SHA256
36e08877c991315b4d3caa52421ebb6aa97702474dffd0bcdea2d769edc9b8ac

SHA512
80d819d75e94549c6f3c71971ccf4a8e5805f01ce8bf6eafceeb039a2f30702d9b573609369db2e774bf8ee5b903a4766c50c77c4474da110d6162d19d36d4ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtuxai.exe

Filesize
113KB

MD5
1b2ebc0b30e0226d391e1e2825295a4b

SHA1
390f585f30f3fdd7dab514775f8840fe623dc3b8

SHA256
83f0f2269d43ba07480b6355340b9b7966a1045a9ecf0345ae694c2f5bed5c62

SHA512
5e3d6d41a9ad265fa63241b97779768e6a99aac92da87babb9a657524d2e5038a75d6ee084d7bcd5d8b06c517fd4e72fbfd0e712a9c5ad3b29c51864c80b1043

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtuxai.exe

Filesize
113KB

MD5
1b2ebc0b30e0226d391e1e2825295a4b

SHA1
390f585f30f3fdd7dab514775f8840fe623dc3b8

SHA256
83f0f2269d43ba07480b6355340b9b7966a1045a9ecf0345ae694c2f5bed5c62

SHA512
5e3d6d41a9ad265fa63241b97779768e6a99aac92da87babb9a657524d2e5038a75d6ee084d7bcd5d8b06c517fd4e72fbfd0e712a9c5ad3b29c51864c80b1043

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtuxai.exe

Filesize
113KB

MD5
1b2ebc0b30e0226d391e1e2825295a4b

SHA1
390f585f30f3fdd7dab514775f8840fe623dc3b8

SHA256
83f0f2269d43ba07480b6355340b9b7966a1045a9ecf0345ae694c2f5bed5c62

SHA512
5e3d6d41a9ad265fa63241b97779768e6a99aac92da87babb9a657524d2e5038a75d6ee084d7bcd5d8b06c517fd4e72fbfd0e712a9c5ad3b29c51864c80b1043

Download Submit
\Users\Admin\AppData\Local\Temp\qtuxai.exe

Filesize
113KB

MD5
1b2ebc0b30e0226d391e1e2825295a4b

SHA1
390f585f30f3fdd7dab514775f8840fe623dc3b8

SHA256
83f0f2269d43ba07480b6355340b9b7966a1045a9ecf0345ae694c2f5bed5c62

SHA512
5e3d6d41a9ad265fa63241b97779768e6a99aac92da87babb9a657524d2e5038a75d6ee084d7bcd5d8b06c517fd4e72fbfd0e712a9c5ad3b29c51864c80b1043

Download Submit
\Users\Admin\AppData\Local\Temp\qtuxai.exe

Filesize
113KB

MD5
1b2ebc0b30e0226d391e1e2825295a4b

SHA1
390f585f30f3fdd7dab514775f8840fe623dc3b8

SHA256
83f0f2269d43ba07480b6355340b9b7966a1045a9ecf0345ae694c2f5bed5c62

SHA512
5e3d6d41a9ad265fa63241b97779768e6a99aac92da87babb9a657524d2e5038a75d6ee084d7bcd5d8b06c517fd4e72fbfd0e712a9c5ad3b29c51864c80b1043

Download Submit
memory/888-66-0x0000000004790000-0x0000000004862000-memory.dmp

Filesize
840KB

Download
memory/888-67-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/888-68-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2024-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing