Malware Analysis Report

2025-08-10 22:58

Sample ID: 230328-ar54aahh4x
Target: q.ex
SHA256: f6a4b33ecf988c80b0c5aa280a5a3850f44bb3931ae0d845df7c064803c5f7c7
Tags: ransomware, spyware, stealer
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: f6a4b33ecf988c80b0c5aa280a5a3850f44bb3931ae0d845df7c064803c5f7c7

Threat Level: Likely malicious

The file q.ex was found to be: Likely malicious.

Malicious Activity Summary

Tags: ransomware, spyware, stealer

Modifies extensions of user files

Reads user/profile data of web browsers

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Reported: 2023-03-28 00:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-03-28 00:27
Reported: 2023-03-28 00:28
Platform: win7-20230220-en
Max time kernel: 28s

Command Line

"C:\Users\Admin\AppData\Local\Temp\q.exe"

Signatures

Modifies extensions of user files

Tags: ransomware

File renamed
  Indicator: C:\Users\Admin\Pictures\ConvertToSet.raw => \??\c:\users\admin\pictures\ConvertToSet.raw.encrypted
  Process: C:\Users\Admin\AppData\Local\Temp\q.exe
  Target: N/A

File renamed
  Indicator: C:\Users\Admin\Pictures\GrantWait.png => \??\c:\users\admin\pictures\GrantWait.png.encrypted
  Process: C:\Users\Admin\AppData\Local\Temp\q.exe
  Target: N/A

File renamed
  Indicator: C:\Users\Admin\Pictures\ImportComplete.raw => \??\c:\users\admin\pictures\ImportComplete.raw.encrypted
  Process: C:\Users\Admin\AppData\Local\Temp\q.exe
  Target: N/A

File renamed
  Indicator: C:\Users\Admin\Pictures\UnregisterGrant.raw => \??\c:\users\admin\pictures\UnregisterGrant.raw.encrypted
  Process: C:\Users\Admin\AppData\Local\Temp\q.exe
  Target: N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Opens file in notepad (likely ransom note)

Tags: ransomware

  Description: N/A
  Indicator: N/A
  Process: C:\Windows\system32\NOTEPAD.EXE
  Target: N/A

Suspicious use of AdjustPrivilegeToken

  Description: Token: SeDebugPrivilege
  Indicator: N/A
  Process: C:\Windows\system32\taskmgr.exe
  Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\q.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\q.exe"

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DECRYPT.TXT

Network

N/A

Files

memory/1940-54-0x0000000001360000-0x000000000136C000-memory.dmp

memory/1940-55-0x000000001B110000-0x000000001B190000-memory.dmp

memory/1940-84-0x000000001B110000-0x000000001B190000-memory.dmp

C:\Users\Admin\Desktop\DECRYPT_ReadMe1.TXT.ReadMe

MD5 0e7f3fcea239c2d0c77f1e6bb486846e
SHA1 ac08c9f4ddd880cc50ee822efeea255cbf9e4bf0
SHA256 7080c28f01d0faadd652ad863fc9fdaeda478d18c8ad29754cc54006e5889dd6
SHA512 d3a694689bae1a7e6efb1b5b59be7d6b87819008dda5d8c97fc3df38c09e08266314d3dbbec065a68fe2033084c3c1618cee975f726449e38fe3927b188ac82a

C:\vcredist2010_x86.log.html

MD5 8e429bed7b6b10a2af9971bd25744f35
SHA1 e10658497f31e73e83c5c19e66f2a364154fb380
SHA256 0124bc0dbea6b2faae49f01f35985648f566257e45123bce44b9bca0cd4f3b09
SHA512 d98a320c2ecc96f535e83120ac2abeb4aca6e0792b1e3a34ac6e03d5d93d5163c07382f3f510770b5407a0944e54685e290790d5578b6e9634d7cbac1a29df9c

memory/240-838-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/240-839-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1940-840-0x000000001B110000-0x000000001B190000-memory.dmp

C:\Users\Admin\Desktop\DECRYPT.TXT

MD5 e357eb9271c77460d19016b793125c53
SHA1 d0c6ac79c3b2c8eb911592eb3f84d354cc5bebbb
SHA256 f87cc0f1caded84e06027100472052da0b32ea9bc75f2f87da18e6b28a4f2789
SHA512 6d46988485a4b9204fb87a08db0a7cfc3dfaf5ad661ba5c3b62e9722c72a4b95b1bdc190383220030ba32cef662cbec1ab9f6a9bad2b2da6adf8dc5d3755cef4