Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted
08/08/2023, 07:01
Static task
static1
Behavioral task
behavioral1
Sample
Femetageshuse.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
Femetageshuse.exe
Resource
win10v2004-20230703-en
General
-
Target
Femetageshuse.exe
-
Size
556KB
-
MD5
78a9fbf0b6e82c535aef4c848406d77d
-
SHA1
b8a419f43674bcfcee6ed5d680ccc02fe1dc6f54
-
SHA256
24f8a7c390962f0a9094dba45d9000ec7024e87adc7992740311775fcf0bd51d
-
SHA512
1ab8c6d1199fd9eed809cbc044fe3a5b4c782717dd23a60ea2a0241543b9331922aa7fc593c4214b1610c0105c2681fa6b039be34c7abf71e00df2940e809347
-
SSDEEP
12288:e81oDihelogYzTEg7eTtAjzDcut04Ma8bJhy8v2N:NaHMzDjzDcutpMaI2N
Malware Config
Signatures
-
Checks QEMU agent file 2 TTPs 1 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
description | ioc | Process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Femetageshuse.exe
Loads dropped DLL 1 IoCs
pid | Process
2528 | Femetageshuse.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2884 | 2528 | WerFault.exe | 27
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2528 wrote to memory of 2884 | 2528 | Femetageshuse.exe | 30
PID 2528 wrote to memory of 2884 | 2528 | Femetageshuse.exe | 30
PID 2528 wrote to memory of 2884 | 2528 | Femetageshuse.exe | 30
PID 2528 wrote to memory of 2884 | 2528 | Femetageshuse.exe | 30
All four writes target PID 2884, the WerFault.exe child that the crashing process itself launched; writes from a crashing process into its own WER handler are part of the normal crash-reporting flow and are not by themselves evidence of process injection.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Femetageshuse.exe
"C:\Users\Admin\AppData\Local\Temp\Femetageshuse.exe"
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528
  C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1832
  - Program crash
  PID:2884
  (WerFault.exe is taken from SysWOW64, so the crashing sample was running as a 32-bit process, matching the arch:x86 resource tag.)
-
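The two behaviours recorded above, a read-only open of the QEMU guest agent binary followed by a crash into WerFault.exe, are easy to correlate in endpoint telemetry. The following is an added example written for this page, not code from the Triage report or the sample; it runs over constructed file-open and process-start events modelled on the PIDs, paths and WerFault command line shown in the report. The VirtualBox and VMware paths, the notepad.exe process and the readme.txt path are assumptions added for illustration and do not appear in the report.

```python
"""Correlate VM-agent file probes with WerFault crashes over sample events.

Added example for this page; the events below are constructed, not real
telemetry. PIDs, paths and the WerFault command line mirror the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Paths whose read-only open is a strong signal of a sandbox/VM probe.
# The QEMU path is the one in the report; the other two are assumed
# well-known guest-tool locations, added here for illustration only.
VM_AGENT_PATHS = {
    r"c:\program files\qemu-ga\qemu-ga.exe": "QEMU guest agent",
    r"c:\windows\system32\vboxservice.exe": "VirtualBox guest service (assumed)",
    r"c:\program files\vmware\vmware tools\vmtoolsd.exe": "VMware Tools (assumed)",
}


@dataclass
class FileOpen:
    pid: int
    image: str
    path: str
    access: str  # "read" or "write"


@dataclass
class ProcessStart:
    pid: int
    image: str
    cmdline: str


# WerFault is launched as: WerFault.exe -u -p <crashed pid> -s <event handle>
_WERFAULT_PID = re.compile(r"\bwerfault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)


def werfault_target(cmdline: str) -> Optional[int]:
    """Return the PID WerFault was asked to report on, or None."""
    m = _WERFAULT_PID.search(cmdline)
    return int(m.group(1)) if m else None


def vm_probes(file_events: List[FileOpen]) -> Dict[int, List[str]]:
    """Map each pid to the VM-agent paths it opened (case-insensitive match)."""
    hits: Dict[int, List[str]] = {}
    for ev in file_events:
        if ev.path.lower() in VM_AGENT_PATHS:
            hits.setdefault(ev.pid, []).append(ev.path)
    return hits


def crashed_pids(proc_events: List[ProcessStart]) -> Set[int]:
    """PIDs that had a WerFault.exe instance launched against them."""
    targets = (werfault_target(p.cmdline) for p in proc_events)
    return {t for t in targets if t is not None}


def probe_then_crash(file_events: List[FileOpen], proc_events: List[ProcessStart]) -> List[dict]:
    """Processes that probed for a VM agent, annotated with whether they crashed.

    A crash immediately after an environment check deserves a second look:
    the sample may have decided it was being analysed, or simply hit a bug.
    """
    probes = vm_probes(file_events)
    crashed = crashed_pids(proc_events)
    images = {p.pid: p.image for p in proc_events}
    return [
        {"pid": pid, "image": images.get(pid, "?"), "probes": paths, "crashed": pid in crashed}
        for pid, paths in sorted(probes.items())
    ]


# Constructed events mirroring the report (pids and paths taken from it);
# the notepad.exe process and readme.txt open are assumed benign noise.
SAMPLE_PROCS = [
    ProcessStart(2528, r"C:\Users\Admin\AppData\Local\Temp\Femetageshuse.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\Femetageshuse.exe"'),
    ProcessStart(2884, r"C:\Windows\SysWOW64\WerFault.exe",
                 r"C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1832"),
    ProcessStart(3100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
SAMPLE_FILES = [
    FileOpen(2528, "Femetageshuse.exe", r"C:\Program Files\Qemu-ga\qemu-ga.exe", "read"),
    FileOpen(3100, "notepad.exe", r"C:\Users\Admin\readme.txt", "read"),
]

if __name__ == "__main__":
    for row in probe_then_crash(SAMPLE_FILES, SAMPLE_PROCS):
        print(row)
```

The WerFault parse deliberately keys on the `-p` argument rather than on the parent/child relation, because the crashing process is both the parent of WerFault.exe and the target it reports on; using the command line keeps the correlation correct even when telemetry records the two events out of order.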
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
11KB
MD5
4d3b19a81bd51f8ce44b93643a4e3a99
SHA1
35f8b00e85577b014080df98bd2c378351d9b3e9
SHA256
fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce
SHA512
b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622