Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system
submitted: 02-11-2023 08:56
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.e279f4db9a67da5a8a8236db2fd54aa0_JC.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: NEAS.e279f4db9a67da5a8a8236db2fd54aa0_JC.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.e279f4db9a67da5a8a8236db2fd54aa0_JC.exe
Size: 396KB
MD5: e279f4db9a67da5a8a8236db2fd54aa0
SHA1: 4ba2adddadf8534ec714feec6210f0f5449fcba2
SHA256: 3b591aee9fb7e8e089f69cc8fe198df85e4e544cca580ec1d8850719b4cdff59
SHA512: bfc6411fda5f956bf54785ca97bfa98f19a5c7d73fdc08071155bb171478a089e4a79118bdae343305560703dd883039c445b1cc3a5e0b79f63b1d439dc7386b
SSDEEP: 6144:yXIp3oRtL6q0SNyRSFKYyNU9t0JT8vKArIydVuw3GX1pv7DaPe+1qOWGMcQ1fXRj:y4StL68NWYKYyNUmAv7b4aPb4OWHcQ2
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Process: qlhaj.exe
-
Executes dropped EXE 1 IoCs
pid: 2240  Process: qlhaj.exe
-
Loads dropped DLL 2 IoCs
pid: 2644  Process: NEAS.e279f4db9a67da5a8a8236db2fd54aa0_JC.exe (2 hits)
-
Adds Run key to start application 2 TTPs 50 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlhaj = "C:\\Users\\Admin\\qlhaj.exe /<switch>"
Process: qlhaj.exe
The same value was written 50 times, each write with a different single-character switch, in this order:
/E /c /g /C /Q /Z /d /b /D /y /o /n /z /A /G /Y /s /w /B /V /L /M /e /i /h /m /P /f /u /v /x /N /S /p /I /O /W /T /K /H /F /X /j /r /a /k /l /R /q /t
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid: 2240  Process: qlhaj.exe (64 hits)
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid: 2644  Process: NEAS.e279f4db9a67da5a8a8236db2fd54aa0_JC.exe
pid: 2240  Process: qlhaj.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description: PID 2644 wrote to memory of 2240
pid: 2644  Process: NEAS.e279f4db9a67da5a8a8236db2fd54aa0_JC.exe  procid_target: 28 (4 hits)
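The two registry signatures above (ShowSuperHidden forced to 0, and the Run value `qlhaj` rewritten 50 times with a different switch each time) are the artefacts a responder would hunt for on other hosts. The following Python is an added example and is not part of the Triage report or of the sample's code. It parses IoC lines in the report's own `Set value (type) <key>\<name> = "<data>" <process>` layout (the sample lines are constructed from the report; three of the fifty Run-key writes are enough to show the pattern), maps the native `\REGISTRY\USER\<SID>` prefix to HKCU so the key is host-agnostic, and flags a Run value whose image sits directly under a user-profile root together with the ShowSuperHidden change. The function names, the regular expressions and the "profile root" heuristic are my assumptions, not something the report states.

```python
"""Turn the report's registry IoC lines into hunt artefacts.

Added example; not part of the Triage report or the sample's code.
"""
import re
from collections import OrderedDict

# Constructed from the report's two registry signatures (three of the
# fifty Run-key rewrites are enough to show the pattern).
SAMPLE_IOCS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" qlhaj.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlhaj = "C:\\Users\\Admin\\qlhaj.exe /E" qlhaj.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlhaj = "C:\\Users\\Admin\\qlhaj.exe /c" qlhaj.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlhaj = "C:\\Users\\Admin\\qlhaj.exe /g" qlhaj.exe
"""

# Layout of one IoC line as the report renders it (assumption: the value
# name is the last path component and contains no backslash or space).
IOC_RE = re.compile(
    r'^Set value \((?P<type>int|str)\) '
    r'(?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+) = "(?P<data>.*)" (?P<proc>\S+)$'
)
# Native-format hive prefixes mapped to the names Regedit/PowerShell use.
USER_HIVE_RE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21(?:-\d+)+(?=\\)', re.I)
MACHINE_HIVE_RE = re.compile(r'^\\REGISTRY\\MACHINE(?=\\)', re.I)
# Heuristic (my assumption): an image directly under C:\Users\<name>\ is
# unusual for legitimate autostarts and worth flagging.
PROFILE_ROOT_EXE = re.compile(r'^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$', re.I)


def normalize_key(key: str) -> str:
    """Rewrite the REGISTRY\\USER\\<SID> prefix as HKCU (and MACHINE as HKLM)."""
    key = USER_HIVE_RE.sub('HKCU', key)
    return MACHINE_HIVE_RE.sub('HKLM', key)


def parse_iocs(text: str) -> list:
    """Parse 'Set value (...)' lines into dicts with type/key/name/data/proc."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = IOC_RE.match(line)
        if m is None:
            raise ValueError(f'unrecognised IoC line: {line!r}')
        rec = m.groupdict()
        rec['key'] = normalize_key(rec['key'])
        # The report doubles backslashes inside string data; undo that.
        rec['data'] = rec['data'].replace('\\\\', '\\')
        records.append(rec)
    return records


def split_command(cmd: str):
    """Split a Run value into (image path, arguments); handles a quoted image."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    image, _, args = cmd.partition(' ')
    return image, args.strip()


def analyse(records: list) -> list:
    """Group writes per registry value and flag persistence / Explorer-hiding artefacts."""
    by_value = OrderedDict()
    for rec in records:
        by_value.setdefault((rec['key'], rec['name']), []).append(rec)
    findings = []
    for (key, name), hits in by_value.items():
        writers = sorted({h['proc'] for h in hits})
        leaf = key.rsplit('\\', 1)[-1].lower()
        if leaf in ('run', 'runonce'):
            images = OrderedDict()
            for h in hits:
                image, args = split_command(h['data'])
                images.setdefault(image, []).append(args)
            for image, arg_list in images.items():
                findings.append({
                    'technique': 'persistence via Run key',
                    'key': key, 'value': name, 'image': image,
                    'args': arg_list, 'rewrites': len(arg_list),
                    'in_profile_root': bool(PROFILE_ROOT_EXE.match(image)),
                    'writers': writers,
                })
        elif name.lower() == 'showsuperhidden' and any(h['data'] == '0' for h in hits):
            findings.append({
                'technique': 'hide hidden/system files in Explorer',
                'key': key, 'value': name, 'data': '0', 'writers': writers,
            })
    return findings


def hunt_artefacts(text: str = SAMPLE_IOCS) -> list:
    """Convenience wrapper: report text in, list of findings out."""
    return analyse(parse_iocs(text))


if __name__ == '__main__':
    for finding in hunt_artefacts():
        print(finding)
```

The output is a small, host-independent hunt list: one Run-key finding carrying the image path, every switch seen and the process that wrote it, and one finding for the ShowSuperHidden change. On a live host the same `HKCU\...\Run` and `...\Explorer\Advanced\ShowSuperHidden` paths can be queried directly; the parser exists so the report's native `\REGISTRY\USER\<SID>` form does not have to be translated by hand.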
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\NEAS.e279f4db9a67da5a8a8236db2fd54aa0_JC.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e279f4db9a67da5a8a8236db2fd54aa0_JC.exe"
   PID: 2644
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
-
2. C:\Users\Admin\qlhaj.exe (child of PID 2644)
   command line: "C:\Users\Admin\qlhaj.exe"
   PID: 2240
   - Modifies visibility of hidden/system files in Explorer
   - Executes dropped EXE
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 396KB
MD5: fd320c8f59f01bd0301c3852712350b7
SHA1: e5f59e3db15742da7dfccb9a5e0e8cd5dfa0b0d8
SHA256: 5ea50ae21c6bf0cd8ee4ef341e13e46c90635b89fd1a6682e0f0333c3c855e75
SHA512: e688f1bfe51edf251f94e111cdcd5d0561f6475b4b6c6120a78555f201328339a65ccf81f7086ac56465dd5823ed782586c9b2d93a75a4ecefe88bcd533f8b91