3dfae92d309854993b81b3189b9d626018866e27f6d524c3e0585fa9a224dddf

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

441f575a34b0155b0d0094505425b2a7.exe
Size

48KB
MD5

441f575a34b0155b0d0094505425b2a7
SHA1

a1b36b5a3d9ef1cfb3a40eb687350e5d532b63eb
SHA256

3dfae92d309854993b81b3189b9d626018866e27f6d524c3e0585fa9a224dddf
SHA512

93af676cc6314c739dcb175b4243c89ed9839b4a0f071cae08465131c97e84bd9a06fefd5a07a78ae2f2f0d664d0c9b72ad23a11d5d2f7e711a4e98891e0d644
SSDEEP

768:pgNEhmOgZ/9v+6wH9H7MfygXaDMFQXD7e:pgamP/Z6NNDsQXD7

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qlviis.exe

Executes dropped EXE 1 IoCs

pid	Process
2780	qlviis.exe

Loads dropped DLL 2 IoCs

pid	Process
2312	441f575a34b0155b0d0094505425b2a7.exe
2312	441f575a34b0155b0d0094505425b2a7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\qlviis = "C:\\Users\\Admin\\qlviis.exe"	qlviis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe
2780	qlviis.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2312	441f575a34b0155b0d0094505425b2a7.exe
2780	qlviis.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2780	2312	441f575a34b0155b0d0094505425b2a7.exe	28
PID 2312 wrote to memory of 2780	2312	441f575a34b0155b0d0094505425b2a7.exe	28
PID 2312 wrote to memory of 2780	2312	441f575a34b0155b0d0094505425b2a7.exe	28
PID 2312 wrote to memory of 2780	2312	441f575a34b0155b0d0094505425b2a7.exe	28
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27
PID 2780 wrote to memory of 2312	2780	qlviis.exe	27

C:\Users\Admin\AppData\Local\Temp\441f575a34b0155b0d0094505425b2a7.exe
"C:\Users\Admin\AppData\Local\Temp\441f575a34b0155b0d0094505425b2a7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\qlviis.exe
  "C:\Users\Admin\qlviis.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\qlviis.exe

Filesize
48KB

MD5
1b87bfdd0fc9c5abd9c4b56c01513874

SHA1
e4a1ed111ac6b39b31bf0ab3059853f1ba4e76f7

SHA256
b45707ac0ded8bccf517ae4b12e77d080a07e5db043440a428ade24d194782c5

SHA512
073918e029f4a1c753c053f03bba446b99431e29f451908e1a2124ca922aac0caf1958f4d1b034a7046e0d8bb6c774ce5b7d441fe2670f68108d02b43ae1a259

Download Submit