a197a6c39114ec527ec98ad1496bf330384585138c7475a51845cc5d2d906dd9

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1605174d27c500f2af02c175474df7dc.exe
Size

3.8MB
MD5

1605174d27c500f2af02c175474df7dc
SHA1

0530fe4749bdfdb98319577ce97c38020ddfd7ed
SHA256

a197a6c39114ec527ec98ad1496bf330384585138c7475a51845cc5d2d906dd9
SHA512

2f47f43341cfc7219bc0bfecd8667c6c8630d0fbf69c85e8b0785a850b7a48e0966ef33abbe71c095098b8fa5d62fe647841fe9c76aba18fac519849547fdcdd
SSDEEP

98304:8X4vK2A70nHuV5a7/pVssFgAEArIorCyazx1g:6cK2+2MazfsKpfcouyac

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1068	1605174d27c500f2af02c175474df7dc.tmp
932	Quae.exe

Loads dropped DLL 3 IoCs

pid	Process
2356	1605174d27c500f2af02c175474df7dc.exe
1068	1605174d27c500f2af02c175474df7dc.tmp
932	Quae.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
932	Quae.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1068	2356	1605174d27c500f2af02c175474df7dc.exe	2
PID 2356 wrote to memory of 1068	2356	1605174d27c500f2af02c175474df7dc.exe	2
PID 2356 wrote to memory of 1068	2356	1605174d27c500f2af02c175474df7dc.exe	2
PID 2356 wrote to memory of 1068	2356	1605174d27c500f2af02c175474df7dc.exe	2
PID 2356 wrote to memory of 1068	2356	1605174d27c500f2af02c175474df7dc.exe	2
PID 2356 wrote to memory of 1068	2356	1605174d27c500f2af02c175474df7dc.exe	2
PID 2356 wrote to memory of 1068	2356	1605174d27c500f2af02c175474df7dc.exe	2
PID 1068 wrote to memory of 932	1068	1605174d27c500f2af02c175474df7dc.tmp	1
PID 1068 wrote to memory of 932	1068	1605174d27c500f2af02c175474df7dc.tmp	1
PID 1068 wrote to memory of 932	1068	1605174d27c500f2af02c175474df7dc.tmp	1
PID 1068 wrote to memory of 932	1068	1605174d27c500f2af02c175474df7dc.tmp	1
PID 1068 wrote to memory of 932	1068	1605174d27c500f2af02c175474df7dc.tmp	1
PID 1068 wrote to memory of 932	1068	1605174d27c500f2af02c175474df7dc.tmp	1
PID 1068 wrote to memory of 932	1068	1605174d27c500f2af02c175474df7dc.tmp	1

C:\Users\Admin\AppData\Local\Temp\is-QEFDI.tmp\Quae.exe
"C:\Users\Admin\AppData\Local\Temp\is-QEFDI.tmp\Quae.exe" 6f19a9f61f08fd68496b26c51c68c12a
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:932

C:\Users\Admin\AppData\Local\Temp\is-MITN2.tmp\1605174d27c500f2af02c175474df7dc.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MITN2.tmp\1605174d27c500f2af02c175474df7dc.tmp" /SL5="$70124,3277854,721408,C:\Users\Admin\AppData\Local\Temp\1605174d27c500f2af02c175474df7dc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Local\Temp\1605174d27c500f2af02c175474df7dc.exe
"C:\Users\Admin\AppData\Local\Temp\1605174d27c500f2af02c175474df7dc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-MITN2.tmp\1605174d27c500f2af02c175474df7dc.tmp

Filesize
2.4MB

MD5
8e2d270339dcd0a68fbb2f02a65d45dd

SHA1
bfcdb1f71692020858f96960e432e94a4e70c4a4

SHA256
506176b3245de84bb0b7a4da4b8068b9dd289eb9a3a1757d4183c7c3f168c811

SHA512
31eac8aabe8ac83f24d4eba21bc3a52b56105f52402aeb00e505a6be3208cf92cc57529b26f1b29605f554dccdff51e9f28f584268bfda689f53be624f3fd647

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QEFDI.tmp\Quae.exe

Filesize
2.7MB

MD5
422dc5aea830440f0906f95a58663ff3

SHA1
5fa6a44872a90dbf55489db77ba08bebc7da8160

SHA256
619cc386aba4e2230c60e2901adf0afa31a7596103dfb085030c268d5b7e23af

SHA512
d97341715685d59d59d71ba8f76d2c6728f05dcc9a5743797899a5e13ad9751e2bebad583e0377baa9348b81c08aec7ef07e94ef8bab4519abd1c953f5fdd729

Download Submit
\Users\Admin\AppData\Local\Temp\is-QEFDI.tmp\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/932-20-0x0000000000400000-0x00000000014CC000-memory.dmp

Filesize
16.8MB

Download
memory/932-19-0x0000000000400000-0x00000000014CC000-memory.dmp

Filesize
16.8MB

Download
memory/932-21-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/932-24-0x0000000000400000-0x00000000014CC000-memory.dmp

Filesize
16.8MB

Download
memory/932-25-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/932-31-0x0000000000400000-0x00000000014CC000-memory.dmp

Filesize
16.8MB

Download
memory/1068-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1068-23-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/1068-30-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2356-1-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2356-22-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download