781d7449f72545fbcf74b6dd95f682a655621432aab9beba7648c9b9d0a59b86

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fd5b9b452678ae6eae726cce2a1f991.exe
Size

55KB
MD5

0fd5b9b452678ae6eae726cce2a1f991
SHA1

a78ac2ecce8a00e853422277f78ebd89854be5e4
SHA256

781d7449f72545fbcf74b6dd95f682a655621432aab9beba7648c9b9d0a59b86
SHA512

aa76020a53adb3337cc4d1e4bea8551a8812fdf327115e86d8f0a67d439dcd31e1db7d62c0d2e1eeeaa095b75755ff05e81860f0c285d4f952f3b7aa18199bc0
SSDEEP

1536:zzFnuM5luIUYTEE7punsUeS6m/r/8Z3Leq4SoyISbN:VfPUSOZ6QrcLL1oyISB

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\QuickTime Task = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0fd5b9b452678ae6eae726cce2a1f991.exe"	0fd5b9b452678ae6eae726cce2a1f991.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	0fd5b9b452678ae6eae726cce2a1f991.exe

Executes dropped EXE 1 IoCs

pid	Process
2844	qttaskm.exe

Loads dropped DLL 2 IoCs

pid	Process
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe
2844	qttaskm.exe
2968	0fd5b9b452678ae6eae726cce2a1f991.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2844	2968	0fd5b9b452678ae6eae726cce2a1f991.exe	25
PID 2968 wrote to memory of 2844	2968	0fd5b9b452678ae6eae726cce2a1f991.exe	25
PID 2968 wrote to memory of 2844	2968	0fd5b9b452678ae6eae726cce2a1f991.exe	25
PID 2968 wrote to memory of 2844	2968	0fd5b9b452678ae6eae726cce2a1f991.exe	25
PID 2968 wrote to memory of 2840	2968	0fd5b9b452678ae6eae726cce2a1f991.exe	26
PID 2968 wrote to memory of 2840	2968	0fd5b9b452678ae6eae726cce2a1f991.exe	26
PID 2968 wrote to memory of 2840	2968	0fd5b9b452678ae6eae726cce2a1f991.exe	26
PID 2968 wrote to memory of 2840	2968	0fd5b9b452678ae6eae726cce2a1f991.exe	26

C:\Users\Admin\AppData\Local\Temp\0fd5b9b452678ae6eae726cce2a1f991.exe
"C:\Users\Admin\AppData\Local\Temp\0fd5b9b452678ae6eae726cce2a1f991.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\qttaskm.exe
  C:\Users\Admin\AppData\Local\Temp\qttaskm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2844
- C:\Windows\SysWOW64\ctfmon.exe
  ctfmon.exe
  2⤵
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\qttaskm.exe

Filesize
28KB

MD5
d10fcca24c54aa84e4e5c9847c24336d

SHA1
000f2c786469b85eb0a90617f81442986b09cf09

SHA256
d51cf5a38adcd6e323dd09700a97cdeb2c1232265589883e7cf900e8e338c1af

SHA512
65463aa0525eaefb19843acb884524b130f98dc3c441a408c0ab9c1fef425efec0040040a56d3a1f347c76ecd46ad909f721599e8697540ba67c057061d4feb5

Download Submit
memory/2844-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2844-37-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2844-11-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2844-35-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2844-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2844-33-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2844-31-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2844-15-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2844-29-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2844-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2844-27-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2844-19-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2844-25-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2844-21-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2844-39-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2968-16-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-32-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-20-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-10-0x0000000000230000-0x000000000023E000-memory.dmp

Filesize
56KB

Download
memory/2968-30-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-24-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-14-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-12-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-34-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-9-0x0000000000230000-0x000000000023E000-memory.dmp

Filesize
56KB

Download
memory/2968-36-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-38-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2968-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download