Analysis
-
max time kernel: 158s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 31/12/2023, 18:55
Static task
static1
Behavioral task
behavioral1
Sample
3acb995c9f962f1004397bcbd3fa55dc.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
3acb995c9f962f1004397bcbd3fa55dc.exe
Resource
win10v2004-20231215-en
General
-
Target
3acb995c9f962f1004397bcbd3fa55dc.exe
-
Size
260KB
-
MD5
3acb995c9f962f1004397bcbd3fa55dc
-
SHA1
8239187c47d046fbd4b76896e78b304624cf2b0c
-
SHA256
30d5e95f20ff0a384bcbe980cff2cac965301555c50bffb18e37f770957f950c
-
SHA512
cb32938148716617e8c2b658200799434766d42c68b3aaa35e209f6a47e67bff8fd96661488091b56bdf281e8439fa79e591176dbecb0e0617e5fc4b8c394b2d
-
SSDEEP
3072:JgfAlNgvh25n/kZoSUjMqXnpWAkpAmTSrMaIOYt/jo7LAtPhjjtZnfHFEoWBfGVK:JdFgTSrMaIl/jcLijfHFEHWzXvjT85R
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qagul.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 3acb995c9f962f1004397bcbd3fa55dc.exe
-
Executes dropped EXE 1 IoCs
pid | Process
4664 | qagul.exe
-
Adds Run key to start application 2 TTPs 51 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /I" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /y" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /R" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /b" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /o" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /J" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /t" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /F" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /G" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /v" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /w" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /a" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /n" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /W" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /H" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /Q" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /V" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /g" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /E" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /C" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /f" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /X" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /z" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /Y" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /K" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /O" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /T" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /d" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /D" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /k" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /p" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /x" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /S" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /q" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /e" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /j" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /Z" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /h" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /A" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /s" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /c" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /P" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /r" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /L" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /M" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /U" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /u" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /i" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /l" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /B" | qagul.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qagul = "C:\\Users\\Admin\\qagul.exe /N" | qagul.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4664 | qagul.exe (64 identical entries)
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
4128 | 3acb995c9f962f1004397bcbd3fa55dc.exe
4664 | qagul.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 4128 wrote to memory of 4664 | 4128 | 3acb995c9f962f1004397bcbd3fa55dc.exe | 94
PID 4128 wrote to memory of 4664 | 4128 | 3acb995c9f962f1004397bcbd3fa55dc.exe | 94
PID 4128 wrote to memory of 4664 | 4128 | 3acb995c9f962f1004397bcbd3fa55dc.exe | 94
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\3acb995c9f962f1004397bcbd3fa55dc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3acb995c9f962f1004397bcbd3fa55dc.exe"
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4128
-
2. C:\Users\Admin\qagul.exe (child of PID 4128)
   Command line: "C:\Users\Admin\qagul.exe"
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4664
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 260KB
MD5: 3f6a057d3231d1918b0319546ffed3ac
SHA1: 61f0905501c3f555878ef69ea4cb711b37d530a1
SHA256: c4014f2319636d1706563c9960b7e5c91908e93b179630d60d0d22526e92b2e0
SHA512: ac3c3bc61c43d6ec5c83a20db4ff38974c26d564a1d5bf177c3766f3f073403e775ae2446ad4e90ca03f60653017a335a708784683332fd938925a505e500694