Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted
19/01/2024, 13:36
Static task
static1
Behavioral task
behavioral1
Sample
67bfaac6be8e193f4a760fba392ab31b.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
67bfaac6be8e193f4a760fba392ab31b.exe
Resource
win10v2004-20231215-en
General
-
Target
67bfaac6be8e193f4a760fba392ab31b.exe
-
Size
92KB
-
MD5
67bfaac6be8e193f4a760fba392ab31b
-
SHA1
e6ad84722da5e386b455c9c8a941c2096dff9b11
-
SHA256
44f94b74bb9e588937aacc5c8ceb375d1cf188c41c3b48cdca39038892f32f87
-
SHA512
13d34ef9bfc14c9866b2a86fc8d360e8dcb3f01c20c0cecfbacd438ff946861ef9258ccd94e0fec4d698705cab4af9dd833edd2593f8dbf4c2de0676fd7a9315
-
SSDEEP
1536:92i98shPjjBkvWN/3HgGl+CocTzFJ0T72VpQ8:A/A7/HpBTzFJ0T72c8
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Writing 0 to ShowSuperHidden keeps protected operating-system files hidden in Explorer (0 is also the Windows default, so the write reasserts the setting rather than necessarily changing it). Both the sample and its dropped copy perform the write.
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 67bfaac6be8e193f4a760fba392ab31b.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" qoiojaw.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation 67bfaac6be8e193f4a760fba392ab31b.exe
-
Executes dropped EXE 1 IoCs
pid Process 4820 qoiojaw.exe -
Adds Run key to start application 2 TTPs 27 IoCs
All 27 writes target the same value, \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoiojaw (type str), and every one points at C:\Users\Admin\qoiojaw.exe; only the single-letter switch differs. One write comes from the original sample (/a), the other 26 from the dropped copy. Because the value name never changes there is only ever one autorun entry, whose data is whatever was written last. The persistence target lives in the user's profile root rather than under Program Files or Windows, which is the attribute worth alerting on.
description ioc Process (rows in the order reported; "Run\qoiojaw" abbreviates the full path above; data shown as the sandbox escapes it)
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /i" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /x" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /m" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /y" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /c" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /p" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /s" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /a" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /q" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /f" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /e" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /v" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /r" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /n" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /u" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /z" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /j" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /o" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /k" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /h" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /a" 67bfaac6be8e193f4a760fba392ab31b.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /l" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /d" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /t" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /w" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /b" qoiojaw.exe
Set value (str) Run\qoiojaw = "C:\\Users\\Admin\\qoiojaw.exe /g" qoiojaw.exe
-
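The three registry signatures above (the ShowSuperHidden write, the Geo\Nation lookup and the Run-key writes) are the parts of this report that translate directly into hunting logic. The following Python script is an added example and not part of the sandbox report: it parses IoC lines in the report's own one-line "description ioc Process" format (the input is constructed from the rows above, with the same SID, paths and process names), applies three rules to them, and summarises how many distinct argument strings were written to the Run value. The rule names and the list of trusted directories are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed input: IoC lines copied from this report's Signatures section
# (the registry writes and the Geo\Nation query), in the sandbox's own
# one-line "description ioc Process" format.
SID = "S-1-5-21-1232405761-1209240240-3206092754-1000"
HKU = "\\REGISTRY\\USER\\" + SID
SAMPLE = "67bfaac6be8e193f4a760fba392ab31b.exe"
DROPPED = "qoiojaw.exe"


def run_line(switch, proc):
    # The sandbox escapes backslashes inside value data, hence the doubled ones.
    return (f'Set value (str) {HKU}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\qoiojaw'
            f' = "C:\\\\Users\\\\Admin\\\\qoiojaw.exe /{switch}" {proc}')


IOC_LINES = [
    f'Set value (int) {HKU}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden = "0" {SAMPLE}',
    f'Set value (int) {HKU}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden = "0" {DROPPED}',
    f'Key value queried {HKU}\\Control Panel\\International\\Geo\\Nation {SAMPLE}',
    run_line("a", SAMPLE),  # the single Run write by the original sample
] + [run_line(s, DROPPED) for s in "ixmycpsaqfevrnuzjokhldtwbg"]  # the 26 by the dropped copy

SET_RE = re.compile(r'^Set value \((int|str)\) (\S+) = "(.*)" (\S+)$')
QUERY_RE = re.compile(r'^Key value queried (.+) (\S+)$')

# Assumed policy (not from the report): autorun targets outside these roots are suspicious.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def parse_ioc(line):
    """Turn one sandbox IoC line into a dict; returns None for unrecognised lines."""
    m = SET_RE.match(line)
    if m:
        kind, path, data, proc = m.groups()
        # Undo the sandbox's backslash escaping so paths compare normally.
        return {"op": "set", "type": kind, "path": path,
                "data": data.replace("\\\\", "\\"), "process": proc}
    m = QUERY_RE.match(line)
    if m:
        path, proc = m.groups()
        return {"op": "query", "type": None, "path": path, "data": None, "process": proc}
    return None


def image_path(data):
    """Extract the executable from Run value data, quoted ("C:\\a b\\x.exe" args) or not (C:\\x.exe args)."""
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]


def assess(records):
    """Apply three hunting rules; return de-duplicated (rule, process, path, detail) findings in order."""
    findings = []
    for r in records:
        low = r["path"].lower()
        if r["op"] == "set" and any(k in low for k in RUN_KEYS):
            img = image_path(r["data"])
            if not img.lower().startswith(TRUSTED_ROOTS):
                findings.append(("run_key_untrusted_path", r["process"], r["path"], img))
        elif r["op"] == "set" and low.endswith("\\explorer\\advanced\\showsuperhidden") and r["data"] == "0":
            findings.append(("explorer_keeps_system_files_hidden", r["process"], r["path"], r["data"]))
        elif r["op"] == "query" and low.endswith("\\international\\geo\\nation"):
            findings.append(("geo_nation_lookup", r["process"], r["path"], None))
    return list(dict.fromkeys(findings))  # first occurrence wins, order preserved


def run_switches(records):
    """Map each Run value written to the set of argument strings that were written to it."""
    switches = defaultdict(set)
    for r in records:
        if r["op"] == "set" and any(k in r["path"].lower() for k in RUN_KEYS):
            parts = r["data"].split(" ", 1)
            if len(parts) == 2:
                switches[r["path"]].add(parts[1])
    return dict(switches)


if __name__ == "__main__":
    records = [parse_ioc(line) for line in IOC_LINES]
    for finding in assess(records):
        print(finding)
    for path, args in run_switches(records).items():
        print(f"{path}: {len(args)} distinct argument strings written")
```

On the constructed rows the Run rule fires once per writing process (the sample and the dropped copy) rather than 27 times, because findings are keyed on process, path and image; the 26 distinct switches are reported separately, which is the view an analyst wants when a sample churns one value with varying arguments.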
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process count
1400 67bfaac6be8e193f4a760fba392ab31b.exe 2
4820 qoiojaw.exe 62
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
1400 67bfaac6be8e193f4a760fba392ab31b.exe
4820 qoiojaw.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 1400 wrote to memory of 4820 1400 67bfaac6be8e193f4a760fba392ab31b.exe 90
PID 1400 wrote to memory of 4820 1400 67bfaac6be8e193f4a760fba392ab31b.exe 90
PID 1400 wrote to memory of 4820 1400 67bfaac6be8e193f4a760fba392ab31b.exe 90
All three writes go from the sample into the child it has just launched (qoiojaw.exe, PID 4820, see the process tree below). A parent writing a few times into its own freshly created child is also what ordinary process creation produces in this report format, so on its own this signature is weak evidence of injection; the dropped file and the Run-key persistence are the stronger findings here.
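The distinction that matters for this signature is whether the writer is the target's parent. The following Python snippet is an added example, not part of the report: it takes the process tree and the three write entries from this page, groups the writes by (writer, target) and marks each group as parent-to-child or as a write into some other process. The one extra event (the dropped copy writing back into its parent) is hypothetical and added only to exercise the second branch.

```python
from collections import Counter

# Constructed from this report: the process tree (PID -> (image, parent PID))
# and the three "PID 1400 wrote to memory of 4820" entries.
PROCESS_TREE = {
    1400: ("67bfaac6be8e193f4a760fba392ab31b.exe", None),
    4820: ("qoiojaw.exe", 1400),
}
REPORTED_WRITES = [(1400, 4820), (1400, 4820), (1400, 4820)]  # (writer PID, target PID)

# Hypothetical event, NOT on the page, to exercise the injection-candidate branch:
# the dropped copy writing back into its parent.
HYPOTHETICAL_WRITE = (4820, 1400)


def classify_writes(tree, writes):
    """Group cross-process writes by (writer, target) and mark whether the writer is the target's parent.

    Parent-to-child writes right after process creation are what a plain launch
    looks like in this kind of report, so they are treated as weak evidence;
    writes into any other process are reported as injection candidates.
    """
    results = []
    for (writer, target), count in Counter(writes).items():
        image, parent = tree.get(target, ("<unknown>", None))
        is_parent = parent == writer
        results.append({
            "writer": writer,
            "target": target,
            "target_image": image,
            "count": count,
            "writer_is_parent": is_parent,
            "verdict": ("parent->child, consistent with process creation" if is_parent
                        else "write into a non-child process, injection candidate"),
        })
    return results


if __name__ == "__main__":
    for row in classify_writes(PROCESS_TREE, REPORTED_WRITES + [HYPOTHETICAL_WRITE]):
        print(row)
```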
Processes
-
C:\Users\Admin\AppData\Local\Temp\67bfaac6be8e193f4a760fba392ab31b.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\67bfaac6be8e193f4a760fba392ab31b.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1400
    C:\Users\Admin\qoiojaw.exe (depth 2, child of PID 1400)
      command line: "C:\Users\Admin\qoiojaw.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID:4820
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
File captured during the run (the report does not name it; it has the same 92KB size as the submitted sample but different hashes, so it is not a byte-identical copy)
Filesize
92KB
MD5
31e72bfbe4b3408bf73f4eb604152002
SHA1
9fdf8232a741130209db85dee6e4c0cf390c2b67
SHA256
a77c9f5f833b49c9ccd5bc37f7b4ddba383bb1f1e7531f11c366a535e01824f0
SHA512
c85da53b00a6c6e5ccd791cff036159216eff4ac0f2902e349473e8545edd18ccc753fd5940f2bc9a2e9d94fddc94bacbe7a1f56c7dd0fdcd32e5e8e98266bee