1cb927ec838ca94fef66ba6968112eb8f02f1227208bbbe04a0876e7cb1c6d27

General

Target

_Redist/QuickSFV.exe
Size

101KB
MD5

4b1d5ec11b2b5db046233a28dba73b83
SHA1

3a4e464d3602957f3527727ea62876902b451511
SHA256

a6371461da7439f4ef7008ed53331209747cba960b85c70a902d46451247a29c
SHA512

fcd653dbab79dbedca461beb8d01c2a4d0fd061fcfba50ffa12238f338a5ea03e7f0e956a3932d785e453592ce7bb1b8a2f1d88392e336bd94fb94a971450b69
SSDEEP

1536:lYfzZTBgMtgBKOX8eXDfRQpDm63htpmKvEZfn0X8u165J+S0YKxjy1:liVTBTgQOX80I59VJ165J+S0YKx+1

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 34 IoCs

Processes:

QuickSFV.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	QuickSFV.exe
Key created	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	QuickSFV.exe
Key created	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	QuickSFV.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	QuickSFV.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	QuickSFV.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	QuickSFV.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	QuickSFV.exe
Key created	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	QuickSFV.exe
Key created	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	QuickSFV.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	QuickSFV.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	QuickSFV.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	QuickSFV.exe
Key created	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	QuickSFV.exe
Key created	\Registry\User\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\NotificationData	QuickSFV.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	QuickSFV.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	QuickSFV.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	QuickSFV.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	QuickSFV.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	QuickSFV.exe
Key created	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings	QuickSFV.exe
Key created	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	QuickSFV.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	QuickSFV.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	QuickSFV.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	QuickSFV.exe
Key created	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	QuickSFV.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	QuickSFV.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	QuickSFV.exe
Key created	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	QuickSFV.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	QuickSFV.exe
Key created	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	QuickSFV.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	QuickSFV.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	QuickSFV.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	QuickSFV.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-175642277-3213633112-3688900201-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	QuickSFV.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

QuickSFV.exe

pid process

804 QuickSFV.exe

pid	process
804	QuickSFV.exe

C:\Users\Admin\AppData\Local\Temp\_Redist\QuickSFV.exe
"C:\Users\Admin\AppData\Local\Temp\_Redist\QuickSFV.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
14KB

MD5
779f72ca194058cf3dcdd0085d34a172

SHA1
3dc4a66122920cadfa5a3c9fddb60c8686c8828e

SHA256
d7d52d4b6bf24e4d07442caf581a0962d28c3ddd90a125d0055e7636de0c3028

SHA512
aa0d11b12603b20bdba725342c3b39434856134b720c5f568678ac8cb00b8ebd05562df17def780a1d1ebff47c04fd71e2ab13a2c0472575f9ff16f9a37335d4

Download Submit

Analysis

Sharing