e93845b0415afde51a287be72c4d870c1ffa3384bd439fc025faefb587859cf4

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6e877128b87282e4534d70de7820334.exe
Size

116KB
MD5

d6e877128b87282e4534d70de7820334
SHA1

bca452473d17be00f3be8686e7d3330289f8012e
SHA256

e93845b0415afde51a287be72c4d870c1ffa3384bd439fc025faefb587859cf4
SHA512

84d17adf7635ae683d3b86ea915a262ffb67a3a92f4046c862862cf59da473fcfd99080940271e36ff5cce280884d9626bdc8c217eece3a660e2ebb5544067eb
SSDEEP

3072:98RTVXDNJqxSA5HDc3I3nNoOsRXurRUQzj+5z/U:SZRcx5VMpOKXur2Qf+5z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2944	Qrafoa.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Qrafoa.exe	d6e877128b87282e4534d70de7820334.exe
File opened for modification	C:\Windows\Qrafoa.exe	d6e877128b87282e4534d70de7820334.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Qrafoa.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	Qrafoa.exe
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	d6e877128b87282e4534d70de7820334.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	d6e877128b87282e4534d70de7820334.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main	Qrafoa.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\International	Qrafoa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe
2944	Qrafoa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2944	1920	d6e877128b87282e4534d70de7820334.exe	28
PID 1920 wrote to memory of 2944	1920	d6e877128b87282e4534d70de7820334.exe	28
PID 1920 wrote to memory of 2944	1920	d6e877128b87282e4534d70de7820334.exe	28
PID 1920 wrote to memory of 2944	1920	d6e877128b87282e4534d70de7820334.exe	28

C:\Users\Admin\AppData\Local\Temp\d6e877128b87282e4534d70de7820334.exe
"C:\Users\Admin\AppData\Local\Temp\d6e877128b87282e4534d70de7820334.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\Qrafoa.exe
  C:\Windows\Qrafoa.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Twain001.Mtx

Filesize
2B

MD5
309fc7d3bc53bb63ac42e359260ac740

SHA1
2064f80f811db79a33c4e51c10221454e30c74ae

SHA256
ac11339ffa8f270c4f781e0a3922bb1c80d9dee6e4b6911ca34538ed9ae03caa

SHA512
77dd27d30f4e13a0bcd6fd27ae7567c136d87393e5ee632bccf05b0a0d2bbcc2fc0fd777a8508e26cc4fc579c8da0ab56b7bf179b1adc70f28f7d0eee89fa5f8

Download Submit
C:\Windows\Qrafoa.exe

Filesize
116KB

MD5
d6e877128b87282e4534d70de7820334

SHA1
bca452473d17be00f3be8686e7d3330289f8012e

SHA256
e93845b0415afde51a287be72c4d870c1ffa3384bd439fc025faefb587859cf4

SHA512
84d17adf7635ae683d3b86ea915a262ffb67a3a92f4046c862862cf59da473fcfd99080940271e36ff5cce280884d9626bdc8c217eece3a660e2ebb5544067eb

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
344B

MD5
75c6328bcaa211f5c7c50cc457846e88

SHA1
46c5054e08caf1ccd8df16b6cf1638fc22711b42

SHA256
309cf7cc03f1e868e220d7c047a4d8277248a825a0fe0ccccb03aabd69c60b48

SHA512
7f6d419d87ba90d01f0fdf2a18f7fa74aae55303b9309af301e0e8bef2a7c24473cb7749d958ba2c659b8fdcb9a8c9ccfdf2e1fb535366c69e7be817da7ab1d5

Download Submit
memory/1920-4754-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1920-1-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/1920-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1920-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-4752-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-5934-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-13869-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-18074-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-37497-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-46146-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-46147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-46148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-46150-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2944-46151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download