Analysis Overview
SHA256
07a689b13a762ea04a4ce737e1ab5bf07b941766b4dd39ce042733727cd82c66
Threat Level: Known bad
The file 07a689b13a762ea04a4ce737e1ab5bf07b941766b4dd39ce042733727cd82c66 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:20
Reported
2024-04-07 18:23
Platform
win7-20231129-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\laqeg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\laqeg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07a689b13a762ea04a4ce737e1ab5bf07b941766b4dd39ce042733727cd82c66.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07a689b13a762ea04a4ce737e1ab5bf07b941766b4dd39ce042733727cd82c66.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\laqeg = "C:\\Users\\Admin\\laqeg.exe" | C:\Users\Admin\laqeg.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07a689b13a762ea04a4ce737e1ab5bf07b941766b4dd39ce042733727cd82c66.exe | N/A |
| N/A | N/A | C:\Users\Admin\laqeg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\07a689b13a762ea04a4ce737e1ab5bf07b941766b4dd39ce042733727cd82c66.exe
"C:\Users\Admin\AppData\Local\Temp\07a689b13a762ea04a4ce737e1ab5bf07b941766b4dd39ce042733727cd82c66.exe"
C:\Users\Admin\laqeg.exe
"C:\Users\Admin\laqeg.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ns3.theimageparlour.net | udp |
| US | 206.189.185.75:8000 | ns3.theimageparlour.net | tcp |
Files
memory/2196-0-0x0000000000400000-0x000000000042D000-memory.dmp
\Users\Admin\laqeg.exe
| MD5 | 72638a89bfc2a0f2e5d386d7f1e11f87 |
| SHA1 | 8f3be8eb3ba2e7e051e32920a3ed2e4f04cb9718 |
| SHA256 | 53b8278bcf25c0b127af218c7c9ebca1919af5ad5a9d0a970a73839b323f73d3 |
| SHA512 | 5601606b65b7bbb2979fa73f5836aff9da128c9423d967bedff04feb989e149f6a88d8138f0fa526cea1d8bfef01a13e24fefc9075f09688ec335090578e0e3d |
memory/2196-9-0x0000000003C70000-0x0000000003C9D000-memory.dmp
memory/2196-14-0x0000000003C70000-0x0000000003C9D000-memory.dmp
memory/2144-16-0x0000000000400000-0x000000000042D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:20
Reported
2024-04-07 18:23
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\qlviis.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\07a689b13a762ea04a4ce737e1ab5bf07b941766b4dd39ce042733727cd82c66.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\qlviis.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qlviis = "C:\\Users\\Admin\\qlviis.exe" | C:\Users\Admin\qlviis.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\07a689b13a762ea04a4ce737e1ab5bf07b941766b4dd39ce042733727cd82c66.exe | N/A |
| N/A | N/A | C:\Users\Admin\qlviis.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\07a689b13a762ea04a4ce737e1ab5bf07b941766b4dd39ce042733727cd82c66.exe
"C:\Users\Admin\AppData\Local\Temp\07a689b13a762ea04a4ce737e1ab5bf07b941766b4dd39ce042733727cd82c66.exe"
C:\Users\Admin\qlviis.exe
"C:\Users\Admin\qlviis.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns2.theimageparlour.net | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
memory/2208-0-0x0000000000400000-0x000000000042D000-memory.dmp
C:\Users\Admin\qlviis.exe
| MD5 | 1d18e65f848975345799bbc904763301 |
| SHA1 | 5bab6e0642ce0617c39963c32b2867c7ae70bffa |
| SHA256 | 9c34ae20ce2f84721775df228d83859fcfac6c2557101315e58b9a1141f5475d |
| SHA512 | 9c8f2b361217942626ee3297de7a8519a2f8c4d19beb6d5679b682cb733193cd68f55f50bdd5ece35fd18ba9c139e4b21179680373f0ce29a0f5b5e59ccfbf1b |
memory/3744-21-0x0000000000400000-0x000000000042D000-memory.dmp