820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4

General

Target

820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
Size

53KB
MD5

3c47989e072fef3ec39602475f91040a
SHA1

3a371f0ee32fb56f4f56af8179ebcdaebd60c498
SHA256

820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4
SHA512

64573c462998440ae219371bf64692219e5500ab17d1cac0e4f1209b361a0dfd8e30fe7491e012d60030e58f5c899b54f663bb9dd72ea9e6db80c32b5daf0cfc
SSDEEP

1536:vNLg8r8QUGLI37Kp3StjEMjmLM3ztDJWZsXy4JzxPME:mGL2JJjmLM3zRJWZsXy4JN

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

qiayoob.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qiayoob.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe

Executes dropped EXE 1 IoCs

Processes:

qiayoob.exe

pid process

4988 qiayoob.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

qiayoob.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qiayoob = "C:\\Users\\Admin\\qiayoob.exe"	qiayoob.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

qiayoob.exe

pid	process
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe
4988	qiayoob.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exeqiayoob.exe

pid process

3012 820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
4988 qiayoob.exe

pid	process
3012	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
4988	qiayoob.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exeqiayoob.exe

description	pid	process	target process
PID 3012 wrote to memory of 4988	3012	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe	qiayoob.exe
PID 3012 wrote to memory of 4988	3012	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe	qiayoob.exe
PID 3012 wrote to memory of 4988	3012	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe	qiayoob.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
PID 4988 wrote to memory of 3012	4988	qiayoob.exe	820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe

C:\Users\Admin\AppData\Local\Temp\820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe
"C:\Users\Admin\AppData\Local\Temp\820ba76bd225bca9e342d0599eb7d6da2774903256d99bb336cf531d2f52a1d4.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\qiayoob.exe
"C:\Users\Admin\qiayoob.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\qiayoob.exe

Filesize
53KB

MD5
34b03c1dee44aa3f800506efd9d1f48a

SHA1
ac897b0958546afb5a1f6c61f68af86a2b289c28

SHA256
1e7423badda46be2d9d56559d226c2f75bd149b794194575783f38e037faffdc

SHA512
12ace8cfe5dde1da8a217e4c776059d459ce12c25658d37ccdb34f69d286a8c2bf6623ea7926f790a6246c6a9e13d44e2fb650fa48e36413b0e069fdc90015d5

Download Submit
memory/3012-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4988-34-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads