Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-05-2024 01:18

General

  • Target

    7701ca24698ee8fb94bd5ef71d9fb09f7e3bf80e080a9abc7aa30912674ae664.exe

  • Size

    60KB

  • MD5

    59f7a894987bece515c3f0a52f4251d3

  • SHA1

    17e248984a94b6f31b3f27e8a38f30eacb78d24f

  • SHA256

    7701ca24698ee8fb94bd5ef71d9fb09f7e3bf80e080a9abc7aa30912674ae664

  • SHA512

    fd320a382474e92395fa6b5834a2a2db04d119c85ed8f46ac74bbf0a3a8c38cd3e517b38c6ddb7be1cc4c22c6ffa8262c2605643892759ac9f6d5ab2d7ffcfde

  • SSDEEP

    1536:ocvhZCVZL22/BtJ1DG2xNMfMZec4feLdlzok:fqVM2/deGLdlzn

Score
10/10

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7701ca24698ee8fb94bd5ef71d9fb09f7e3bf80e080a9abc7aa30912674ae664.exe
    "C:\Users\Admin\AppData\Local\Temp\7701ca24698ee8fb94bd5ef71d9fb09f7e3bf80e080a9abc7aa30912674ae664.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Users\Admin\qeayie.exe
      "C:\Users\Admin\qeayie.exe"
      2⤵
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3020
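The signatures above (a Run key added by the dropped qeayie.exe, hidden/system file visibility changed in Explorer) and the hashes in this report can be turned into a small host-side triage check. The block below is an added example, not sandbox output or code from the sample: it matches file hashes against the two SHA256 values the report lists and scans Sysmon-style registry SetValue events for the two behaviours. It assumes the hidden-files signature corresponds to writes to the Explorer\Advanced values Hidden and ShowSuperHidden (the report names the behaviour, not the registry values), and, because the Run value name is not given, it flags any Run/RunOnce value that points at an executable under a user profile. The event lines are constructed for the example; the value name "updater" and the explorer.exe events are invented noise.

```python
"""Triage helper for the behaviours this report lists. Added example, not part of
the sandbox output or the sample. Checks file hashes against the report's SHA256
IOCs and scans constructed Sysmon-style registry events (Event ID 13, SetValue).

Assumptions not stated in the report: the "hidden/system files" signature is
modelled as writes to Explorer\\Advanced\\Hidden (2 = do not show hidden files)
and ShowSuperHidden (0 = hide protected OS files); the Run value name written by
qeayie.exe is unknown, so any Run/RunOnce value aimed at a user-profile
executable is flagged. All event lines below are constructed.
"""
import hashlib
import re
from dataclasses import dataclass

# Copied from the report: the submitted sample and the dropped \Users\Admin\qeayie.exe.
REPORT_SHA256 = {
    "7701ca24698ee8fb94bd5ef71d9fb09f7e3bf80e080a9abc7aa30912674ae664": "submitted sample",
    "b921f4d140ccd02e6c7cf24568e53df2191b744698202b7a45b68d2c0063c33f": "dropped qeayie.exe",
}

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
HIDDEN_SETTING_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\(Hidden|ShowSuperHidden)$", re.IGNORECASE)
# Executables directly under a profile root or in the user's Temp, as qeayie.exe is.
USER_PROFILE_EXE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(AppData\\Local\\Temp\\)?[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    technique: str   # ATT&CK sub-technique ID
    pid: int
    detail: str


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hash(data: bytes):
    """Label from the report for a file's SHA256, or None if it is not an IOC here."""
    return REPORT_SHA256.get(sha256_of(data))


def parse_event(line: str) -> dict:
    """Constructed 'Field=value|Field=value' rendering of a Sysmon registry event."""
    return dict(field.split("=", 1) for field in line.split("|"))


def first_executable(command: str) -> str:
    """Image path from a Run value, which may be quoted and carry arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def dword(details: str):
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000002)'; None for other types."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


def hides_files(value_name: str, details: str) -> bool:
    """True when the write turns hidden or protected-OS files off in Explorer."""
    v = dword(details)
    name = value_name.lower()
    return (name == "hidden" and v == 2) or (name == "showsuperhidden" and v == 0)


def scan_registry_events(lines):
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventType") != "SetValue":
            continue
        target, details, pid = ev["TargetObject"], ev.get("Details", ""), int(ev["ProcessId"])
        value_name = target.rsplit("\\", 1)[-1]
        if RUN_KEY_RE.search(target):
            exe = first_executable(details)
            if USER_PROFILE_EXE_RE.match(exe):
                findings.append(Finding("T1547.001", pid, f"{target} -> {exe}"))
        elif HIDDEN_SETTING_RE.search(target) and hides_files(value_name, details):
            findings.append(Finding("T1564.001", pid, f"{target} = {details}"))
    return findings


# Constructed events: PID 3020 mirrors the dropped qeayie.exe in the process tree;
# the PID 1200 (explorer.exe) lines are benign noise the scanner must ignore.
SAMPLE_EVENTS = [
    "EventType=SetValue|ProcessId=3020|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater|Details=C:\\Users\\Admin\\qeayie.exe",
    "EventType=SetValue|ProcessId=3020|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden|Details=DWORD (0x00000002)",
    "EventType=SetValue|ProcessId=3020|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden|Details=DWORD (0x00000000)",
    "EventType=SetValue|ProcessId=1200|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive|Details=\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background",
    "EventType=SetValue|ProcessId=1200|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden|Details=DWORD (0x00000001)",
]

if __name__ == "__main__":
    for f in scan_registry_events(SAMPLE_EVENTS):
        print(f"{f.technique} pid={f.pid} {f.detail}")
```

On real hosts the same logic applies to Sysmon Event ID 13 records exported from the Microsoft-Windows-Sysmon/Operational log; the user-profile path filter is what keeps a legitimate Run entry under Program Files out of the results, while a Hidden=1 write (showing hidden files) is deliberately not treated as evasion.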

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    Hide Artifacts (T1564): 1
    Hidden Files and Directories (T1564.001): 1
    Modify Registry (T1112): 2
  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • \Users\Admin\qeayie.exe
    Filesize

    60KB

    MD5

    3e699f09c17f33ad3b0cd095a58e08bc

    SHA1

    fb08d64fd8613406e9d0ee89366e0ad35b16dc67

    SHA256

    b921f4d140ccd02e6c7cf24568e53df2191b744698202b7a45b68d2c0063c33f

    SHA512

    bfb4b4d7354511bd0f4e4e90d0813a2181bf76a4e269c67c7fcd197e2d42eb70ae85ace983c7b2264e4ac9331184a5ef9b5fc2e4bea3d12e38cbd0d9de624116