a26a41df347ecd6d84efe32ad99d5a014d56b7bfc3224ddf975ea11acfd538b7

General

Target

MV SHUHA QUEEN II.exe
Size

1.1MB
MD5

e9e25dd97f4581cc0abbbca12d150269
SHA1

01d837bc35319fc582c049321f7bffb1b651cede
SHA256

a26a41df347ecd6d84efe32ad99d5a014d56b7bfc3224ddf975ea11acfd538b7
SHA512

94993d5a2e0cac402d2dd8034378a30f05141f77a1ecc177831990fef912b8e4f5d44b82e8ffa139b2498bf24e471d956f7cff0e4003f735543b42f06d30f82a
SSDEEP

24576:rAHnh+eWsN3skA4RV1Hom2KXMmHa/KRTtfnt0Ctfi93aBPc5:Gh+ZkldoPK8Ya/KtFnF1i9qBq

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 1124	1744	MV SHUHA QUEEN II.exe	30
PID 1124 set thread context of 1176	1124	svchost.exe	21
PID 1124 set thread context of 2832	1124	svchost.exe	32
PID 2832 set thread context of 1176	2832	PresentationHost.exe	21

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
1124	svchost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe
2832	PresentationHost.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1744	MV SHUHA QUEEN II.exe
1124	svchost.exe
1176	Explorer.EXE
1176	Explorer.EXE
2832	PresentationHost.exe
2832	PresentationHost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1744	MV SHUHA QUEEN II.exe
1744	MV SHUHA QUEEN II.exe
1176	Explorer.EXE
1176	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1744	MV SHUHA QUEEN II.exe
1744	MV SHUHA QUEEN II.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1124	1744	MV SHUHA QUEEN II.exe	30
PID 1744 wrote to memory of 1124	1744	MV SHUHA QUEEN II.exe	30
PID 1744 wrote to memory of 1124	1744	MV SHUHA QUEEN II.exe	30
PID 1744 wrote to memory of 1124	1744	MV SHUHA QUEEN II.exe	30
PID 1744 wrote to memory of 1124	1744	MV SHUHA QUEEN II.exe	30
PID 1176 wrote to memory of 2832	1176	Explorer.EXE	32
PID 1176 wrote to memory of 2832	1176	Explorer.EXE	32
PID 1176 wrote to memory of 2832	1176	Explorer.EXE	32
PID 1176 wrote to memory of 2832	1176	Explorer.EXE	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\MV SHUHA QUEEN II.exe
  "C:\Users\Admin\AppData\Local\Temp\MV SHUHA QUEEN II.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\MV SHUHA QUEEN II.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1124
- C:\Windows\SysWOW64\PresentationHost.exe
  "C:\Windows\SysWOW64\PresentationHost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\maneuverability

Filesize
265KB

MD5
e7e9ae0bc83d427060e88cc7b8ff432b

SHA1
41b09d0238c2b315e819ab011f06470e318ae1c3

SHA256
3ec24b8ed8ed5db0ed920ae73e419e4087721e99096eb48cdff502902b03ea12

SHA512
f16ce4adc642e81b54e2534ef427bb8b274f67682cc6ae4b747ba270019bc61702e8a4015282dda1b0856ebc421ac135effd4661759bdb1b427c3cca82cb492d

Download Submit
memory/1124-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1124-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1124-13-0x0000000000790000-0x0000000000A93000-memory.dmp

Filesize
3.0MB

Download
memory/1124-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1124-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1124-17-0x0000000000180000-0x000000000019F000-memory.dmp

Filesize
124KB

Download
memory/1124-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1124-22-0x0000000000180000-0x000000000019F000-memory.dmp

Filesize
124KB

Download
memory/1176-25-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1744-11-0x0000000000170000-0x0000000000174000-memory.dmp

Filesize
16KB

Download
memory/2832-19-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2832-23-0x0000000002700000-0x0000000002A03000-memory.dmp

Filesize
3.0MB

Download
memory/2832-24-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2832-20-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2832-26-0x0000000000DF0000-0x0000000000E8E000-memory.dmp

Filesize
632KB

Download
memory/2832-27-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing