78e964883e5c4bf9e1e49eb1e2df92b3bc69a7a8bca1dd9fd828a8c7fc11c502

Analysis

max time kernel
100s
max time network
100s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
11/07/2024, 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qtemu-1.0.5.exe
Size

5.1MB
MD5

612517895c18fe7c0c9bc1b4b24d86bc
SHA1

064318f1c199340fd08c5e314347f5a93460dc83
SHA256

78e964883e5c4bf9e1e49eb1e2df92b3bc69a7a8bca1dd9fd828a8c7fc11c502
SHA512

efc5af9d426e085cf1b504f4c0bc3360415387ba1a85d4c1c9bbfab824fdbc0f9a7af04f1b5d95acf9442ae12ac3f029fb2977d7ad0c226df05ba0d4fe02648f
SSDEEP

98304:72KFnVM0ffH/0/0nAPfYsTbAwqaFT9+QjYwDcuy3hJJk/n0BNIGW:7bnVMM/0IWAsTbXqaHD6t02Ip

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1880	qtemu.exe
5124	qtemu.exe
572	qtemu.exe

Loads dropped DLL 11 IoCs

pid	Process
4028	qtemu-1.0.5.exe
4028	qtemu-1.0.5.exe
4028	qtemu-1.0.5.exe
1880	qtemu.exe
1880	qtemu.exe
5124	qtemu.exe
5124	qtemu.exe
5124	qtemu.exe
572	qtemu.exe
572	qtemu.exe
572	qtemu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\QtEmu\qtemu.exe	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\fr-ca	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\de\toolbar.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\de\mainwindow_new_machine_1.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\de\mainwindow_new_machine_7.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\libusb0.dll	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\hr	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\hu	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\translations\qtemu_de.qm	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\de\Thumbs.db	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\de-ch	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\de\wizard_2_1.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\de\mainwindow.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\pxe-rtl8139.bin	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\lv	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\pl	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qtemu.ico	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\nl	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\tr	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\mainwindow_new_machine_5.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\toolbar.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\de\wizard_1_1.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\vgabios.bin	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\mainwindow_new_machine_7.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\de\mainwindow_new_machine_5.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\SDL.dll	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\it	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\ja	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\sv	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\de\mainwindow_new_machine_2.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\nl-be	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\ru	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\sl	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\translations\qtemu_cz.qm	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\pxe-pcnet.bin	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\fr-ch	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\pt	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\License\LICENSE	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\License\README-SDL.txt	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\README-en.txt	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\mainwindow_new_machine_4.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\mainwindow_new_machine_8.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\pxe-ne2k_pci.bin	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\qemu-img.exe	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\mainwindow_new_machine_6.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\wizard_2.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\pt-br	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\translations\qtemu_pl.qm	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\mainwindow_new_machine_2.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\mainwindow_new_machine_3.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\QtXml4.dll	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\de\mainwindow_new_machine_6.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\qemu.exe	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\et	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\keymaps\lt	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\translations\qtemu_es.qm	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\main.htm	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\de\mainwindow_new_machine_8.png	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\qemu-system-x86_64.exe	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\translations\qtemu_ru.qm	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\QtGui4.dll	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\qemu\bios.bin	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\translations\qtemu_fr.qm	qtemu-1.0.5.exe
File created	C:\Program Files (x86)\QtEmu\help\mainwindow.png	qtemu-1.0.5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
764	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1880	4028	qtemu-1.0.5.exe	83
PID 4028 wrote to memory of 1880	4028	qtemu-1.0.5.exe	83
PID 4028 wrote to memory of 1880	4028	qtemu-1.0.5.exe	83
PID 4028 wrote to memory of 1880	4028	qtemu-1.0.5.exe	83
PID 4028 wrote to memory of 1880	4028	qtemu-1.0.5.exe	83

C:\Users\Admin\AppData\Local\Temp\qtemu-1.0.5.exe
"C:\Users\Admin\AppData\Local\Temp\qtemu-1.0.5.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Program Files (x86)\QtEmu\qtemu.exe
  "C:\Program Files (x86)\QtEmu\qtemu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1880

C:\Program Files (x86)\QtEmu\qtemu.exe
"C:\Program Files (x86)\QtEmu\qtemu.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5124

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3244

C:\Program Files (x86)\QtEmu\qtemu.exe
"C:\Program Files (x86)\QtEmu\qtemu.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\QtEmu\QtCore4.dll

Filesize
2.0MB

MD5
a8b36981c94b3ac4939df25c042b5018

SHA1
44ce335e10d67c8ede062f8d7f106976e25e87fb

SHA256
ba202701f0a7880897dcd5f2a36249f89321ddc0347841a29ed5feb56684d522

SHA512
26f34a4ce33849e10ef29d17441ff0bfea614bb4813ae2a5980372b816d2feb33f9b171519d0c99eccaa9b0be7bd79c4d1c32e61ca189f0ade3b8ea19c10f08e

Download Submit
C:\Program Files (x86)\QtEmu\QtGui4.dll

Filesize
8.7MB

MD5
20876b60db47e0151541194ad67cdb3f

SHA1
84536579e9cc0cd34fbc5a2fb9c43f8524e97f7e

SHA256
bbe83d9cd262541906c8d73798330cfdc7a496416916b1e66fd087c52d05568f

SHA512
e62bf094d702dfe04106e2d039e9fec005363ad1f351ee0adf74a5827e88102082090bc6fec1c2a6b31e1c97fc327f2884eb02f0f52dad9529392815e877c601

Download Submit
C:\Program Files (x86)\QtEmu\QtXml4.dll

Filesize
486KB

MD5
d10a84f9ad6358f0179b008b7c6431e7

SHA1
437d81303211c68b90589ffec477e802cb30bf12

SHA256
952c5f41249f55cedf743db9c81d2af505e66c8ec1fda8646820e73e8e93f67e

SHA512
4f47d33884914f1dd80ade119b30dc1705bbe1f5097d839f93bef421622381f46ccba304607e1d98c05c0206b6e353778143f4999e30e67453bc3a72b2aeaeed

Download Submit
C:\Program Files (x86)\QtEmu\qtemu.exe

Filesize
379KB

MD5
e906af086fabd8de81365ea915661c4a

SHA1
2b8ad0a4eb4e9497e302d942e86021d6384e3b99

SHA256
477923a4b486b7b87c620e1fa27c49d41d3d9387c4444b54c365dd0dcced367c

SHA512
ffc16dfe9b1813060678a9a0758f744ebd20ea453d6d8e8cb8fa8273fe320f484f4f6dcc19c5c0fb0c07563ef95a04a3ed0588f26cb5abb974536d1909543ef5

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
e3cc4e2b4ca0237131ff3f913d7c6077

SHA1
6f483b3175bff04b716b21ce8d5afb24da1b1d4e

SHA256
23fb315afa4f7e120c442981a11adaa77d673c84259ac6352c7a81e03dd17b86

SHA512
414eaa11678ce53082fbbfdd40cebb5c1064cfba756b9f3c23721cb57a5f2004e57e7cbfe6b0e608a8008f04a0488fd1b4241dd68de6e48459bd599fc99518f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA49E.tmp\InstallOptions.dll

Filesize
14KB

MD5
bec6315d69bcfd3588839959d326417f

SHA1
96086501633dea36373557f2b533e648822f1233

SHA256
a25228ed00282372cac3349296613884d6c7fa2f041b3ad7df8388659f9e20e5

SHA512
34e59e6427ead069150609329016c06f6e2b9cbb3a146c9ce243b88fb9a8dd727cc1c791d0741ef42e68b4dc5543922b990c15122b30967cbdd5cc4fdb064600

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA49E.tmp\LangDLL.dll

Filesize
5KB

MD5
2357801ccb2f2365712ef08be70443b0

SHA1
a18377161188b4f2fa60c7f6abbfceb49186f0a7

SHA256
83271293ac30de94c35e835c51a377722790a798c0ca0649092a0a60a9bbc349

SHA512
8bb2232fc74afa996457710c3f6f06f8ce0da08f6aa17f21f756e871dd2a322222bcf4a6347eac1b2096d5f958bd75e4d56572fd871103c2a54e711bfe54bcd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA49E.tmp\ioSpecial.ini

Filesize
614B

MD5
dab028d66d545345740a10e5162dd8a2

SHA1
303fa9ea3390658e64827e5ef0c1f07a6501079f

SHA256
7ff68458700c51ec84963f3ad6dd21e3d51e33a199f9bd3c30ca17665fc0e600

SHA512
a5fbb4eafa846edd803e1b429ca8c56bda89c31adef0eb60464017ef10c13628dfe40d1790b1f2d3515a6a207409c42f9c9ba846de4ad23a98bf12303c4f3001

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA49E.tmp\ioSpecial.ini

Filesize
627B

MD5
40977ee337a9d0fddaf9d55e99bfcbb5

SHA1
bd47dadfa3abff6cf428382ca84b214f531abff3

SHA256
f2d879212afae18f9f2cadd08ec348d4425fb7b664b72dda06fc211c278682d5

SHA512
6beea6fbfbbe1ab3d8e8a9dc2bff8501d17dba97e76586cc147e9e3062a85dbe45e43694466c685d351747265c7bc34e0a5275a6ebfa9b7166d8ec0fe6cfc5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA49E.tmp\ioSpecial.ini

Filesize
699B

MD5
8347b16ff79a4ec98ee81dcd8ec2eb81

SHA1
875ae7677dba907f49cf442f4484c0ea3810ad0e

SHA256
a56648f6ad4235e58aac94c02275cb45216a15a16ac905027c93f463ab83cf83

SHA512
4b0d05f1aef813c54243747f924d90715a91191671b0e9ab91af5099257a679bad15f1189fee0c97edaa9533bff7d8fa7ffea550f05b1ae75f36003b25d844db

Download Submit