47f68134f9c71dde968bb8b4212254679e344722f661e264ddbf82bbaa71fd97

General

Target

03ee17001fd980d503fa27e19762eea0N.exe
Size

1.3MB
MD5

03ee17001fd980d503fa27e19762eea0
SHA1

a6b5e8a0df364c17ae0ccc61954829852d18ab19
SHA256

47f68134f9c71dde968bb8b4212254679e344722f661e264ddbf82bbaa71fd97
SHA512

4b7d109f16a4473b501ac5dbb0942f1dc5fa3fb480f823d9302319212805c034f8f8989a0f9b9576d5440a4995911a3c1bbd15efcc9078f0f2d2dcecdb7d926d
SSDEEP

24576:T2mWtmV2nxeGG3O1JJtZbLOTePN6lQvbOI1QjIVE0+4+Lu+:It/tB1JRL11vvaCQUVE0l+Lu

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
1956	QTalk.exe

Loads dropped DLL 1 IoCs

pid	Process
1956	QTalk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	03ee17001fd980d503fa27e19762eea0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QTalk.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	03ee17001fd980d503fa27e19762eea0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	03ee17001fd980d503fa27e19762eea0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	03ee17001fd980d503fa27e19762eea0N.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	QTalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{646BAAE7-7538-4866-8EEE-974C0AA910AB}	QTalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	QTalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{646BAAE7-7538-4866-8EEE-974C0AA910AB}\InprocServer32	QTalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{646BAAE7-7538-4866-8EEE-974C0AA910AB}\InprocServer32	QTalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	QTalk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{646BAAE7-7538-4866-8EEE-974C0AA910AB}	QTalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{646BAAE7-7538-4866-8EEE-974C0AA910AB}\InprocServer32\ = "C:\\ProgramData\\ffagffceefaf.dll"	QTalk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{646BAAE7-7538-4866-8EEE-974C0AA910AB}\InprocServer32\ = "C:\\ProgramData\\ffagffceefaf.dll"	QTalk.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1956	2420	03ee17001fd980d503fa27e19762eea0N.exe	91
PID 2420 wrote to memory of 1956	2420	03ee17001fd980d503fa27e19762eea0N.exe	91
PID 2420 wrote to memory of 1956	2420	03ee17001fd980d503fa27e19762eea0N.exe	91

C:\Users\Admin\AppData\Local\Temp\03ee17001fd980d503fa27e19762eea0N.exe
"C:\Users\Admin\AppData\Local\Temp\03ee17001fd980d503fa27e19762eea0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:2420
- C:\ProgramData\ffagffce\QTalk.exe
  C:\ProgramData\ffagffce\QTalk.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8
1⤵
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ffagffce\InprocServer32.txt

Filesize
31B

MD5
7d2f899528571e16ccd3cb844a6245bc

SHA1
8a0ddc4589b9c1f9971c51f61fa8ea5cd3ef734b

SHA256
fa8d4cf5a228041f7f83336705b49140340a5ac2e6aa8dfb8d067b3ef4529c03

SHA512
f448388f75e1b21d951195956ae9c71a94ce49a23708908270d260cf3c4a74967b14ccf37cdf52c02cd848cde2601b9b416d84fd978989ab0f85d640580f3561

Download Submit
C:\ProgramData\ffagffce\QSpeak.dll

Filesize
91KB

MD5
4d6df756a7186e5eb49b743622ebb5dc

SHA1
eec909d170a79c2b71a27d415420d2f513cdad03

SHA256
c7d5e72384948cf91e5731cb38882a11ecee909d23cc9801735d29313ccca2da

SHA512
b0265c3e7235cc378d0e1f5e3c864c980e4b4127598a5d5b82d9ba8acebb19c4ce225930b45cbdccf2746c842ade6f6b6603ed9e638889ebb852643caca4bdbd

Download Submit
C:\ProgramData\ffagffce\QTalk.exe

Filesize
247KB

MD5
e253e3a7d7563e6b45444c2ecb9dec36

SHA1
e3077a0744e9c702e7986b921982a297cda75d20

SHA256
4fc64fd8fed329c65bc1aa2c5fed62bad54cb3bf9e5ddfc97f4342cf90f45a6a

SHA512
a07c4c16d907f6df17b0c16442a6a5528a98d4aec6baa5972224bf1d6c775d9f5f712775aded4c20e82aeb172236f927e97875852e6272652b173dee9aaefc06

Download Submit

Analysis

Sharing