56a0ef6b4418afd3eca2b852c8f0efdace0363f826007b440fb8227952a4068b

Analysis

max time kernel
119s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c305aa7e29543ed07b581fb035d44f0N.exe
Size

123KB
MD5

0c305aa7e29543ed07b581fb035d44f0
SHA1

f9297fb44a8ada5202d38845c41f27e9069dff02
SHA256

56a0ef6b4418afd3eca2b852c8f0efdace0363f826007b440fb8227952a4068b
SHA512

a58baabe33556b7a6918993ddd1736ef876e4c0ecdc75faf693825fc4e5003c5dcc4a9c385e83a40ca4b16d6e9449ede38fbb4527424bbc71b5d004e952b5e07
SSDEEP

1536:bW+gAu7KvYjk4p+NLMwL4csFkcUbVuyfjDLYujjX4m4GuDOHXVUUqpJtq9rY+OLT:aqwgG8h+S4y/LYKMXpD2ypjq9rY+O

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0c305aa7e29543ed07b581fb035d44f0N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	qatij.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	0c305aa7e29543ed07b581fb035d44f0N.exe

Executes dropped EXE 2 IoCs

pid	Process
1712	qatij.exe
4856	qatij.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /o"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /t"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /r"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /u"	0c305aa7e29543ed07b581fb035d44f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /d"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /u"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /g"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /q"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /z"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /s"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /m"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /h"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /w"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /n"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /x"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /e"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /v"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /a"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /l"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /b"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /j"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /y"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /c"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /k"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /f"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /p"	qatij.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qatij = "C:\\Users\\Admin\\qatij.exe /i"	qatij.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	qatij.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	qatij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0c305aa7e29543ed07b581fb035d44f0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	0c305aa7e29543ed07b581fb035d44f0N.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\c\autorun.inf	qatij.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 2652	2184	0c305aa7e29543ed07b581fb035d44f0N.exe	84
PID 1712 set thread context of 4856	1712	qatij.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qatij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qatij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c305aa7e29543ed07b581fb035d44f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c305aa7e29543ed07b581fb035d44f0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2652	0c305aa7e29543ed07b581fb035d44f0N.exe
2652	0c305aa7e29543ed07b581fb035d44f0N.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe
4856	qatij.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2184	0c305aa7e29543ed07b581fb035d44f0N.exe
2652	0c305aa7e29543ed07b581fb035d44f0N.exe
1712	qatij.exe
4856	qatij.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2652	2184	0c305aa7e29543ed07b581fb035d44f0N.exe	84
PID 2184 wrote to memory of 2652	2184	0c305aa7e29543ed07b581fb035d44f0N.exe	84
PID 2184 wrote to memory of 2652	2184	0c305aa7e29543ed07b581fb035d44f0N.exe	84
PID 2184 wrote to memory of 2652	2184	0c305aa7e29543ed07b581fb035d44f0N.exe	84
PID 2184 wrote to memory of 2652	2184	0c305aa7e29543ed07b581fb035d44f0N.exe	84
PID 2184 wrote to memory of 2652	2184	0c305aa7e29543ed07b581fb035d44f0N.exe	84
PID 2184 wrote to memory of 2652	2184	0c305aa7e29543ed07b581fb035d44f0N.exe	84
PID 2184 wrote to memory of 2652	2184	0c305aa7e29543ed07b581fb035d44f0N.exe	84
PID 2184 wrote to memory of 2652	2184	0c305aa7e29543ed07b581fb035d44f0N.exe	84
PID 2652 wrote to memory of 1712	2652	0c305aa7e29543ed07b581fb035d44f0N.exe	89
PID 2652 wrote to memory of 1712	2652	0c305aa7e29543ed07b581fb035d44f0N.exe	89
PID 2652 wrote to memory of 1712	2652	0c305aa7e29543ed07b581fb035d44f0N.exe	89
PID 1712 wrote to memory of 4856	1712	qatij.exe	90
PID 1712 wrote to memory of 4856	1712	qatij.exe	90
PID 1712 wrote to memory of 4856	1712	qatij.exe	90
PID 1712 wrote to memory of 4856	1712	qatij.exe	90
PID 1712 wrote to memory of 4856	1712	qatij.exe	90
PID 1712 wrote to memory of 4856	1712	qatij.exe	90
PID 1712 wrote to memory of 4856	1712	qatij.exe	90
PID 1712 wrote to memory of 4856	1712	qatij.exe	90
PID 1712 wrote to memory of 4856	1712	qatij.exe	90

C:\Users\Admin\AppData\Local\Temp\0c305aa7e29543ed07b581fb035d44f0N.exe
"C:\Users\Admin\AppData\Local\Temp\0c305aa7e29543ed07b581fb035d44f0N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\0c305aa7e29543ed07b581fb035d44f0N.exe
  74
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\qatij.exe
    "C:\Users\Admin\qatij.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Users\Admin\qatij.exe
      74
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Maps connected drives based on registry
      Drops autorun.inf file
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\c\Passwords.exe

Filesize
123KB

MD5
117530a988ade1d1dd6c465bcea1760a

SHA1
612f74c27175fdff840efe86512dc7e1ed36b013

SHA256
0ef04ba056a44e1c819a4a0959cff2f287ff67fa483177ac6204c5956b17c650

SHA512
7d827a124deb8165da8aad7fc77b1646fa1a0cc08b8610d16abb2b1be7a0f5242473d4ca3a214f19d36f97589e9e86577136e285c38197830102355bfd5050ae

Download Submit
C:\Users\Admin\c\Porn.exe

Filesize
123KB

MD5
83222bae53a8ff644998d8b3a78b0522

SHA1
c76fb08f5088100dd094e9747c09c062496360d3

SHA256
158a0d1d98887659ea34f54fdad7eebcd92eb41d66b23fb19ad06010f31bd3ef

SHA512
100636d4ccf43fd69f1a75597bcfccbd23beb28b1179aade56aa4da975d19f986c1f6d040a1bf6f4b16f8a01e2b6873ac8c7f77780606ab7b40338422ba3961c

Download Submit
C:\Users\Admin\qatij.exe

Filesize
123KB

MD5
0c305aa7e29543ed07b581fb035d44f0

SHA1
f9297fb44a8ada5202d38845c41f27e9069dff02

SHA256
56a0ef6b4418afd3eca2b852c8f0efdace0363f826007b440fb8227952a4068b

SHA512
a58baabe33556b7a6918993ddd1736ef876e4c0ecdc75faf693825fc4e5003c5dcc4a9c385e83a40ca4b16d6e9449ede38fbb4527424bbc71b5d004e952b5e07

Download Submit
memory/2652-91-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2652-93-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2652-103-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2652-45-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2652-4-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2652-85-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2652-101-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2652-87-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2652-99-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2652-89-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2652-97-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2652-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2652-95-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2652-46-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4856-94-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4856-92-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4856-96-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4856-90-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4856-98-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4856-88-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4856-100-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4856-86-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4856-102-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4856-47-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4856-104-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download