f6a0a047f77fb106fe136f4d815388f0a04450020511e10983bb9e44f2afda76

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 04:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f6a0a047f77fb106fe136f4d815388f0a04450020511e10983bb9e44f2afda76.exe
Size

208KB
MD5

c52bdaa68a352c604ef5dbc4a931d0a5
SHA1

cd675d26ae5dcaa4b3e562d63c56932b9870307d
SHA256

f6a0a047f77fb106fe136f4d815388f0a04450020511e10983bb9e44f2afda76
SHA512

9feac0cb143cb8d45e9e9b8b7212ddc597e3bb6f6aeab94232eb2204818299135f7f928b856ec173514d15a00049ef0a2ae11e729a1fdb967db192170098bc8e
SSDEEP

3072:U1T4Oxb6DSZFqKVE1RLg3pLy9y282E93YaK9D3hLPo1arep4Nr4NLthEjQT6c:09oGFqKVEXLyBC82JzPRNrQEj+

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2920	QHH.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\QHH.exe	f6a0a047f77fb106fe136f4d815388f0a04450020511e10983bb9e44f2afda76.exe
File opened for modification	C:\windows\QHH.exe	f6a0a047f77fb106fe136f4d815388f0a04450020511e10983bb9e44f2afda76.exe
File created	C:\windows\QHH.exe.bat	f6a0a047f77fb106fe136f4d815388f0a04450020511e10983bb9e44f2afda76.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QHH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6a0a047f77fb106fe136f4d815388f0a04450020511e10983bb9e44f2afda76.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2212	f6a0a047f77fb106fe136f4d815388f0a04450020511e10983bb9e44f2afda76.exe
2920	QHH.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2212	f6a0a047f77fb106fe136f4d815388f0a04450020511e10983bb9e44f2afda76.exe
2212	f6a0a047f77fb106fe136f4d815388f0a04450020511e10983bb9e44f2afda76.exe
2920	QHH.exe
2920	QHH.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2928	2212	f6a0a047f77fb106fe136f4d815388f0a04450020511e10983bb9e44f2afda76.exe	30
PID 2212 wrote to memory of 2928	2212	f6a0a047f77fb106fe136f4d815388f0a04450020511e10983bb9e44f2afda76.exe	30
PID 2212 wrote to memory of 2928	2212	f6a0a047f77fb106fe136f4d815388f0a04450020511e10983bb9e44f2afda76.exe	30
PID 2212 wrote to memory of 2928	2212	f6a0a047f77fb106fe136f4d815388f0a04450020511e10983bb9e44f2afda76.exe	30
PID 2928 wrote to memory of 2920	2928	cmd.exe	32
PID 2928 wrote to memory of 2920	2928	cmd.exe	32
PID 2928 wrote to memory of 2920	2928	cmd.exe	32
PID 2928 wrote to memory of 2920	2928	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\f6a0a047f77fb106fe136f4d815388f0a04450020511e10983bb9e44f2afda76.exe
"C:\Users\Admin\AppData\Local\Temp\f6a0a047f77fb106fe136f4d815388f0a04450020511e10983bb9e44f2afda76.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\QHH.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\windows\QHH.exe
    C:\windows\QHH.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\QHH.exe.bat

Filesize
52B

MD5
3593e01cf8a632c7d8ce11e6941c4450

SHA1
f968030a856f6bd00bd51620e0bc72d34f34ec24

SHA256
4ef0cf410de4f0a21a73ef2fbe0eedad5a6b9ee1aef97930bd8f199b8d449065

SHA512
43e3ce37d215f32000cd786053326c93bf3842d6d63b3957a7c8f5da96f9751ed6e3a9f4ef8d397079fca54ee5d2549f72119d4d6d65bf95b73f276a54b39278

Download Submit
C:\windows\QHH.exe

Filesize
208KB

MD5
fc7b466a0b0fd371cc680fe9bad7d508

SHA1
3998606ed3d807b927d7e2c1df63dd7889480351

SHA256
dc3efb77039f58243fc2c18ad8851c2b79ea4afa5ea2383a91bdf28b6291e330

SHA512
1d765267666526cbd3b97c0c8c2085b675a46c5e56b39635b411faca08e51e7be2caac012ac237d914d2c796a9bcd4f42632e08f8afc7e4a7bdb0b7fd02b9e3f

Download Submit
memory/2212-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2212-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2920-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2928-15-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download