d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30

Analysis

max time kernel
15s
max time network
21s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QGFQTHIU.exe
Size

5.4MB
MD5

6e3dc1be717861da3cd7c57e8a1e3911
SHA1

767e39aa9f02592d4234f38a21ea9a0e5aa66c62
SHA256

d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30
SHA512

da91742e1494c027616e114e42d3333d61eda91379f6ad2ba415dc39e0b5165a25498d60537b3cb12a49267c306dfbec87d3af528e27abc9946cd5fda6b129c1
SSDEEP

98304:UK/ZoaSs+bgcPlK+rSN2xeELJ4g1x3+FbdYapMDrEPxiJVwJyHLcnP6WfwCA+D://uVs+bH9K+OGeIBSHqDIPI7WOLyyWfF

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2900	QGFQTHIU.exe

Loads dropped DLL 2 IoCs

pid	Process
1656	QGFQTHIU.exe
2900	QGFQTHIU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	QGFQTHIU.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2900	1656	QGFQTHIU.exe	30
PID 1656 wrote to memory of 2900	1656	QGFQTHIU.exe	30
PID 1656 wrote to memory of 2900	1656	QGFQTHIU.exe	30

C:\Users\Admin\AppData\Local\Temp\QGFQTHIU.exe
"C:\Users\Admin\AppData\Local\Temp\QGFQTHIU.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\TEMP\{659DF0CE-781E-4723-963D-23BC080E253A}\.cr\QGFQTHIU.exe
  "C:\Windows\TEMP\{659DF0CE-781E-4723-963D-23BC080E253A}\.cr\QGFQTHIU.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\QGFQTHIU.exe" -burn.filehandle.attached=188 -burn.filehandle.self=184
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\Temp\{5ED1FA76-E8E0-4DC9-8616-3B386EE56F34}\.ba\Celesta.dll

Filesize
1.4MB

MD5
dad4d39ac979cf5c545116b4f459e362

SHA1
54632d73df4ddf43ab38ed66c00989ee55569f7d

SHA256
c63054e681f9acbec7e12a8ba691bc3657e3279825734517929ccd9f1e43db4d

SHA512
cb81c2a457d7a65a52a0cc03161308aeaa1e39b4cdaeb16e70dfefbe79212d015674e6662bf9d0edbb95a7d4de8b33d0dfdb9da3d214e537cf557f042362811d

Download Submit
\Windows\Temp\{659DF0CE-781E-4723-963D-23BC080E253A}\.cr\QGFQTHIU.exe

Filesize
4.8MB

MD5
74302d09606255cb10a7df3a744e6908

SHA1
c64b9de79b68cdd0531219c8be07110caee014bc

SHA256
b040fd107e566c5e4bbd3d84fc51ae33d393fd3a03b33d07772733e36a2eb25d

SHA512
451c91b9b8454755c5a816f88c99b42e228ec21d4ab36938daa72e49b1490e93df6d28c53f6e3f1d97b21cb747714966c144928e141c481e10550b3c7eaea961

Download Submit