Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-01-2025 08:47

General

  • Target

    QGFQTHIU.exe

  • Size

    5.4MB

  • MD5

    6e3dc1be717861da3cd7c57e8a1e3911

  • SHA1

    767e39aa9f02592d4234f38a21ea9a0e5aa66c62

  • SHA256

    d4a388cc151fa56379f9ac6ef8b7851b6750c2ecfc2c8f6904ac6002865c4f30

  • SHA512

    da91742e1494c027616e114e42d3333d61eda91379f6ad2ba415dc39e0b5165a25498d60537b3cb12a49267c306dfbec87d3af528e27abc9946cd5fda6b129c1

  • SSDEEP

    98304:UK/ZoaSs+bgcPlK+rSN2xeELJ4g1x3+FbdYapMDrEPxiJVwJyHLcnP6WfwCA+D://uVs+bH9K+OGeIBSHqDIPI7WOLyyWfF

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QGFQTHIU.exe
    "C:\Users\Admin\AppData\Local\Temp\QGFQTHIU.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Windows\TEMP\{92532FE1-0DA2-40A3-9D09-5ED5C909C13A}\.cr\QGFQTHIU.exe
      "C:\Windows\TEMP\{92532FE1-0DA2-40A3-9D09-5ED5C909C13A}\.cr\QGFQTHIU.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\QGFQTHIU.exe" -burn.filehandle.attached=188 -burn.filehandle.self=184
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:1556

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Windows\Temp\{92532FE1-0DA2-40A3-9D09-5ED5C909C13A}\.cr\QGFQTHIU.exe

    Filesize

    4.8MB

    MD5

    74302d09606255cb10a7df3a744e6908

    SHA1

    c64b9de79b68cdd0531219c8be07110caee014bc

    SHA256

    b040fd107e566c5e4bbd3d84fc51ae33d393fd3a03b33d07772733e36a2eb25d

    SHA512

    451c91b9b8454755c5a816f88c99b42e228ec21d4ab36938daa72e49b1490e93df6d28c53f6e3f1d97b21cb747714966c144928e141c481e10550b3c7eaea961

  • \Windows\Temp\{E08992B0-BC68-427E-8EAE-B74468688623}\.ba\Celesta.dll

    Filesize

    1.4MB

    MD5

    dad4d39ac979cf5c545116b4f459e362

    SHA1

    54632d73df4ddf43ab38ed66c00989ee55569f7d

    SHA256

    c63054e681f9acbec7e12a8ba691bc3657e3279825734517929ccd9f1e43db4d

    SHA512

    cb81c2a457d7a65a52a0cc03161308aeaa1e39b4cdaeb16e70dfefbe79212d015674e6662bf9d0edbb95a7d4de8b33d0dfdb9da3d214e537cf557f042362811d
