Analysis
max time kernel: 52s
max time network: 52s
platform: windows10_x64
resource: win10v20201028
submitted: 14-01-2021 12:02
Static task: static1
Behavioral task: behavioral1
  Sample: 98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5.exe
  Resource: win10v20201028
Errors
General
Target: 98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5.exe
Size: 949KB
MD5: 4ac96b4bc751beb32bff1b85f1b0668e
SHA1: f6fb3ba4b9980d2added4b5f106a99fe357658e8
SHA256: 98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5
SHA512: 53ffa9b7f77f1c37a9d5212bd34f733644d51444a6839a04e5fb1b04178a98a5753bf4a3cd71c854b1d47b9ec89d7d6b57f6911f534633fb1572816a10ebdbaa
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes:
  pid 2192  process notepader.exe
Modifies WinLogon to allow AutoLogon (2 TTPs, 1 IoCs)
Enables rebooting of the machine without requiring login credentials.
Processes:
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked  process LogonUI.exe
Loads dropped DLL (3 IoCs)
Processes:
  pid 880  process 98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5.exe
  pid 880  process 98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5.exe
  pid 880  process 98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\software\microsoft\windows\currentversion\run  process reg.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\QwikMark = "C:\\Users\\Admin\\AppData\\Roaming\\QwikMark\\QwikMark.exe"  process reg.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
JavaScript code in executable (1 IoCs)
Processes:
  resource \Users\Admin\AppData\Local\Temp\libeay32.dll  yara_rule js
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  process 98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  process 98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5.exe
Modifies data under HKEY_USERS (15 IoCs)
Processes:
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"  process LogonUI.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"  process LogonUI.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent  process LogonUI.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"  process LogonUI.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"  process LogonUI.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"  process LogonUI.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"  process LogonUI.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"  process LogonUI.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"  process LogonUI.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"  process LogonUI.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"  process LogonUI.exe
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  process LogonUI.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"  process LogonUI.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History  process LogonUI.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM  process LogonUI.exe
Modifies registry key (1 TTPs, 1 IoCs)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeShutdownPrivilege  pid 3564  process shutdown.exe
  Token: SeRemoteShutdownPrivilege  pid 3564  process shutdown.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid 2292  process LogonUI.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 880 wrote to memory of 2192  pid 880  process 98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5.exe  target process notepader.exe
  PID 880 wrote to memory of 2192  pid 880  process 98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5.exe  target process notepader.exe
  PID 880 wrote to memory of 2192  pid 880  process 98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5.exe  target process notepader.exe
  PID 2192 wrote to memory of 3508  pid 2192  process notepader.exe  target process reg.exe
  PID 2192 wrote to memory of 3508  pid 2192  process notepader.exe  target process reg.exe
  PID 2192 wrote to memory of 3508  pid 2192  process notepader.exe  target process reg.exe
  PID 2192 wrote to memory of 3564  pid 2192  process notepader.exe  target process shutdown.exe
  PID 2192 wrote to memory of 3564  pid 2192  process notepader.exe  target process shutdown.exe
  PID 2192 wrote to memory of 3564  pid 2192  process notepader.exe  target process shutdown.exe
Processes
(depth 1)
C:\Users\Admin\AppData\Local\Temp\98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5.exe"
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  (depth 2)
  C:\Users\Admin\AppData\Roaming\temp\notepader.exe
    Command line: "C:\Users\Admin\AppData\Roaming\temp\notepader.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    (depth 3)
    C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\System32\reg.exe" add hkcu\software\microsoft\windows\currentversion\run /v QwikMark /d C:\Users\Admin\AppData\Roaming\QwikMark\QwikMark.exe /f
      - Adds Run key to start application
      - Modifies registry key
    (depth 3)
    C:\Windows\SysWOW64\shutdown.exe
      Command line: "C:\Windows\System32\shutdown.exe" -r -f -t 0
      - Suspicious use of AdjustPrivilegeToken
(depth 1)
C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad3855 /state1:0x41c64e6d
  - Modifies WinLogon to allow AutoLogon
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\temp\notepader.exe
  MD5: ac6686ab0d5c145bbcfddec99c143f62
  SHA1: f1d5793db4c3e788126930e0f5ad535e8406249b
  SHA256: 99612e143d65598f830df1494e16eace445f0904218f3d6335f3cbd29d0378b5
  SHA512: ff40fafb995be7fe5a0f0bb7512d0cdda8b18b6aef1e8a90011831d63dfa187ce9f67cc5e60dc8df8fa2b42c19dd0415c5fb1428e29cdc07c435f55f473d0a99
\Users\Admin\AppData\Local\Temp\libeay32.dll
  MD5: fa5def992198121d4bb5ff3bde39fdc9
  SHA1: f684152c245cc708fbaf4d1c0472d783b26c5b18
  SHA256: 5264a4a478383f501961f2bd9beb1f77a43a487b76090561bba2cbfe951e5305
  SHA512: 4589382a71cd3a577b83bab4a0209e72e02f603e7da6ef3175b6a74bd958e70a891091dbdff4be0725baca2d665470594b03f074983b3ed3242e5cd04783fdba
\Users\Admin\AppData\Local\Temp\sqlite3.dll
  MD5: 834cd1be9a842cd06714ffc15f3b69c5
  SHA1: 56abf881d5cac709182f9e1e5ec1d975f378d1f6
  SHA256: ce580f987d9dd73d035ed44ae17fb4c7ed5e502f7aff3f6b19142c7d710cdd05
  SHA512: ad65ac34f0b89a79f46785b840e579db17080e22b3b2bb1986eb10026341e06f3626d3198eecfb6689acf5b87b2a7d07550ead4202d581f93c7745bd3cca38c5
memory/880-3-0x00000000034C0000-0x00000000035C1000-memory.dmp
  Filesize: 1.0MB
memory/2192-9-0x0000000000000000-mapping.dmp
memory/3508-12-0x0000000000000000-mapping.dmp
memory/3564-13-0x0000000000000000-mapping.dmp