Analysis
-
max time kernel
52s -
max time network
52s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
14-01-2021 12:02
Errors
General
-
Target
98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5.exe
-
Size
949KB
-
MD5
4ac96b4bc751beb32bff1b85f1b0668e
-
SHA1
f6fb3ba4b9980d2added4b5f106a99fe357658e8
-
SHA256
98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5
-
SHA512
53ffa9b7f77f1c37a9d5212bd34f733644d51444a6839a04e5fb1b04178a98a5753bf4a3cd71c854b1d47b9ec89d7d6b57f6911f534633fb1572816a10ebdbaa
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
JavaScript code in executable 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5.exe"C:\Users\Admin\AppData\Local\Temp\98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\temp\notepader.exe"C:\Users\Admin\AppData\Roaming\temp\notepader.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" add hkcu\software\microsoft\windows\currentversion\run /v QwikMark /d C:\Users\Admin\AppData\Roaming\QwikMark\QwikMark.exe /f3⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\SysWOW64\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -f -t 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ad3855 /state1:0x41c64e6d1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\temp\notepader.exeMD5
ac6686ab0d5c145bbcfddec99c143f62
SHA1f1d5793db4c3e788126930e0f5ad535e8406249b
SHA25699612e143d65598f830df1494e16eace445f0904218f3d6335f3cbd29d0378b5
SHA512ff40fafb995be7fe5a0f0bb7512d0cdda8b18b6aef1e8a90011831d63dfa187ce9f67cc5e60dc8df8fa2b42c19dd0415c5fb1428e29cdc07c435f55f473d0a99
-
C:\Users\Admin\AppData\Roaming\temp\notepader.exeMD5
ac6686ab0d5c145bbcfddec99c143f62
SHA1f1d5793db4c3e788126930e0f5ad535e8406249b
SHA25699612e143d65598f830df1494e16eace445f0904218f3d6335f3cbd29d0378b5
SHA512ff40fafb995be7fe5a0f0bb7512d0cdda8b18b6aef1e8a90011831d63dfa187ce9f67cc5e60dc8df8fa2b42c19dd0415c5fb1428e29cdc07c435f55f473d0a99
-
\Users\Admin\AppData\Local\Temp\libeay32.dllMD5
fa5def992198121d4bb5ff3bde39fdc9
SHA1f684152c245cc708fbaf4d1c0472d783b26c5b18
SHA2565264a4a478383f501961f2bd9beb1f77a43a487b76090561bba2cbfe951e5305
SHA5124589382a71cd3a577b83bab4a0209e72e02f603e7da6ef3175b6a74bd958e70a891091dbdff4be0725baca2d665470594b03f074983b3ed3242e5cd04783fdba
-
\Users\Admin\AppData\Local\Temp\sqlite3.dllMD5
834cd1be9a842cd06714ffc15f3b69c5
SHA156abf881d5cac709182f9e1e5ec1d975f378d1f6
SHA256ce580f987d9dd73d035ed44ae17fb4c7ed5e502f7aff3f6b19142c7d710cdd05
SHA512ad65ac34f0b89a79f46785b840e579db17080e22b3b2bb1986eb10026341e06f3626d3198eecfb6689acf5b87b2a7d07550ead4202d581f93c7745bd3cca38c5
-
\Users\Admin\AppData\Local\Temp\sqlite3.dllMD5
834cd1be9a842cd06714ffc15f3b69c5
SHA156abf881d5cac709182f9e1e5ec1d975f378d1f6
SHA256ce580f987d9dd73d035ed44ae17fb4c7ed5e502f7aff3f6b19142c7d710cdd05
SHA512ad65ac34f0b89a79f46785b840e579db17080e22b3b2bb1986eb10026341e06f3626d3198eecfb6689acf5b87b2a7d07550ead4202d581f93c7745bd3cca38c5
-
memory/880-3-0x00000000034C0000-0x00000000035C1000-memory.dmpFilesize
1.0MB
-
memory/2192-9-0x0000000000000000-mapping.dmp
-
memory/3508-12-0x0000000000000000-mapping.dmp
-
memory/3564-13-0x0000000000000000-mapping.dmp