Resubmissions

14/01/2022, 07:01 UTC

220114-htmcysfahp 10

21/07/2021, 06:34 UTC

210721-3fc9s711mx 10

Analysis

  • max time kernel
    123s
  • max time network
    170s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    21/07/2021, 06:34 UTC

General

  • Target

    qaz.exe

  • Size

    489KB

  • MD5

    8f7205aaf80ce4b5d0ee8f00369f301a

  • SHA1

    401d3336eb33cf82eecb5df5c2ac6d5f7f78aa26

  • SHA256

    655ca39beb2413803af099879401e6d634942a169d2f57eb30f96154a78b2ad5

  • SHA512

    1de8e8e3e4e8356067365571e90a812425ef18da2b7c210656f79683d41d3943e7fd052160978e370952afe8b14555a51871bd2c3923294c5057a8bb6d82b47d

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer settings (1 TTP, 34 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SetWindowsHookEx (19 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\qaz.exe
    "C:\Users\Admin\AppData\Local\Temp\qaz.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2016
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1724
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:734212 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1036

Network

  • DNS (remote geo: US)
    update.centosupdates.com
    IEXPLORE.EXE
    Remote address:
    8.8.8.8:53
    Request
    update.centosupdates.com
    IN A
    Response
    update.centosupdates.com
    IN A
    107.191.61.40
  • GET (remote geo: JP)
    http://update.centosupdates.com/index.html
    IEXPLORE.EXE
    Remote address:
    107.191.61.40:80
    Request
    GET /index.html HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: update.centosupdates.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Server: Microsoft-IIS/8.5
    Date: Wed, 21 Jul 2021 06:34:58 GMT
    Content-Length: 1245
  • GET (remote geo: JP)
    http://update.centosupdates.com/index.html
    IEXPLORE.EXE
    Remote address:
    107.191.61.40:80
    Request
    GET /index.html HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: update.centosupdates.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Server: Microsoft-IIS/8.5
    Date: Wed, 21 Jul 2021 06:35:04 GMT
    Content-Length: 1245
  • GET (remote geo: JP)
    http://107.191.61.40/index.html
    IEXPLORE.EXE
    Remote address:
    107.191.61.40:80
    Request
    GET /index.html HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: 107.191.61.40
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Server: Microsoft-IIS/8.5
    Date: Wed, 21 Jul 2021 06:35:10 GMT
    Content-Length: 1245
  • GET (remote geo: JP)
    http://107.191.61.40/index.html
    IEXPLORE.EXE
    Remote address:
    107.191.61.40:80
    Request
    GET /index.html HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: 107.191.61.40
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Content-Type: text/html
    Server: Microsoft-IIS/8.5
    Date: Wed, 21 Jul 2021 06:35:17 GMT
    Content-Length: 1245
  • 107.191.61.40:80
    update.centosupdates.com
    IEXPLORE.EXE
    144 B
    52 B
    3
    1
  • 107.191.61.40:80
    http://update.centosupdates.com/index.html
    http
    IEXPLORE.EXE
    499 B
    1.5kB
    5
    2

    HTTP Request

    GET http://update.centosupdates.com/index.html

    HTTP Response

    404
  • 107.191.61.40:80
    http://update.centosupdates.com/index.html
    http
    IEXPLORE.EXE
    499 B
    1.5kB
    5
    2

    HTTP Request

    GET http://update.centosupdates.com/index.html

    HTTP Response

    404
  • 107.191.61.40:80
    update.centosupdates.com
    IEXPLORE.EXE
    144 B
    52 B
    3
    1
  • 107.191.61.40:80
    update.centosupdates.com
    IEXPLORE.EXE
    144 B
    52 B
    3
    1
  • 107.191.61.40:80
    http://107.191.61.40/index.html
    http
    IEXPLORE.EXE
    832 B
    2.9kB
    7
    3

    HTTP Request

    GET http://107.191.61.40/index.html

    HTTP Response

    404

    HTTP Request

    GET http://107.191.61.40/index.html

    HTTP Response

    404
  • 8.8.8.8:53
    update.centosupdates.com
    dns
    IEXPLORE.EXE
    70 B
    86 B
    1
    1

    DNS Request

    update.centosupdates.com

    DNS Response

    107.191.61.40
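The network section above gives a practitioner two things to take away: a set of atomic indicators (the sample hash, update.centosupdates.com, 107.191.61.40 and the two index.html URLs) and a behavioural pattern (an executable launched from %TEMP% followed within seconds by iexplore.exe started with -Embedding, i.e. COM-activated, so the browser is not a child of qaz.exe and the report lists both processes at depth 1). The 404 responses and the 1/10 score only say the path was not served at analysis time; they say nothing about the indicators being safe to ignore. The script below is an added example, not code from the report or the sandbox vendor: it matches those indicators and that time-based pattern against a few constructed, Sysmon-like event records (field names simplified; timestamps, parent images and the benign example.org entry are assumptions, only the hash, domain, IP, URLs, PIDs and paths come from the report).

```python
"""Match the indicators from this report against endpoint telemetry.

Added example; the event records are constructed for illustration (Sysmon-like
fields, simplified) and are not from the sandbox report. Only the indicator
values (hash, domain, IP, URLs) and the PIDs/paths are taken from the report.
"""
from datetime import datetime

# Indicators copied from the report.
IOCS = {
    "sha256": {"655ca39beb2413803af099879401e6d634942a169d2f57eb30f96154a78b2ad5"},
    "domains": {"update.centosupdates.com"},
    "ips": {"107.191.61.40"},
    "urls": {
        "http://update.centosupdates.com/index.html",
        "http://107.191.61.40/index.html",
    },
}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sample telemetry (hypothetical timestamps and parent images;
# PIDs and paths mirror the report's process tree).
SAMPLE_EVENTS = [
    {"ts": "2021-07-21T06:34:41Z", "type": "process_create", "pid": 2016,
     "image": r"C:\Users\Admin\AppData\Local\Temp\qaz.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\qaz.exe"',
     "sha256": "655ca39beb2413803af099879401e6d634942a169d2f57eb30f96154a78b2ad5"},
    # COM-activated IE (-Embedding): the parent is the DCOM launcher service
    # host, not qaz.exe, consistent with the report listing both at depth 1.
    {"ts": "2021-07-21T06:34:43Z", "type": "process_create", "pid": 2008,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding',
     "sha256": "0" * 64},  # placeholder hash, deliberately not an IOC
    {"ts": "2021-07-21T06:34:57Z", "type": "dns_query", "pid": 2008,
     "query": "update.centosupdates.com", "answer": "107.191.61.40"},
    {"ts": "2021-07-21T06:34:58Z", "type": "network_connect", "pid": 2008,
     "dest_ip": "107.191.61.40", "dest_port": 80},
    {"ts": "2021-07-21T06:34:58Z", "type": "http_request", "pid": 2008,
     "url": "http://update.centosupdates.com/index.html", "status": 404},
    # Benign noise that must not match (RFC 5737 documentation address).
    {"ts": "2021-07-21T06:35:30Z", "type": "dns_query", "pid": 900,
     "query": "www.example.org", "answer": "203.0.113.10"},
]


def match_iocs(events):
    """Return (event_index, indicator_type, value) for every atomic IOC hit.

    A single DNS event can hit twice (queried name and returned address).
    """
    hits = []
    for i, ev in enumerate(events):
        if ev.get("sha256") in IOCS["sha256"]:
            hits.append((i, "sha256", ev["sha256"]))
        if ev.get("query") in IOCS["domains"]:
            hits.append((i, "domain", ev["query"]))
        for key in ("answer", "dest_ip"):
            if ev.get(key) in IOCS["ips"]:
                hits.append((i, "ip", ev[key]))
        if ev.get("url") in IOCS["urls"]:
            hits.append((i, "url", ev["url"]))
    return hits


def embedding_after_temp_exe(events, window_s=60):
    """Pair each executable started from a user Temp directory with any
    'iexplore.exe -Embedding' start in the following window_s seconds.

    COM activation means the browser's parent is the DCOM launcher, so a
    parent-PID rule would miss it; correlate by time instead.
    Returns (temp_pid, ie_pid, delay_seconds) tuples.
    """
    starts = [ev for ev in events if ev["type"] == "process_create"]
    temp_starts = [ev for ev in starts
                   if "\\appdata\\local\\temp\\" in ev["image"].lower()]
    ie_starts = [ev for ev in starts
                 if ev["image"].lower().endswith("\\iexplore.exe")
                 and "-embedding" in ev["cmdline"].lower()]
    pairs = []
    for t in temp_starts:
        for ie in ie_starts:
            delay = (_ts(ie["ts"]) - _ts(t["ts"])).total_seconds()
            if 0 <= delay <= window_s:
                pairs.append((t["pid"], ie["pid"], int(delay)))
    return pairs


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_EVENTS):
        print("IOC hit:", hit)
    for pair in embedding_after_temp_exe(SAMPLE_EVENTS):
        print("Temp exe %d followed by COM-launched IE %d after %ds" % pair)
```

The atomic matches are the quick win for retro-hunting DNS and proxy logs; the time-window rule is the more durable one, since the domain and address can change between resubmissions while the launch pattern stays the same. Tune window_s to the telemetry's clock skew and expect some noise from legitimate COM activations of Internet Explorer.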

MITRE ATT&CK Enterprise v6


Downloads

  • memory/2008-61-0x000007FEFC471000-0x000007FEFC473000-memory.dmp

    Filesize

    8KB

  • memory/2008-62-0x0000000002150000-0x0000000002160000-memory.dmp

    Filesize

    64KB

  • memory/2016-60-0x0000000076A81000-0x0000000076A83000-memory.dmp

    Filesize

    8KB

  • memory/2016-65-0x0000000000100000-0x0000000000102000-memory.dmp

    Filesize

    8KB
