Analysis
- max time kernel: 300s
- max time network: 285s
- platform: windows7_x64
- resource: win7-en
- submitted: 15-09-2021 07:18
Static task: static1

Behavioral task: behavioral1
  Sample: qyKhB5f1ZqVwJKa5.exe
  Resource: win7-en
  Platform: windows7_x64
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: qyKhB5f1ZqVwJKa5.exe
  Resource: win10v20210408
  Platform: windows10_x64
  0 signatures, 0 seconds
General
- Target: qyKhB5f1ZqVwJKa5.exe
- Size: 298KB
- MD5: 29d631f3a6348fd7e4c303b3ce041e2f
- SHA1: 96851ded0e1a3a54c4de715642f9b7460effbb02
- SHA256: 1f7e0a861b1706f4503ad22b96e4d19526081f3e5e6fb73cc81bfced9c2a4556
- SHA512: 5938f9eca3f815e8fe0fdfeffb50c79b7195af22014a8bd579a4f5a34908a870ddc74c48d6cce7a2f0a0cdce762e839300a13482b3029305a545f924d18c87be
- Score: 7/10
Malware Config
Signatures
- Drops startup file (2 IoCs)
  Processes: qyKhB5f1ZqVwJKa5.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qyKhB5f1ZqVwJKa5.exe | qyKhB5f1ZqVwJKa5.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qyKhB5f1ZqVwJKa5.exe | qyKhB5f1ZqVwJKa5.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes: qyKhB5f1ZqVwJKa5.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cry.img" | qyKhB5f1ZqVwJKa5.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: AUDIODG.EXE
  description | pid | process
  Token: 33 | 1212 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1212 | AUDIODG.EXE
  Token: 33 | 1212 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1212 | AUDIODG.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\qyKhB5f1ZqVwJKa5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\qyKhB5f1ZqVwJKa5.exe"
  - Drops startup file
  - Sets desktop wallpaper using registry
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2e4
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory dump | Filesize
memory/908-58-0x000007FEFB651000-0x000007FEFB653000-memory.dmp | 8KB
memory/1032-53-0x000007FEF1DF0000-0x000007FEF2E86000-memory.dmp | 16.6MB
memory/1032-54-0x0000000000CB0000-0x0000000000CB2000-memory.dmp | 8KB
memory/1032-55-0x0000000000CB6000-0x0000000000CD5000-memory.dmp | 124KB
memory/1032-57-0x0000000000CD6000-0x0000000000CD7000-memory.dmp | 4KB
memory/1032-56-0x0000000000CD5000-0x0000000000CD6000-memory.dmp | 4KB