Resubmissions

02-10-2021 09:27

211002-le22mseba6 8

02-10-2021 09:25

211002-ld3a1secbn 8

Analysis

  • max time kernel
    136s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    02-10-2021 09:27

General

  • Target

    https://qaz.im/load/GADT9F/Bb9GRt

  • Sample

    211002-le22mseba6

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Detects Pyinstaller 1 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 37 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://qaz.im/load/GADT9F/Bb9GRt
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3732
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3732 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3904
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4400
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Windows\system32\dashost.exe
        dashost.exe {fb40ace3-9205-431e-9d72f8b3b0388487}
        2⤵
          PID:4520
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:760
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\fdils_kdiwl.mp4
          2⤵
          • Opens file in notepad (likely ransom note)
          PID:3228

      Network

      MITRE ATT&CK Matrix (ATT&CK v6)

      Defense Evasion: Modify Registry, T1112 (2)

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\QD1LE119.cookie
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\VZ7IWFI0.cookie
      • C:\Users\Admin\Downloads\fdils_kdiwl.mp4.gc2c2hj.partial
      • memory/3228-121-0x0000000000000000-mapping.dmp
      • memory/3732-115-0x00007FFC0B190000-0x00007FFC0B1FB000-memory.dmp
        Filesize: 428KB
      • memory/3904-116-0x0000000000000000-mapping.dmp
      • memory/4520-120-0x0000000000000000-mapping.dmp