Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-05-2022 04:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: UQD_211116.exe
- Resource: win7-20220414-en
General
- Target: UQD_211116.exe
- Size: 11.7MB
- MD5: 4dadc2245fc209e51d9c22753f5a8eec
- SHA1: 2e32247294f43fac2edcdd1d044c70b398e03905
- SHA256: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
- SHA512: 4d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14
Malware Config
Signatures
-
Drops file in Drivers directory (2 IoCs)
Processes: UQD_211116.exe
description | ioc | process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | UQD_211116.exe
File created | C:\Windows\System32\drivers\etc\hosts | UQD_211116.exe
-
Executes dropped EXE (6 IoCs)
Processes: litrrst.exe, ksnvpti.exe, ~ymlsukl.exe, ~ymlsukl.exe, cjndozq.exe, ~ymlsukl.exe
pid | process
1960 | litrrst.exe
3536 | ksnvpti.exe
3480 | ~ymlsukl.exe
3256 | ~ymlsukl.exe
4660 | cjndozq.exe
2740 | ~ymlsukl.exe
-
YARA rule match: upx (6 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\rqkvvfj\litrrst.exe | upx
C:\Users\Admin\AppData\Local\Temp\rqkvvfj\litrrst.exe | upx
C:\Users\Admin\AppData\Local\Temp\ksnvpti.exe | upx
C:\Users\Admin\AppData\Local\Temp\ksnvpti.exe | upx
C:\Users\Admin\AppData\Local\Temp\cjndozq.exe | upx
C:\Users\Admin\AppData\Local\Temp\cjndozq.exe | upx
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: UQD_211116.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | UQD_211116.exe
-
Drops startup file (1 IoCs)
Processes: UQD_211116.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | UQD_211116.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 28 IoCs)
Processes: Rundll32.exe, UQD_211116.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | Rundll32.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx | UQD_211116.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx | UQD_211116.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | UQD_211116.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | UQD_211116.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | UQD_211116.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | UQD_211116.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | UQD_211116.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | UQD_211116.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | UQD_211116.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx | UQD_211116.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run | UQD_211116.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX | UQD_211116.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx | UQD_211116.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx | UQD_211116.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | UQD_211116.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | UQD_211116.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | UQD_211116.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | UQD_211116.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCEEX | UQD_211116.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | UQD_211116.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx | UQD_211116.exe
-
Drops desktop.ini file(s) (2 IoCs)
Processes: UQD_211116.exe
description | ioc | process
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | UQD_211116.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | UQD_211116.exe
-
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: UQD_211116.exe
description | ioc | process
File opened (read-only) | \??\a: | UQD_211116.exe
File opened (read-only) | \??\h: | UQD_211116.exe
File opened (read-only) | \??\z: | UQD_211116.exe
File opened (read-only) | \??\r: | UQD_211116.exe
File opened (read-only) | \??\w: | UQD_211116.exe
File opened (read-only) | \??\y: | UQD_211116.exe
File opened (read-only) | \??\l: | UQD_211116.exe
File opened (read-only) | \??\m: | UQD_211116.exe
File opened (read-only) | \??\q: | UQD_211116.exe
File opened (read-only) | \??\p: | UQD_211116.exe
File opened (read-only) | \??\s: | UQD_211116.exe
File opened (read-only) | \??\t: | UQD_211116.exe
File opened (read-only) | \??\u: | UQD_211116.exe
File opened (read-only) | \??\v: | UQD_211116.exe
File opened (read-only) | \??\b: | UQD_211116.exe
File opened (read-only) | \??\f: | UQD_211116.exe
File opened (read-only) | \??\i: | UQD_211116.exe
File opened (read-only) | \??\k: | UQD_211116.exe
File opened (read-only) | \??\n: | UQD_211116.exe
File opened (read-only) | \??\o: | UQD_211116.exe
File opened (read-only) | \??\x: | UQD_211116.exe
File opened (read-only) | \??\e: | UQD_211116.exe
File opened (read-only) | \??\g: | UQD_211116.exe
File opened (read-only) | \??\j: | UQD_211116.exe
-
Installs/modifies Browser Helper Object (2 TTPs)
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in Program Files directory (2 IoCs)
Processes: UQD_211116.exe
description | ioc | process
File created | C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg | UQD_211116.exe
File opened for modification | C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg | UQD_211116.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: runonce.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | runonce.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | runonce.exe
-
Modifies Internet Explorer settings (13 IoCs)
Processes: UQD_211116.exe, ~ymlsukl.exe, ~ymlsukl.exe, ~ymlsukl.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\First Home Page = "http://www.136738.com/?30507" | UQD_211116.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main | UQD_211116.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\First Home Page = "http://www.136738.com/?30507" | UQD_211116.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main | UQD_211116.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.136738.com/?30507" | UQD_211116.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\First Home Page = "http://www.136738.com/?30507" | UQD_211116.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main | UQD_211116.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.136738.com/?30507" | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN | ~ymlsukl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN | ~ymlsukl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN | ~ymlsukl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN | UQD_211116.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.136738.com/?30507" | UQD_211116.exe
-
Modifies Internet Explorer start page (1 TTPs, 3 IoCs)
Processes: UQD_211116.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.136738.com/?30507" | UQD_211116.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.136738.com/?30507" | UQD_211116.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.136738.com/?30507" | UQD_211116.exe
-
Modifies registry class (25 IoCs)
Processes: UQD_211116.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82} | UQD_211116.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\ = "Internet Explorer" | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\DefaultIcon | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open | UQD_211116.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open\ = "打开主页(&H)" | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open\Command | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns\Command | UQD_211116.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Open\Command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\"" | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set | UQD_211116.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set\ = "属性(&R)" | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set\Command | UQD_211116.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\Set\Command\ = "C:\\Windows\\SysWOW64\\rundll32.exe C:\\Windows\\SysWOW64\\shell32.dll,Control_RunDLL C:\\Windows\\SysWOW64\\inetcpl.cpl" | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage | UQD_211116.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\DefaultIcon\ = "C:\\Windows\\SysWOW64\\ieframe.dll,-190" | UQD_211116.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns\ = "在没有加载项的情况下启动" | UQD_211116.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5EAD1DB-7C18-4954-8820-01733BC08C82}\shell\NoAddOns\Command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" -extoff" | UQD_211116.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | UQD_211116.exe
-
Runs ping.exe (1 TTPs, 19 IoCs)
Processes: PING.EXE (19 instances)
pid | process
4772, 1588, 4552, 4616, 2160, 3600, 3952, 2216, 4384, 1396, 2652, 1248, 4948, 1816, 4748, 4528, 3968, 724, 540 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: UQD_211116.exe, UQD_211116.exe
pid | process | entries
4044 | UQD_211116.exe | 58
5088 | UQD_211116.exe | 6
-
Suspicious behavior: RenamesItself (1 IoCs)
Processes: UQD_211116.exe
pid | process
4044 | UQD_211116.exe
-
Suspicious use of AdjustPrivilegeToken (22 IoCs)
Processes: UQD_211116.exe, UQD_211116.exe, litrrst.exe, ksnvpti.exe, ~ymlsukl.exe, ~ymlsukl.exe, cjndozq.exe, ~ymlsukl.exe
description | pid | process
Token: SeDebugPrivilege | 4044 | UQD_211116.exe
Token: SeDebugPrivilege | 5088 | UQD_211116.exe
Token: SeDebugPrivilege | 1960 | litrrst.exe
Token: SeDebugPrivilege | 3536 | ksnvpti.exe
Token: SeRestorePrivilege | 3536 | ksnvpti.exe
Token: SeTakeOwnershipPrivilege | 3536 | ksnvpti.exe
Token: SeDebugPrivilege | 3536 | ksnvpti.exe
Token: SeSecurityPrivilege | 3536 | ksnvpti.exe
Token: SeBackupPrivilege | 3480 | ~ymlsukl.exe
Token: SeRestorePrivilege | 3480 | ~ymlsukl.exe
Token: SeTakeOwnershipPrivilege | 3480 | ~ymlsukl.exe
Token: SeBackupPrivilege | 3256 | ~ymlsukl.exe
Token: SeRestorePrivilege | 3256 | ~ymlsukl.exe
Token: SeTakeOwnershipPrivilege | 3256 | ~ymlsukl.exe
Token: SeDebugPrivilege | 4660 | cjndozq.exe
Token: SeRestorePrivilege | 4660 | cjndozq.exe
Token: SeTakeOwnershipPrivilege | 4660 | cjndozq.exe
Token: SeDebugPrivilege | 4660 | cjndozq.exe
Token: SeSecurityPrivilege | 4660 | cjndozq.exe
Token: SeBackupPrivilege | 2740 | ~ymlsukl.exe
Token: SeRestorePrivilege | 2740 | ~ymlsukl.exe
Token: SeTakeOwnershipPrivilege | 2740 | ~ymlsukl.exe
-
Suspicious use of FindShellTrayWindow (44 IoCs)
Processes: UQD_211116.exe
pid | process | entries
4044 | UQD_211116.exe | 44
-
Suspicious use of SendNotifyMessage (44 IoCs)
Processes: UQD_211116.exe
pid | process | entries
4044 | UQD_211116.exe | 44
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: UQD_211116.exe, litrrst.exe, cmd.exe, Rundll32.exe, runonce.exe, cmd.exe
description | pid | process | target process | entries
PID 4044 wrote to memory of 5088 | 4044 | UQD_211116.exe | UQD_211116.exe | 3
PID 4044 wrote to memory of 1960 | 4044 | UQD_211116.exe | litrrst.exe | 3
PID 4044 wrote to memory of 3536 | 4044 | UQD_211116.exe | ksnvpti.exe | 3
PID 1960 wrote to memory of 3580 | 1960 | litrrst.exe | cmd.exe | 2
PID 3580 wrote to memory of 2160 | 3580 | cmd.exe | PING.EXE | 2
PID 3580 wrote to memory of 1816 | 3580 | cmd.exe | PING.EXE | 2
PID 4044 wrote to memory of 3480 | 4044 | UQD_211116.exe | ~ymlsukl.exe | 2
PID 4044 wrote to memory of 3256 | 4044 | UQD_211116.exe | ~ymlsukl.exe | 2
PID 3580 wrote to memory of 3600 | 3580 | cmd.exe | PING.EXE | 2
PID 4044 wrote to memory of 4660 | 4044 | UQD_211116.exe | cjndozq.exe | 3
PID 3580 wrote to memory of 4748 | 3580 | cmd.exe | PING.EXE | 2
PID 4044 wrote to memory of 2740 | 4044 | UQD_211116.exe | ~ymlsukl.exe | 2
PID 3580 wrote to memory of 4528 | 3580 | cmd.exe | PING.EXE | 2
PID 3580 wrote to memory of 4772 | 3580 | cmd.exe | PING.EXE | 2
PID 4044 wrote to memory of 1500 | 4044 | UQD_211116.exe | Rundll32.exe | 2
PID 1500 wrote to memory of 3792 | 1500 | Rundll32.exe | runonce.exe | 2
PID 3580 wrote to memory of 3968 | 3580 | cmd.exe | PING.EXE | 2
PID 3792 wrote to memory of 4416 | 3792 | runonce.exe | grpconv.exe | 2
PID 3580 wrote to memory of 3952 | 3580 | cmd.exe | PING.EXE | 2
PID 3580 wrote to memory of 1396 | 3580 | cmd.exe | PING.EXE | 2
PID 3580 wrote to memory of 724 | 3580 | cmd.exe | PING.EXE | 2
PID 3580 wrote to memory of 2652 | 3580 | cmd.exe | PING.EXE | 2
PID 3580 wrote to memory of 1588 | 3580 | cmd.exe | PING.EXE | 2
PID 3580 wrote to memory of 4552 | 3580 | cmd.exe | PING.EXE | 2
PID 3580 wrote to memory of 2216 | 3580 | cmd.exe | PING.EXE | 2
PID 3580 wrote to memory of 4616 | 3580 | cmd.exe | PING.EXE | 2
PID 3580 wrote to memory of 1248 | 3580 | cmd.exe | PING.EXE | 2
PID 4044 wrote to memory of 1984 | 4044 | UQD_211116.exe | cmd.exe | 2
PID 4044 wrote to memory of 2936 | 4044 | UQD_211116.exe | cmd.exe | 2
PID 1984 wrote to memory of 4384 | 1984 | cmd.exe | PING.EXE | 2
-
System policy modification (1 TTPs, 3 IoCs)
Processes: UQD_211116.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | UQD_211116.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | UQD_211116.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | UQD_211116.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\UQD_211116.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\UQD_211116.exe"
    - Drops file in Drivers directory
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - System policy modification

  [2] C:\Users\Admin\AppData\Local\Temp\UQD_211116.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\UQD_211116.exe /nstart
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\rqkvvfj\litrrst.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\rqkvvfj\litrrst.exe /nys
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nIT6RDZ.bat
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\PING.EXE
          cmdline: ping -n 1 127.0.0.1
          - Runs ping.exe

      [4] C:\Windows\system32\PING.EXE (15 child processes with this identical command line)
          cmdline: ping -n 3 127.0.0.1
          - Runs ping.exe

  [2] C:\Users\Admin\AppData\Local\Temp\ksnvpti.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\ksnvpti.exe /HomeRegAccess10
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\~ymlsukl.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\~ymlsukl.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn setowner -ownr "n:Administrators"
      - Executes dropped EXE
      - Modifies Internet Explorer settings
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\~ymlsukl.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\~ymlsukl.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn ace -ace "n:Everyone;p:full;i:np;m:set" -rec no
      - Executes dropped EXE
      - Modifies Internet Explorer settings
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\cjndozq.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\cjndozq.exe /HomeRegAccess10
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\~ymlsukl.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\~ymlsukl.exe -on "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN" -ot reg -actn ace -ace "n:Everyone;p:full;i:np;m:set" -rec no
      - Executes dropped EXE
      - Modifies Internet Explorer settings
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SYSTEM32\Rundll32.exe
      cmdline: Rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Users\Admin\AppData\Local\Temp\~wzrybae.inf
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\runonce.exe
        cmdline: "C:\Windows\system32\runonce.exe" -r
        - Checks processor information in registry
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\System32\grpconv.exe
          cmdline: "C:\Windows\System32\grpconv.exe" -o

  [2] C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ImDWecZ.bat

    [3] C:\Windows\system32\PING.EXE
        cmdline: ping -n 1 127.0.0.1
        - Runs ping.exe

  [2] C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ekhSvpy.bat
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\PING.EXE
        cmdline: ping -n 3 127.0.0.1
        - Runs ping.exe

    [3] C:\Windows\system32\PING.EXE
        cmdline: ping -n 1 127.0.0.1
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ImDWecZ.bat
  Filesize: 473B
  MD5: ba9424dc4564bac18f298c9cc59b51ed
  SHA1: 075b4affd5fb21715c382918cea595869792c9a4
  SHA256: 676499b9817d8560f73da837deef27ac17ec3cc34ae6275582af2d716c0ca2f3
  SHA512: bf05c8bd3bd688928f3de4350ffae8daa849186dcb5c620f220f49abee36af34e83a2e9ad7c1e9a37e1ea4b9e36003af59ab345fc86c274124843d40bde6e3c5
-
C:\Users\Admin\AppData\Local\Temp\cjndozq.exe
  Filesize: 11.7MB
  MD5: 4dadc2245fc209e51d9c22753f5a8eec
  SHA1: 2e32247294f43fac2edcdd1d044c70b398e03905
  SHA256: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
  SHA512: 4d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14
-
C:\Users\Admin\AppData\Local\Temp\ekhSvpy.bat
  Filesize: 465B
  MD5: 0b40ccbff72056b62cba3a2082b3c11a
  SHA1: 64872b647cd2f18a3e8312af767d73877e21858d
  SHA256: 04baace262019aaf6937e6d29f31972dccb1dde2a06d28f0110fa174f303e369
  SHA512: 2156bf8bdb6198e430245f86f2ad6c8bd41596881c9e243b3208c528abfff09badd1fb643d1119e9d4f53a55525f4719c19d32da0cd1d3d2d304c825c63db3e2
-
C:\Users\Admin\AppData\Local\Temp\ksnvpti.exe
  Filesize: 11.7MB
  MD5: 4dadc2245fc209e51d9c22753f5a8eec
  SHA1: 2e32247294f43fac2edcdd1d044c70b398e03905
  SHA256: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
  SHA512: 4d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14
-
C:\Users\Admin\AppData\Local\Temp\nIT6RDZ.bat
  Filesize: 493B
  MD5: 38b27c1d31a81e7af7732504b3b6056b
  SHA1: 19dc53a3c546c3ef6855e648bdf080244ced745a
  SHA256: 83f926f7eef2fdef15fb57014f3e3897a76034ab1140b035615964bd826be093
  SHA512: 66127297e0ef9fdd259dfbefc87967c63e702179ba02fac88de9e62b4dd4831d207f42441a322dc2d04ab16cb2f427aabc82d735e1d992a6b7240fbfa8ff70d6
-
C:\Users\Admin\AppData\Local\Temp\rqkvvfj\litrrst.exe
  Filesize: 11.7MB
  MD5: 4dadc2245fc209e51d9c22753f5a8eec
  SHA1: 2e32247294f43fac2edcdd1d044c70b398e03905
  SHA256: 488bf0c238bc463b44031393d299f8959b277b45ac18a09d82f5d1557223ef70
  SHA512: 4d32dbb195618a4bc0bbeddea954d29ddbc8f1995fe090e54f9a0e41ca2bbc0cfdf8bc9cedb19436e936c59b8de162ed7d41c1537062106b48bf163faf190a14
-
C:\Users\Admin\AppData\Local\Temp\~wzrybae.inf
  Filesize: 32B
  MD5: 8f5f4837dd4a1680d79bbdca9cc1e08f
  SHA1: 688b5d5ef993733b97b303ed4c8409a14b230de5
  SHA256: 2bce6b9395cc74d16b9c94fd90debd9d524ffb53c6f6ae3a49b6e139671417b2
  SHA512: bd75b564fe3c93dffdc65fe58463378f54268308ca5eaba5fc7f80458016f331a6596bfdaf63845c1d5c6c60df2a0ec2aff94d2aae7797da4f5f975f0363bd66
-
C:\Users\Admin\AppData\Local\Temp\~ymlsukl.exe
  Filesize: 546KB
  MD5: 3e350eb5df15c06dec400a39dd1c6f29
  SHA1: f1434cfef2c05fda919922b721ec1a17adb3194e
  SHA256: 427ff43693cb3ca2812c4754f607f107a6b2d3f5a8b313addee57d89982df419
  SHA512: b6b6cdfe2b08aa49254e48302385a3a2a8385e2228bdcffd3032757acf1a1d4abff1270f5488083cfa4480439ff161a9d0ea5f193cabc1eb1e7b1255ce262ab6
-
memory/540-175-0x0000000000000000-mapping.dmp
-
memory/724-162-0x0000000000000000-mapping.dmp
-
memory/1248-168-0x0000000000000000-mapping.dmp
-
memory/1396-161-0x0000000000000000-mapping.dmp
-
memory/1500-155-0x0000000000000000-mapping.dmp
-
memory/1588-164-0x0000000000000000-mapping.dmp
-
memory/1816-140-0x0000000000000000-mapping.dmp
-
memory/1960-131-0x0000000000000000-mapping.dmp
-
memory/1984-169-0x0000000000000000-mapping.dmp
-
memory/2160-139-0x0000000000000000-mapping.dmp
-
memory/2216-166-0x0000000000000000-mapping.dmp
-
memory/2652-163-0x0000000000000000-mapping.dmp
-
memory/2740-151-0x0000000000000000-mapping.dmp
-
memory/2936-170-0x0000000000000000-mapping.dmp
-
memory/3256-144-0x0000000000000000-mapping.dmp
-
memory/3480-141-0x0000000000000000-mapping.dmp
-
memory/3536-134-0x0000000000000000-mapping.dmp
-
memory/3580-137-0x0000000000000000-mapping.dmp
-
memory/3600-146-0x0000000000000000-mapping.dmp
-
memory/3792-157-0x0000000000000000-mapping.dmp
-
memory/3952-160-0x0000000000000000-mapping.dmp
-
memory/3968-158-0x0000000000000000-mapping.dmp
-
memory/4384-172-0x0000000000000000-mapping.dmp
-
memory/4416-159-0x0000000000000000-mapping.dmp
-
memory/4528-153-0x0000000000000000-mapping.dmp
-
memory/4552-165-0x0000000000000000-mapping.dmp
-
memory/4616-167-0x0000000000000000-mapping.dmp
-
memory/4660-147-0x0000000000000000-mapping.dmp
-
memory/4748-150-0x0000000000000000-mapping.dmp
-
memory/4772-154-0x0000000000000000-mapping.dmp
-
memory/4948-174-0x0000000000000000-mapping.dmp
-
memory/5088-130-0x0000000000000000-mapping.dmp