bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe

General

Target

bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
Size

103KB
MD5

b1481280f045a2320f182050a997cf70
SHA1

bdd776eadbbe9437bac26e1b8495e59e8f0b15df
SHA256

bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe
SHA512

0c627fa02b468ebbffe4a31e6ae5da50a806ab460fe6c32fb75785f0cf165e4b4a519c8b50c614e7ca56d9fcb1ef671465bf43b6d8329a42cc6ccc862c1abf4a
SSDEEP

1536:U3TJJbyJBDFfBcMCmVE8d425I9lZF2UYIVGXTL29H6TKirhT+KUBPwVAGkqT33:UjJgVB8PZ9lZFpDVGX216H9+y33

Score

9^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00090000000122d0-55.dat	acprotect
behavioral1/files/0x00090000000122d0-61.dat	acprotect
behavioral1/files/0x00090000000122d0-60.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1604	svchost.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1144-54-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/files/0x00090000000122d0-55.dat	upx
behavioral1/files/0x0007000000005c50-56.dat	upx
behavioral1/files/0x0007000000005c50-57.dat	upx
behavioral1/files/0x0007000000005c50-59.dat	upx
behavioral1/memory/1144-62-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-63.dat	upx
behavioral1/files/0x00090000000122d0-61.dat	upx
behavioral1/files/0x00090000000122d0-60.dat	upx
behavioral1/memory/1604-65-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/1604-67-0x0000000000400000-0x000000000043F000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1144	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
1144	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
1144	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
1604	svchost.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\F:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\M:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\O:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\T:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\E:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\K:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\L:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\S:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\Q:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\R:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\V:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\G:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\H:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\I:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\N:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\J:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened (read-only)	\??\P:	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GQCZ.dll	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
File opened for modification	C:\Windows\SysWOW64\GQCZ.dll	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\svchost.exe	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe

Modifies registry class 26 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\ = "Maihook1007"	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GQCZ.ShellExecuteHook1007\Clsid	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GQCZ.ShellExecuteHook1007\Clsid\ = "{36429484-6478-41B2-A32B-FD0B4BBF04B2}"	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\ProgID\ = "GQCZ.ShellExecuteHook1007"	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile1007PV\DFile = "054036165053037177091167048045102123188065203125040201124009007164006095225127013054087179207048252176240136245112091186213"	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GQCZ.ShellExecuteHook1007\Clsid\ = "{36429484-6478-41B2-A32B-FD0B4BBF04B2}"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\ProgID	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\ = "Maihook1007"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile1007PV	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\InprocServer32	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\InprocServer32\ = "C:\\Windows\\SysWow64\\GQCZ.dll"	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GQCZ.ShellExecuteHook1007	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile1007PV	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\InprocServer32	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\InprocServer32\ThreadingModel = "Apartment"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GQCZ.ShellExecuteHook1007	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GQCZ.ShellExecuteHook1007\Clsid	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile1007PV\EFile = "053036176052044071100189048044103114096065034127077110072209025050150210100087080088168082198102102014232069097251093001050"	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\InprocServer32\ThreadingModel = "Apartment"	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GQCZ.ShellExecuteHook1007\ = "Maihook1007"	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\ProgID	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\InprocServer32\ = "C:\\Windows\\SysWow64\\GQCZ.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GQCZ.ShellExecuteHook1007\ = "Maihook1007"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36429484-6478-41B2-A32B-FD0B4BBF04B2}\ProgID\ = "GQCZ.ShellExecuteHook1007"	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1144	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1604	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 1604	1144	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe	27
PID 1144 wrote to memory of 1604	1144	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe	27
PID 1144 wrote to memory of 1604	1144	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe	27
PID 1144 wrote to memory of 1604	1144	bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe	27

C:\Users\Admin\AppData\Local\Temp\bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe
"C:\Users\Admin\AppData\Local\Temp\bdb6672d339d6fc19af420865d8731a183c082f03b77b7b33811ffbf5d7b09fe.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Program Files\svchost.exe
  "C:\Program Files\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\svchost.exe

Filesize
103KB

MD5
2bce91627f4b21f73852729cf5cbab30

SHA1
f72d3ee22b1db834f1c5c166518d841a198d0ecd

SHA256
bd42db8466e89fe1adb9236a2644196d6aa41f48e46857f67e48f684fdf76d95

SHA512
b263d7561489f5df88717b0f13efa687e25d46025f8a387e5a97f98771ef4809e5f055ad34d08d723c4fc2cf159d6d95a708987ccf3ef8432cce0214a71bed8c

Download Submit
C:\Program Files\svchost.exe

Filesize
103KB

MD5
2bce91627f4b21f73852729cf5cbab30

SHA1
f72d3ee22b1db834f1c5c166518d841a198d0ecd

SHA256
bd42db8466e89fe1adb9236a2644196d6aa41f48e46857f67e48f684fdf76d95

SHA512
b263d7561489f5df88717b0f13efa687e25d46025f8a387e5a97f98771ef4809e5f055ad34d08d723c4fc2cf159d6d95a708987ccf3ef8432cce0214a71bed8c

Download Submit
C:\Windows\SysWOW64\GQCZ.dll

Filesize
150KB

MD5
018f4c326f6de04e824ccdad8bee8f51

SHA1
cf2d330ff2863af8dee4f17c184b71072a0f1302

SHA256
cdf7c071cd1e571c43c5cc29ceb596f2d9281c62d364e4820815a04bb2c736d9

SHA512
b91505789ff2a93cdb5f905a202e83505210d2dcea9a0358ba458a3bb22722e6274c1d9a2aae49d3d50711a7f24f8bdd1e67964ff238ec01125290a83e6e95db

Download Submit
\Program Files\svchost.exe

Filesize
103KB

MD5
2bce91627f4b21f73852729cf5cbab30

SHA1
f72d3ee22b1db834f1c5c166518d841a198d0ecd

SHA256
bd42db8466e89fe1adb9236a2644196d6aa41f48e46857f67e48f684fdf76d95

SHA512
b263d7561489f5df88717b0f13efa687e25d46025f8a387e5a97f98771ef4809e5f055ad34d08d723c4fc2cf159d6d95a708987ccf3ef8432cce0214a71bed8c

Download Submit
\Program Files\svchost.exe

Filesize
103KB

MD5
2bce91627f4b21f73852729cf5cbab30

SHA1
f72d3ee22b1db834f1c5c166518d841a198d0ecd

SHA256
bd42db8466e89fe1adb9236a2644196d6aa41f48e46857f67e48f684fdf76d95

SHA512
b263d7561489f5df88717b0f13efa687e25d46025f8a387e5a97f98771ef4809e5f055ad34d08d723c4fc2cf159d6d95a708987ccf3ef8432cce0214a71bed8c

Download Submit
\Windows\SysWOW64\GQCZ.dll

Filesize
150KB

MD5
018f4c326f6de04e824ccdad8bee8f51

SHA1
cf2d330ff2863af8dee4f17c184b71072a0f1302

SHA256
cdf7c071cd1e571c43c5cc29ceb596f2d9281c62d364e4820815a04bb2c736d9

SHA512
b91505789ff2a93cdb5f905a202e83505210d2dcea9a0358ba458a3bb22722e6274c1d9a2aae49d3d50711a7f24f8bdd1e67964ff238ec01125290a83e6e95db

Download Submit
\Windows\SysWOW64\GQCZ.dll

Filesize
150KB

MD5
018f4c326f6de04e824ccdad8bee8f51

SHA1
cf2d330ff2863af8dee4f17c184b71072a0f1302

SHA256
cdf7c071cd1e571c43c5cc29ceb596f2d9281c62d364e4820815a04bb2c736d9

SHA512
b91505789ff2a93cdb5f905a202e83505210d2dcea9a0358ba458a3bb22722e6274c1d9a2aae49d3d50711a7f24f8bdd1e67964ff238ec01125290a83e6e95db

Download Submit
memory/1144-62-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1144-54-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1604-64-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1604-65-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1604-66-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1604-67-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing