b10baca20de629d9b4f7d46bb83305075d23e7582e1fe85e974d281b989fe126

Analysis

max time kernel
66s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/10/2022, 03:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ab13d831d2de24364b15ba1daf312d03.exe
Size

4.3MB
MD5

ab13d831d2de24364b15ba1daf312d03
SHA1

e515d13e97fc9b909a2ea09e8bd70a254c78dc68
SHA256

b10baca20de629d9b4f7d46bb83305075d23e7582e1fe85e974d281b989fe126
SHA512

d85903f07b8a38b6c391ecd7f3b6a3e5137f294f17cb34b30daf00a5b342bb128b3ffb54200998902d899d0de50dd0204b9d21b32fb7527c1c92c52f0daf4c67
SSDEEP

98304:yKwfGDmPMU7CA10L8J5Lsu5RHqzG9NyksdjEDYNplCI:yJAmPMUeAN5LT5RMGKksdj2CCI

Score

8^/10

discovery vmprotect

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\isoviewp64.sys	qzInstall.exe
File created	C:\Windows\System32\drivers\isoviewp64.sys	qzInstall.exe

Executes dropped EXE 2 IoCs

pid	Process
2628	setup.exe
4328	qzInstall.exe

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0008000000022e15-147.dat	vmprotect
behavioral2/memory/4328-165-0x0000000000D80000-0x0000000000DFB000-memory.dmp	vmprotect
behavioral2/files/0x0006000000022e37-164.dat	vmprotect
behavioral2/files/0x0006000000022e37-163.dat	vmprotect
behavioral2/memory/4328-174-0x0000000000D80000-0x0000000000DFB000-memory.dmp	vmprotect
behavioral2/files/0x0007000000022e18-146.dat	vmprotect
behavioral2/files/0x0007000000022e14-144.dat	vmprotect
behavioral2/files/0x000a000000022dff-141.dat	vmprotect
behavioral2/files/0x0009000000022dfe-140.dat	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ab13d831d2de24364b15ba1daf312d03.exe

Loads dropped DLL 2 IoCs

pid	Process
4328	qzInstall.exe
4328	qzInstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4328	qzInstall.exe

Drops file in Program Files directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\QuickZip\qzbase.dll	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Resource\BtnClose.png	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\IsoMgr.exe	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\isoviewp64.sys	setup.exe
File created	C:\Program Files (x86)\QuickZip\Resource\BtnBrowse.png	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Resource\Step2.bmp	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\config.ini	setup.exe
File created	C:\Program Files (x86)\QuickZip\Resource\Btn.png	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Resource\BtnInst.png	setup.exe
File created	C:\Program Files (x86)\QuickZip\Resource\BtnReturn.png	setup.exe
File created	C:\Program Files (x86)\QuickZip\Uninstall.exe	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\QuickZipUI.exe	setup.exe
File created	C:\Program Files (x86)\QuickZip\Resource\BtnClose.png	setup.exe
File created	C:\Program Files (x86)\QuickZip\Resource\BtnUninst.png	setup.exe
File created	C:\Program Files (x86)\QuickZip\compress.ico	setup.exe
File created	C:\Program Files (x86)\QuickZip\Resource\BtnRun.png	setup.exe
File created	C:\Program Files (x86)\QuickZip\Resource\Step4.bmp	setup.exe
File created	C:\Program Files (x86)\QuickZip\isoviewp.sys	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Resource\BtnReturn.png	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Resource\BtnUninst.png	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Setup.ini	setup.exe
File created	C:\Program Files (x86)\QuickZip\qzbase.dll	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Uninstall.ini	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Uninstall.exe	setup.exe
File created	C:\Program Files (x86)\QuickZip\product	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Resource\Btn.png	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Resource\BtnBrowse.png	setup.exe
File created	C:\Program Files (x86)\QuickZip\Resource\Step3.bmp	setup.exe
File created	C:\Program Files (x86)\QuickZip\Setup.exe	setup.exe
File created	C:\Program Files (x86)\QuickZip\Setup.ini	setup.exe
File created	C:\Program Files (x86)\QuickZip\isoviewp64.sys	setup.exe
File created	C:\Program Files (x86)\QuickZip\QuickZipUI.exe	setup.exe
File created	C:\Program Files (x86)\QuickZip\qzUpdate.exe	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Resource\BtnRun.png	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Resource\MsgBox.bmp	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Resource\Step4.bmp	setup.exe
File created	C:\Program Files (x86)\QuickZip\7z.dll	setup.exe
File created	C:\Program Files (x86)\QuickZip\Resource\Step1.bmp	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\7z.dll	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\compress.ico	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\product	setup.exe
File created	C:\Program Files (x86)\QuickZip\Resource\BtnInst.png	setup.exe
File created	C:\Program Files (x86)\QuickZip\Resource\Step2.bmp	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\config.ini	qzInstall.exe
File created	C:\Program Files (x86)\QuickZip\config.ini	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\isoviewp.sys	setup.exe
File created	C:\Program Files (x86)\QuickZip\Resource\BtnCustom.png	setup.exe
File created	C:\Program Files (x86)\QuickZip\qzInstall.exe	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Resource\Step1.bmp	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Resource\Step3.bmp	setup.exe
File created	C:\Program Files (x86)\QuickZip\Uninstall.ini	setup.exe
File created	C:\Program Files (x86)\QuickZip\IsoMgr.exe	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\qzInstall.exe	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\qzUpdate.exe	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Resource\BtnCustom.png	setup.exe
File opened for modification	C:\Program Files (x86)\QuickZip\Setup.exe	setup.exe
File created	C:\Program Files (x86)\QuickZip\Resource\MsgBox.bmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\7z_xr\DefaultIcon\ = "C:\\Program Files (x86)\\QuickZip\\compress.ico"	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7z_xr\shell\NAuto	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zip_xr\shell\NAuto\Icon = "C:\\Program Files (x86)\\QuickZip\\compress.ico"	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rar_xr\DefaultIcon\ = "C:\\Program Files (x86)\\QuickZip\\compress.ico"	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rar_xr\shell\menu\ = "Ê¹ÓÃ±ã½ÝÑ¹Ëõ´ò¿ª"	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7z_xr\shell	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tar_xr\ = "tarÎÄ¼þ"	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tar_xr\shell\menu\command	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\compress_xr\ = "Ìí¼Óµ½Ñ¹ËõÎÄ¼þ"	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rar_xr\shell\menu	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rar_xr\shell\menu\Icon = "C:\\Program Files (x86)\\QuickZip\\compress.ico"	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rar_xr\shell\menu\command	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tar_xr\shell\menu\Icon = "C:\\Program Files (x86)\\QuickZip\\compress.ico"	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tar_xr\shell\NAuto\ = "½âÑ¹µ½µ±Ç°Ä¿Â¼"	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iso_xr	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "zip_xr"	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zip_xr\shell\menu\command\ = "C:\\Program Files (x86)\\QuickZip\\QuickZipUI.exe \"%1\""	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rar_xr\DefaultIcon	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zip_xr\shell\NAuto\command\ = "C:\\Program Files (x86)\\QuickZip\\QuickZipUI.exe \"%1\" -auto"	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\7z_xr\shell\NAuto\Icon = "C:\\Program Files (x86)\\QuickZip\\compress.ico"	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tar_xr\shell\NAuto\Icon = "C:\\Program Files (x86)\\QuickZip\\compress.ico"	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tar_xr\shell\NAuto\command	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iso_xr\DefaultIcon\ = "C:\\Program Files (x86)\\QuickZip\\IsoMgr.exe"	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zip_xr\shell\menu	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rar_xr\shell	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "tar_xr"	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tar_xr\DefaultIcon	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iso_xr\ = "isoÎÄ¼þ"	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iso_xr\shell	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zip_xr\DefaultIcon	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rar_xr\shell\NAuto\command	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7z_xr\shell\menu\command	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rar_xr\ = "rarÎÄ¼þ"	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rar_xr\shell\menu\command\ = "C:\\Program Files (x86)\\QuickZip\\QuickZipUI.exe \"%1\""	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rar_xr\shell\NAuto\Icon = "C:\\Program Files (x86)\\QuickZip\\compress.ico"	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7z_xr	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zip_xr\shell	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zip_xr\shell\menu\ = "Ê¹ÓÃ±ã½ÝÑ¹Ëõ´ò¿ª"	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zip_xr\shell\menu\Icon = "C:\\Program Files (x86)\\QuickZip\\compress.ico"	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zip_xr\shell\NAuto	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\7z_xr\shell\NAuto\command\ = "C:\\Program Files (x86)\\QuickZip\\QuickZipUI.exe \"%1\" -auto"	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tar_xr\shell	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tar_xr\shell\menu\command\ = "C:\\Program Files (x86)\\QuickZip\\QuickZipUI.exe \"%1\""	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zip_xr\shell\menu\command	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\7z_xr\shell\menu\command\ = "C:\\Program Files (x86)\\QuickZip\\QuickZipUI.exe \"%1\""	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tar_xr	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso\ = "iso_xr"	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iso_xr\shell\menu	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\compress_xr	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zip_xr\DefaultIcon\ = "C:\\Program Files (x86)\\QuickZip\\compress.ico"	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rar_xr\shell\NAuto\command\ = "C:\\Program Files (x86)\\QuickZip\\QuickZipUI.exe \"%1\" -auto"	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7z_xr\shell\NAuto\command	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\zip_xr	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rar_xr	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\7z_xr\shell\menu\ = "Ê¹ÓÃ±ã½ÝÑ¹Ëõ´ò¿ª"	qzInstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\7z_xr\shell\menu\Icon = "C:\\Program Files (x86)\\QuickZip\\compress.ico"	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7z_xr\DefaultIcon	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.iso	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iso_xr\shell\menu\command	qzInstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\compress_xr\command	qzInstall.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D8C7019BD363CEA27D25594A5517BD6A5225E04B	qzInstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D8C7019BD363CEA27D25594A5517BD6A5225E04B\Blob = 030000000100000014000000d8c7019bd363cea27d25594a5517bd6a5225e04b2000000001000000d6030000308203d2308202baa003020102020100300d06092a864886f70d0101050500308180310b3009060355040613025553312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303038204341311f301d06035504081316566572695369676e205472757374204e6574776f726b3120301e060355040b1317286329203230303820566572695369676e2c20496e632e301e170d3038303732353033313432315a170d3238303732303033313432315a308180310b3009060355040613025553312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303038204341311f301d06035504081316566572695369676e205472757374204e6574776f726b3120301e060355040b1317286329203230303820566572695369676e2c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100d29becc60b5391e3db6292a31b911ac3f3dbd1895bf1dde238ef7f89d5d366f8c099b973878a9a2548e9eefb25b417328629943feec5fcb3cb4568d6ce8966fdba88576e82ec41f5beb8f9e5db2e5fda9fae0b829116c6f052d2bffcab79d5ca7979ed758fbed8d68689f3d84bfdcc3d964b024391a2e544cbd8ef8772d44a72034c4e36290b9ea46b036448c52e4f4b2dd0fc722eae20a4957af2b2b5bc865d139bb6bd98622c6cb51fc453db26afd6fb1caf3c03483e17f04e2f471b7ccba2c1e5bff9bfe9c6986ba2d5501c35c69342bfbd75e8b0a1a6e4df5d87b55814a51fcfc88ec2737f6ce128270b4f50822255473fea1871d69e30edd9f8c37d82a10203010001a3553053300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604148077abe4ae125c8c9ea2e1b390a509944e3b5105301106096086480186f8420101040403020204300d06092a864886f70d010105050003820101003c95b3597084897b3dcdbeac0aa1b682d2329fc1b0cf8c613f18b1b436b65d97bf746668bf070d5aa1c38910004c85fab1fb569bbfeb64a5b58f7fe5cc9cdebca2505d5fae1508d2109c193c9bfe4c65e36703f2da8f4a606b7dd5edb9162e202df27104c52e7f3dccf23cb64aa9ffe537fa06273ebfe210825eb8dfbcf9f02cae323600d8d0dadc0f7022775ea019bf7139f9ce915d344ebf5e4cde507ae8147a1717ab2d7bc5e76d23fc76741bcaae03f69d0960ed77e754217fd5699dbe295eafb9f8774023d0aca0ee219141c68047558277e6418e2aa61043dfaececfc5fc80f746ea90d8cbb249147769ab656b36bb20bc6a62473e1376f3bdf21d6140	qzInstall.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2628	setup.exe
2628	setup.exe
2628	setup.exe
2628	setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	setup.exe
Token: SeDebugPrivilege	2628	setup.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2628	setup.exe
2628	setup.exe
4328	qzInstall.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2628	2252	ab13d831d2de24364b15ba1daf312d03.exe	82
PID 2252 wrote to memory of 2628	2252	ab13d831d2de24364b15ba1daf312d03.exe	82
PID 2252 wrote to memory of 2628	2252	ab13d831d2de24364b15ba1daf312d03.exe	82
PID 2628 wrote to memory of 4328	2628	setup.exe	84
PID 2628 wrote to memory of 4328	2628	setup.exe	84
PID 2628 wrote to memory of 4328	2628	setup.exe	84

C:\Users\Admin\AppData\Local\Temp\ab13d831d2de24364b15ba1daf312d03.exe
"C:\Users\Admin\AppData\Local\Temp\ab13d831d2de24364b15ba1daf312d03.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Program Files (x86)\QuickZip\qzInstall.exe
    "C:\Program Files (x86)\QuickZip\qzInstall.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Modifies registry class
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\QuickZip\7z.dll

Filesize
1.4MB

MD5
c8d619a0004240b2ab1577f5887e1f0b

SHA1
3208a61e991c1633bfb76799d045b6fcff6a79f9

SHA256
c115bebd73c4ee7f252855988468957776d6568cd1dff07e145f5e919fbc507b

SHA512
303a666f449a22d22c487e1b1c1c62f2cf025d38f02a31b6368548853986e7321d5c063bac0ff1e872b1ad2fa31fe814f80c706a70c5024e9f3f1518469dc4d5

Download Submit
C:\Program Files (x86)\QuickZip\7z.dll

Filesize
1.4MB

MD5
c8d619a0004240b2ab1577f5887e1f0b

SHA1
3208a61e991c1633bfb76799d045b6fcff6a79f9

SHA256
c115bebd73c4ee7f252855988468957776d6568cd1dff07e145f5e919fbc507b

SHA512
303a666f449a22d22c487e1b1c1c62f2cf025d38f02a31b6368548853986e7321d5c063bac0ff1e872b1ad2fa31fe814f80c706a70c5024e9f3f1518469dc4d5

Download Submit
C:\Program Files (x86)\QuickZip\config.ini

Filesize
38B

MD5
d1e0cc99b686c6d414d71051f708a445

SHA1
02e739297c52e36355923f18b0b1cfb69b68270f

SHA256
07e73d8a6feaaf855ad40ca913eefe2c2e8125f3b36e9096553502fe98c05fec

SHA512
72cb2889ffb9758e3eb5e0c63b845aac0720dd60c92985bfb353d1cbe4fc4f43cf1cb7847916a0af130c2e6008fc4ce587580b9177e3e35da4bf48610292fb5d

Download Submit
C:\Program Files (x86)\QuickZip\isoviewp64.sys

Filesize
381KB

MD5
e23d042282b60b817a3fc6777d6337ac

SHA1
bbe438e16708cddda2a5a74b13d21f17029bfd20

SHA256
88e142ea76041f76140def0d8633f90136faa6ec0edad4247ce707d6e9099df0

SHA512
5493abb027725d546526d70292171beb8a9de8dc952f78c0fa63170d662d3ca22396097f8522384d2e6342fc3800e372c803533b3178c67fe14d73e995d049a1

Download Submit
C:\Program Files (x86)\QuickZip\product

Filesize
140B

MD5
bd3e5c3d75dde52d9f5a158090e3e99e

SHA1
9ce32f07ad829373cc92a5997e4639d4b3075fb4

SHA256
dd179fabc3779fa6718c425db56ff6de88fc876c67d6c8304ecb55cd436ac32c

SHA512
8efd901d295d09774bccff645703c60f0fe07c569964bb8732565d90ebd2a30ec972305d4937918d41087a210683c5860efd5156cca67560cc145204aca655f5

Download Submit
C:\Program Files (x86)\QuickZip\qzInstall.exe

Filesize
229KB

MD5
1dcd4fd069f2bda813b198ef32227e36

SHA1
b694de2a38ba9a779be2f4ae93337fe1ae1b94f5

SHA256
01d93569ddefedf71d41bc49d323599790d4ebc349c43128b75c3099ff237211

SHA512
e11198ce9a1acb44716cb76935783dcd43059282f9c96ac02489cb74fb99ccadefd01ba8d4f815fb83d5b2cc1df8ab8d061fec9bf40df02aabe1265457dd0477

Download Submit
C:\Program Files (x86)\QuickZip\qzInstall.exe

Filesize
229KB

MD5
1dcd4fd069f2bda813b198ef32227e36

SHA1
b694de2a38ba9a779be2f4ae93337fe1ae1b94f5

SHA256
01d93569ddefedf71d41bc49d323599790d4ebc349c43128b75c3099ff237211

SHA512
e11198ce9a1acb44716cb76935783dcd43059282f9c96ac02489cb74fb99ccadefd01ba8d4f815fb83d5b2cc1df8ab8d061fec9bf40df02aabe1265457dd0477

Download Submit
C:\Program Files (x86)\QuickZip\qzbase.dll

Filesize
510KB

MD5
b51e33df5a462e07c8611dd9c86bb9a5

SHA1
04440965e86c3f7653373954a8002a5863e9ba6e

SHA256
55829b527f069b03ec65c21e6d643ea37c079a46edcdec6dfeb4d556d6f2c00e

SHA512
0506c0ade89f9de8fc63eda31ea3b29c21eec8683fb01397aed93825ceaf617e87eba95af0116aeb938b5ef31af8d22554a0ee8444086bc7a7cf81af833b7f2d

Download Submit
C:\Program Files (x86)\QuickZip\qzbase.dll

Filesize
510KB

MD5
b51e33df5a462e07c8611dd9c86bb9a5

SHA1
04440965e86c3f7653373954a8002a5863e9ba6e

SHA256
55829b527f069b03ec65c21e6d643ea37c079a46edcdec6dfeb4d556d6f2c00e

SHA512
0506c0ade89f9de8fc63eda31ea3b29c21eec8683fb01397aed93825ceaf617e87eba95af0116aeb938b5ef31af8d22554a0ee8444086bc7a7cf81af833b7f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\7z.dll

Filesize
1.4MB

MD5
c8d619a0004240b2ab1577f5887e1f0b

SHA1
3208a61e991c1633bfb76799d045b6fcff6a79f9

SHA256
c115bebd73c4ee7f252855988468957776d6568cd1dff07e145f5e919fbc507b

SHA512
303a666f449a22d22c487e1b1c1c62f2cf025d38f02a31b6368548853986e7321d5c063bac0ff1e872b1ad2fa31fe814f80c706a70c5024e9f3f1518469dc4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\IsoMgr.exe

Filesize
713KB

MD5
1262548a5a310ce03652252650dadea1

SHA1
b301235cc96d0a70f55f9aa1051eb10c23797bc8

SHA256
7cfbcf3648fbe0110b035f976d3318797cbff28d13090d21ad3efd142220cdfc

SHA512
ab72d18c78fad520c4dfc286671983048ce10645afbe2c94ea6a4ca7a9c0f9315e23abd226d509b9642a07dbb379642c71d11e2a0d9b5a3e1f24b6ea4a8efd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\QuickZipUI.exe

Filesize
881KB

MD5
ef8c2a8c25835a41d5cc1e881dbb699e

SHA1
880085d3daf6f8a0f5969110680c402d1a8817b4

SHA256
51871d0e04b3a9597885c54cd765e8931a84e74d61f6da183a0f044db08499b8

SHA512
c6d2a83829b0c763cdd46f2d28c662c1a73fe268274c03735b83accf9aa62ca8bb666f7a261b3ff4ad27a3a71f2adbf479feeb278d9a5bbed17debb94830273e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resource\Btn.png

Filesize
3KB

MD5
31107bf3fbd928c942a3b99b613a698b

SHA1
1a0ce21cff0628e581e91df25dec77598795ad70

SHA256
97ba5810a05207d92f8deda72c289b3dcf6c261ed83636eeacbfe59186ee0450

SHA512
ecd8770ec69b8da2198b24afbdd2e50f521a4608ca68e70879cd8021fec9d9df2db2429ea4f4d842ceb9eb8562ea998a64e52e8a4d02c91e0b6604944485bd79

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resource\BtnBrowse.png

Filesize
4KB

MD5
58f7b67fd35614c67d0293496de9b066

SHA1
87857eb792adfef4f576437575e33d1099748e97

SHA256
a4529cf237c7d9554520b0d66b70b0236fadc922ab95c3919d7a3872a5f3eb53

SHA512
6b5936df195f3366db2667773f9ff5f668efd9a8e12bd4153d007593f04a7a9e2d34fa3288c4afdd7971868cc1575f1902e852064c99bfcf9584a0f08517a39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resource\BtnClose.png

Filesize
2KB

MD5
bb9af21825c6c494e38bc16167ad7484

SHA1
65c85c5be8c4be1e684ccf2ada56904e3be96e3f

SHA256
89e36052db62cf3fb6ebc62f79ef4ce7c04bd0e38b076b5e3d7f95c0f77deac8

SHA512
f3cde037c3dac22c194e109cf458e1338ebe5ae5519b22f57c70e5f96eefd62af1a5825f2fd37952e4523288a4d7ca90fee75fea1309594c8342ca9501a77a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resource\BtnCustom.png

Filesize
4KB

MD5
cf689e748b0070e2e53e10f73bbebe43

SHA1
d15da73ed7216c33cb65fe06d441f6fed7eabd43

SHA256
c2fb1b090543aaa86b26adbc84c4f868cebb17ab605ad22bdcf2ffd6baa17018

SHA512
5fe24d0e4449546de4438949d1ff42812b83b621e67fed0289ac459e552e807e3f986b85fcc54099372cfd672cc4e9fba8f986e1a7bce21e6023250459544553

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resource\BtnInst.png

Filesize
9KB

MD5
17c4c4e29722a4cc6b5378ceeeabcc11

SHA1
f76722628c539b34a4c2db9ab8be5d5646d4f3bd

SHA256
d76e363dd92014f23bbd177ef5df67f2fea437f0242e96a5256429fd136b2fb5

SHA512
3ed3cd9a21f50488be9bb0e83cf11e91d1b89bd5bce0eb948c603a81b6335003ca9d188de4a4e40eb9ca164933a449910e12f59d4febb5352806803191d2c77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resource\BtnReturn.png

Filesize
3KB

MD5
da2fd4102e22a1b942c3283e4a18e25b

SHA1
e5857f6a5dbde5fe0f95f05e9faf4559554271c5

SHA256
988230f69fe2fa9797fd00df43c2e8ecd7302b3c4b08ff584cb89f5ef0b22f00

SHA512
2f30333031e0e563c7e1c641c69d2d32b06dc74d01a3c29d31079774335a7d1f2867e56ed248cb8a55dcf3131aa3d4ad92b24afe0832e35c3eab6a7b85162d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resource\BtnRun.png

Filesize
8KB

MD5
4aec256cdf876657c3a864bad289a62c

SHA1
061a0fafc129f4ae6681bd7ee8e6987f36e7097b

SHA256
49d81f2a2d1886a92dd808238fee110d09cfe0aaaa96a3e2046c3618619fca91

SHA512
de621ca700b87f928d3697d0ff94a05847ee9e8e464ccfb8d96274d9aed203850aa2e5a03c93ded71bc4df4d9459075b4ee7e9f64f471ac2e5eecb9a293cf833

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resource\BtnUninst.png

Filesize
7KB

MD5
95eca3ae7245075d2453f5cfc40c3e88

SHA1
021da25b47aa697efded2206da607a23da5a3eef

SHA256
a2537fee790d25a07dd30132c012299b7e2b141b4a75970b74d26888d8585b68

SHA512
779dc9168886b2d21c2f2f15ea4cf56ab4d14a913d318e6a20091a6f8e70669fa033645eea42b1cccc45373a174a6501f46f856f7782d17f3f4d36f7c923770d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resource\MsgBox.bmp

Filesize
290KB

MD5
0b1f6f88841008ff7a3b663014c94816

SHA1
a6ca178ba0746b2646873122ba7a5f6daa2f0984

SHA256
b9a590936472cc8abec7003772dc9d99c435c289ecba7535fa3305fbf059c425

SHA512
cf63e39b32f5a06b74dfa0b807a7c661cde3dc2eb525d229514ab8182f7e921c0b92715118b50fd2310dd046ed99e3b0563e274bbbf8072e925a6c56677aa145

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resource\Step1.bmp

Filesize
617KB

MD5
85d560e6d040c397b58aa13d79cc855b

SHA1
714e5def7839a3d68c0de75942dbf2048410dde9

SHA256
37144cde99eda95276657524722d3626e16f4d035a312c952a02e592b90c990f

SHA512
c6f7af0e811e61c35ea99c8f91f00419e7cb3c00faf488f06abbf6df82c2d2f4e8462b7b98876646dd6bf63db610f1233f68593f328771995d1ef5070a895ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resource\Step2.bmp

Filesize
617KB

MD5
490de99d28bea200e2b642e446b5f25a

SHA1
6ef1799fa1c9e2209df4ddf95a419dd932a6466e

SHA256
e7a346b2769e7a3fc220d3021b19d980c7e17e4098da3546c3e1824a1468aafa

SHA512
7fc7272bebeea8b89f20af225121433cbb43b403989ffb22aa975155b33d4fba6db83b6fd700df3d6d0514ecf0b494c848efe58325d68a251aa11a14bc92764d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resource\Step3.bmp

Filesize
617KB

MD5
90f3a47083b7fa16987e969dbc88560f

SHA1
2652378ec8a792061af184ced522049d616788ee

SHA256
12aa649dd2417344fb50bf6df0cd0af684bc0ad595f8e975808eadec23ae3aab

SHA512
1d68bebe3b78b3174733108e577b25e4929fe3c6b5601f64e40b1a8e4148a1294c68ad44464a4b11da3eb651c6ea7dbd90f470ef4177b2c4c1c82cefb53d956c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resource\Step4.bmp

Filesize
617KB

MD5
22f14fb12fb4ad4c54de9b3dba9ddfaa

SHA1
d44cc038e3d08c9f208076dc587454fd3429600f

SHA256
9d986ae5d3dbdb77641fc2bd53b99035b8a9c9263fb44bc39ba48881bb0e159a

SHA512
45e0e03b6fe81ad7f0bb14fa62f344e5841b4c30d56e7eb17878e7c74b4009501e13af122698d9b533f12765cd03d95e577aa77d5bd1fb7819b0dab5fc984d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Filesize
84KB

MD5
34bc90745526f66eeb71baf9ce9c7a7f

SHA1
b7ece80b6d70cadb18f0c90eb2642cd4e7a7c679

SHA256
bbf4902a3849afce5148b97611036614fc364b99600109947a28841cb416b4d3

SHA512
dc92317347976ac444f551bfb10972eb6542ea0e7d51fec651a190c682a4333ddcb990f713215e0413e871087f9089ff72f196128adee9d245189f75c823572b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Uninstall.exe

Filesize
64KB

MD5
04ce3ec275412647d08a843c51f86235

SHA1
ab782fb6dbde52605846698384bfd0de427cb7f3

SHA256
04b96fcdcccc62a42bb6b3454b0eb8e30e4da55288569620ee0faa7380c9ef9c

SHA512
50806a8f7b1840eef52d67c2cf70ccbc2bada74796d9fbfce00102034eee6486b5100405874940d2d3de63e61e504454d8a47720cc350576bdb3be3d3d359695

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Uninstall.ini

Filesize
952B

MD5
6399c0b1d3ab36ef3dbc6347450adf29

SHA1
d93837cc81a2782e46d2492af0f2303ab67c2826

SHA256
cf0c34e4b152ed118a91703b658f4975a2d2bfec6d25512e3a726003ff1fd897

SHA512
f6dd627b555a832cc16676492d26a56d318b3cbf28aa2c32936528ee3edc903c08651c50ef51a6179ed8ed084d64898e1b753840904f5ac9e5a72c1c03d2c727

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\compress.ico

Filesize
54KB

MD5
8585c06ce6eecf20d409eeb435bd16fa

SHA1
7d442f56f25d39e72dc64d7a7530da36bfad49d8

SHA256
4a61102d3462830c864db6a822c14821b7a0960c30242bf20ea111ff28bfe180

SHA512
c709b3f4afd691d36bbafcbece46ba685a02499199899eb01df3c15b834dd630086d9b9aeb70eb71642caf0c6a0d16f7302b8ce4ee369586d990d4ed851d2d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.ini

Filesize
38B

MD5
d1e0cc99b686c6d414d71051f708a445

SHA1
02e739297c52e36355923f18b0b1cfb69b68270f

SHA256
07e73d8a6feaaf855ad40ca913eefe2c2e8125f3b36e9096553502fe98c05fec

SHA512
72cb2889ffb9758e3eb5e0c63b845aac0720dd60c92985bfb353d1cbe4fc4f43cf1cb7847916a0af130c2e6008fc4ce587580b9177e3e35da4bf48610292fb5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\isoviewp.sys

Filesize
101KB

MD5
b7ba9e1bc577debbef3466fc864e1a4e

SHA1
a33f48f1e6d8ae32295d8b1e21fc901fd177b2f9

SHA256
19bd577b149d3e98f420de2f72e52f92c420e6f4c18e27de52fcd338fd0cd166

SHA512
9821473d5260457d5ab0f492b343297e4a0d2c50a31c998ec9465f2ed03cfb421f8701aa2943e104283c98f019eaa04fe025ef6facf23002099f4956da2be044

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\isoviewp64.sys

Filesize
381KB

MD5
e23d042282b60b817a3fc6777d6337ac

SHA1
bbe438e16708cddda2a5a74b13d21f17029bfd20

SHA256
88e142ea76041f76140def0d8633f90136faa6ec0edad4247ce707d6e9099df0

SHA512
5493abb027725d546526d70292171beb8a9de8dc952f78c0fa63170d662d3ca22396097f8522384d2e6342fc3800e372c803533b3178c67fe14d73e995d049a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\product

Filesize
140B

MD5
bd3e5c3d75dde52d9f5a158090e3e99e

SHA1
9ce32f07ad829373cc92a5997e4639d4b3075fb4

SHA256
dd179fabc3779fa6718c425db56ff6de88fc876c67d6c8304ecb55cd436ac32c

SHA512
8efd901d295d09774bccff645703c60f0fe07c569964bb8732565d90ebd2a30ec972305d4937918d41087a210683c5860efd5156cca67560cc145204aca655f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qzInstall.exe

Filesize
229KB

MD5
1dcd4fd069f2bda813b198ef32227e36

SHA1
b694de2a38ba9a779be2f4ae93337fe1ae1b94f5

SHA256
01d93569ddefedf71d41bc49d323599790d4ebc349c43128b75c3099ff237211

SHA512
e11198ce9a1acb44716cb76935783dcd43059282f9c96ac02489cb74fb99ccadefd01ba8d4f815fb83d5b2cc1df8ab8d061fec9bf40df02aabe1265457dd0477

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qzUpdate.exe

Filesize
477KB

MD5
84a61946577170f4759404bf11aea85f

SHA1
d0aad567c09d87345ec241edcb2d29b1d82dfe97

SHA256
2c7c6653483ff81eff4e89665b6757458bf104f55c294b84cfa806453da61270

SHA512
957457dfd3f47a4b10936905b4456b8bcd56dc21e3555130f1e70e1299f62ad646f4f896b1e2b7e1224c859c27522a45be7f46416e9c7ce8b4fe6fc000187ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qzbase.dll

Filesize
510KB

MD5
b51e33df5a462e07c8611dd9c86bb9a5

SHA1
04440965e86c3f7653373954a8002a5863e9ba6e

SHA256
55829b527f069b03ec65c21e6d643ea37c079a46edcdec6dfeb4d556d6f2c00e

SHA512
0506c0ade89f9de8fc63eda31ea3b29c21eec8683fb01397aed93825ceaf617e87eba95af0116aeb938b5ef31af8d22554a0ee8444086bc7a7cf81af833b7f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.INI

Filesize
6KB

MD5
b82640bf08d432aa76bb52e6d1c8f14d

SHA1
c2fa0890ce57ee4af219fb49a05dfb23a26ef3ae

SHA256
6887d94083031f67d23329d8370d9dfa5e70b3122c763200e2523fbee2eedc7f

SHA512
9b62d930a6dc863f3171a100dc3c1648e8dbe7b7ebcb959c5da074599ec20a230ac74e89e34d58d2faa06beaaeb16c46534773917fd3f559c129c5f7f9f0e4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Filesize
84KB

MD5
34bc90745526f66eeb71baf9ce9c7a7f

SHA1
b7ece80b6d70cadb18f0c90eb2642cd4e7a7c679

SHA256
bbf4902a3849afce5148b97611036614fc364b99600109947a28841cb416b4d3

SHA512
dc92317347976ac444f551bfb10972eb6542ea0e7d51fec651a190c682a4333ddcb990f713215e0413e871087f9089ff72f196128adee9d245189f75c823572b

Download Submit
memory/4328-174-0x0000000000D80000-0x0000000000DFB000-memory.dmp

Filesize
492KB

Download
memory/4328-165-0x0000000000D80000-0x0000000000DFB000-memory.dmp

Filesize
492KB

Download