7b370fc41f2c24e210907c07b080ee7e692e1047d21973af376539eb20eb67e0

Analysis

max time kernel
7s
max time network
28s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b370fc41f2c24e210907c07b080ee7e692e1047d21973af376539eb20eb67e0.exe
Size

61KB
MD5

0cd3ad42e245df6e349e69135630cad6
SHA1

a2b3ada0e01dc60af5929429dcb73d4a4ac6a401
SHA256

7b370fc41f2c24e210907c07b080ee7e692e1047d21973af376539eb20eb67e0
SHA512

3b22e46e4843859ff5841a3ceaccef84ab9d1d1dc7d8add962b84e77f34104cdd33f717c607b46b467b0cec114b118532d6440ae66050e767b5ecbc60c8ad955
SSDEEP

1536:P1P001j6aYzkToNGFu4rzu8b2TJeUgs5wpyanjg:d809JYeoWu4v6TbUtjg

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\qvbioo.sys	7b370fc41f2c24e210907c07b080ee7e692e1047d21973af376539eb20eb67e0.exe

Sets DLL path for service in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tcqezb\Parameters\ServiceDll = "%SystemRoot%\\System32\\qvbioo.dll"	7b370fc41f2c24e210907c07b080ee7e692e1047d21973af376539eb20eb67e0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\tcqezb\Parameters\ServiceDll = "%SystemRoot%\\System32\\qvbioo.dll"	7b370fc41f2c24e210907c07b080ee7e692e1047d21973af376539eb20eb67e0.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\tcqezb\Parameters\ServiceDll = "%SystemRoot%\\System32\\qvbioo.dll"	7b370fc41f2c24e210907c07b080ee7e692e1047d21973af376539eb20eb67e0.exe

Loads dropped DLL 2 IoCs

pid	Process
4492	7b370fc41f2c24e210907c07b080ee7e692e1047d21973af376539eb20eb67e0.exe
5056	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\00052e2b.inf	7b370fc41f2c24e210907c07b080ee7e692e1047d21973af376539eb20eb67e0.exe
File created	C:\Windows\SysWOW64\qvbioo.dll	7b370fc41f2c24e210907c07b080ee7e692e1047d21973af376539eb20eb67e0.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5056	svchost.exe
5056	svchost.exe
5056	svchost.exe

C:\Users\Admin\AppData\Local\Temp\7b370fc41f2c24e210907c07b080ee7e692e1047d21973af376539eb20eb67e0.exe
"C:\Users\Admin\AppData\Local\Temp\7b370fc41f2c24e210907c07b080ee7e692e1047d21973af376539eb20eb67e0.exe"
1⤵
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Loads dropped DLL
- Drops file in System32 directory
PID:4492

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k tcqezb
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\qvbioo.dll

Filesize
32KB

MD5
92a0efb83495c93a1a0dcb04de55f4c2

SHA1
be03bb03d7b0d2ca750c50779a03e58c9df8fae0

SHA256
50a3c8bf3f55671917f60379b9f717da052401a452094fd5bac93d30c80448ba

SHA512
ac9d2b9ccaa9a8c558eae027d42f344aca7677b1364cf8617129b9784ffd7179c4ed1ee9f92f61c0d2d01189fae92ea264b8a9e197deb00b6a723828f7fbdc13

Download Submit
C:\Windows\SysWOW64\qvbioo.dll

Filesize
41KB

MD5
75d401183ffc973f336bee6e8c723956

SHA1
24937aaebf281dc83661af4c4694569764433c6a

SHA256
8f14cc63869bd1f27776d6f98856f2bd22e684de945b3f018832e5625099afbb

SHA512
a13a15f3c944405b5fc9b6d8f1ac36d18df5ae8c24c4b9839e13c795fbf4e5b4b06d5aa487c1273f3cfb645a64b160588b3e38a87f88249191265e925ce236ac

Download Submit
\??\c:\windows\SysWOW64\qvbioo.dll

Filesize
21KB

MD5
6691516d76bea6d00d841d9ffdf16387

SHA1
fb9769db660f435b9432dd244f2f28e3d579b0b0

SHA256
769f3ed64c1eb9f594bef18ca22069647a5f849963541fcb9a82599215aefde7

SHA512
99688cb0b832da62cf7a69a2a9a795a9d69a7a8e635bf5e1621f5f00b3a5a2556d566ef4b2924230d60f448599e060aee9313b705cf05934e73f07759fddb987

Download Submit