6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924

Analysis

max time kernel
38s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
Size

320KB
MD5

05bad1511732aaae7db6487df746ef7b
SHA1

134c49e67137b48cb5ec6189890bc7eca34d017a
SHA256

6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924
SHA512

99f2efbc619517904e3aea01aed95e07c7007406a0d4f329d9a45c3dde7bee5574244801a32d2fb2ffb5ff6171481a24f8158b9aba8a9e6bbfafb1f623da7ea8
SSDEEP

6144:VwUx1ezrkB3lOcjuFJ8vDpUu3PhIbwpMVsTjo:ua7BVWeDqCIm+Go

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1236-111-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1236-113-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1236-115-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1236-116-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1236-122-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1576-121-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1236-120-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1576-124-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1576-125-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1576-130-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1576-131-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1576-135-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1236-134-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/648-159-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/648-161-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/648-162-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/648-168-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/648-172-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/648-173-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1236-174-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/1576-175-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 304 set thread context of 1236	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	27
PID 304 set thread context of 1576	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	28

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1236	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
1576	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 304 wrote to memory of 1236	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	27
PID 304 wrote to memory of 1236	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	27
PID 304 wrote to memory of 1236	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	27
PID 304 wrote to memory of 1236	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	27
PID 304 wrote to memory of 1236	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	27
PID 304 wrote to memory of 1236	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	27
PID 304 wrote to memory of 1236	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	27
PID 304 wrote to memory of 1236	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	27
PID 304 wrote to memory of 1236	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	27
PID 304 wrote to memory of 1576	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	28
PID 304 wrote to memory of 1576	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	28
PID 304 wrote to memory of 1576	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	28
PID 304 wrote to memory of 1576	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	28
PID 304 wrote to memory of 1576	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	28
PID 304 wrote to memory of 1576	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	28
PID 304 wrote to memory of 1576	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	28
PID 304 wrote to memory of 1576	304	6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe	28

C:\Users\Admin\AppData\Local\Temp\6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
"C:\Users\Admin\AppData\Local\Temp\6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:304
- C:\Users\Admin\AppData\Local\Temp\6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
  "C:\Users\Admin\AppData\Local\Temp\6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1236
- C:\Users\Admin\AppData\Local\Temp\6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe
  "C:\Users\Admin\AppData\Local\Temp\6994551b273d11690c15c855c6bfd61b75900c2496c1fba825b1444e66901924.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\QNBNV.bat" "
    3⤵
    PID:1968
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft Windows" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe" /f
      4⤵
      PID:1928
- - C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe
    "C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe"
    3⤵
    PID:824
  - - C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe
      "C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe"
      4⤵
      PID:648
  - - C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe
      "C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe"
      4⤵
      PID:1060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QNBNV.bat

Filesize
155B

MD5
b4ad053d480806ac40ad05f6b1b10599

SHA1
66f02da38b7a04a780cad0aa20ba99df52054411

SHA256
5f73fb4a4791aa86270a1ce25e74bb4c3797ddeb3489d1e3bc8bab82d9c48af9

SHA512
d92eafac9c2786eff26e439cddcd24d1291118ad6679ad71d032099ff34a816ce635d05aa0c9528434e1c60d632d481bb672fb34d28ccc2c7e0ddd13a5177451

Download Submit
C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
8489efee25e9dee995f8a8733355c1a6

SHA1
8980f49895f067687f7ca09153384b305e346737

SHA256
91af52bdabbdb415b5fbb6cfbb11012ec3dcc7ad5ada8ade53b1e153f4bf88e4

SHA512
e26a686e5854938dd8803784e15c42b9e98f76b7e8f71750d90a66d6827add51ca58056a507b3e68ab8719a06db13e618f0d647cfcb960782c44c500afff8cd1

Download Submit
C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
8489efee25e9dee995f8a8733355c1a6

SHA1
8980f49895f067687f7ca09153384b305e346737

SHA256
91af52bdabbdb415b5fbb6cfbb11012ec3dcc7ad5ada8ade53b1e153f4bf88e4

SHA512
e26a686e5854938dd8803784e15c42b9e98f76b7e8f71750d90a66d6827add51ca58056a507b3e68ab8719a06db13e618f0d647cfcb960782c44c500afff8cd1

Download Submit
C:\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
8489efee25e9dee995f8a8733355c1a6

SHA1
8980f49895f067687f7ca09153384b305e346737

SHA256
91af52bdabbdb415b5fbb6cfbb11012ec3dcc7ad5ada8ade53b1e153f4bf88e4

SHA512
e26a686e5854938dd8803784e15c42b9e98f76b7e8f71750d90a66d6827add51ca58056a507b3e68ab8719a06db13e618f0d647cfcb960782c44c500afff8cd1

Download Submit
\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
8489efee25e9dee995f8a8733355c1a6

SHA1
8980f49895f067687f7ca09153384b305e346737

SHA256
91af52bdabbdb415b5fbb6cfbb11012ec3dcc7ad5ada8ade53b1e153f4bf88e4

SHA512
e26a686e5854938dd8803784e15c42b9e98f76b7e8f71750d90a66d6827add51ca58056a507b3e68ab8719a06db13e618f0d647cfcb960782c44c500afff8cd1

Download Submit
\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
8489efee25e9dee995f8a8733355c1a6

SHA1
8980f49895f067687f7ca09153384b305e346737

SHA256
91af52bdabbdb415b5fbb6cfbb11012ec3dcc7ad5ada8ade53b1e153f4bf88e4

SHA512
e26a686e5854938dd8803784e15c42b9e98f76b7e8f71750d90a66d6827add51ca58056a507b3e68ab8719a06db13e618f0d647cfcb960782c44c500afff8cd1

Download Submit
\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
8489efee25e9dee995f8a8733355c1a6

SHA1
8980f49895f067687f7ca09153384b305e346737

SHA256
91af52bdabbdb415b5fbb6cfbb11012ec3dcc7ad5ada8ade53b1e153f4bf88e4

SHA512
e26a686e5854938dd8803784e15c42b9e98f76b7e8f71750d90a66d6827add51ca58056a507b3e68ab8719a06db13e618f0d647cfcb960782c44c500afff8cd1

Download Submit
\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
8489efee25e9dee995f8a8733355c1a6

SHA1
8980f49895f067687f7ca09153384b305e346737

SHA256
91af52bdabbdb415b5fbb6cfbb11012ec3dcc7ad5ada8ade53b1e153f4bf88e4

SHA512
e26a686e5854938dd8803784e15c42b9e98f76b7e8f71750d90a66d6827add51ca58056a507b3e68ab8719a06db13e618f0d647cfcb960782c44c500afff8cd1

Download Submit
\Users\Admin\AppData\Roaming\S24\WinS24System.exe

Filesize
320KB

MD5
8489efee25e9dee995f8a8733355c1a6

SHA1
8980f49895f067687f7ca09153384b305e346737

SHA256
91af52bdabbdb415b5fbb6cfbb11012ec3dcc7ad5ada8ade53b1e153f4bf88e4

SHA512
e26a686e5854938dd8803784e15c42b9e98f76b7e8f71750d90a66d6827add51ca58056a507b3e68ab8719a06db13e618f0d647cfcb960782c44c500afff8cd1

Download Submit
memory/648-161-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/648-159-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/648-162-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/648-173-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/648-172-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/648-168-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/824-149-0x00000000005EC000-0x00000000005F1000-memory.dmp

Filesize
20KB

Download
memory/824-153-0x00000000005F3000-0x0000000000616000-memory.dmp

Filesize
140KB

Download
memory/824-152-0x00000000005F3000-0x0000000000616000-memory.dmp

Filesize
140KB

Download
memory/824-154-0x00000000005F3000-0x0000000000616000-memory.dmp

Filesize
140KB

Download
memory/824-151-0x00000000005F3000-0x0000000000616000-memory.dmp

Filesize
140KB

Download
memory/1236-111-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1236-113-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1236-116-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1236-110-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1236-115-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1236-134-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1236-122-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1236-120-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1236-174-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1576-124-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-125-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-121-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-136-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1576-135-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-131-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-130-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-119-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1576-175-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download