Analysis
max time kernel: 129s
max time network: 154s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07-11-2022 13:15
Static task: static1
Behavioral task: behavioral1
  Sample: 4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe
  Resource: win10v2004-20220812-en
General
Target: 4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe
Size: 179KB
MD5: 045246283d63b1757196f302232c8900
SHA1: b20c27fdfa6d82ca5e5b694bcf98ba15d69c1ead
SHA256: 4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe
SHA512: 37fe425afc065334b80636ae533d2e6073b1b31509e092312d4ef59ce184f89969c1279930391fd28fd6d9f1e0c7639834800aee6fb9da94ee457a14256b659f
SSDEEP: 3072:QWceId2Z+oWP9XEdIJ4/+p6kzATcngTdIY8BkP38mOo6EwBjj:QWcFdtosXEd+4XkOdIvqP38mOoz
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
1512  Qkqgqw.exe
1336  Qkqgqw.exe
Loads dropped DLL (2 IoCs)
pid   Process
1256  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe
1256  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                    Process
Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run            4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qkqgqw = "C:\\Users\\Admin\\AppData\\Roaming\\Qkqgqw.exe"  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe
Suspicious use of SetThreadContext (2 IoCs)
description                              pid   Process                                                                 procid_target
PID 1956 set thread context of 1256      1956  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe  28
PID 1512 set thread context of 1336      1512  Qkqgqw.exe                                                              30
Modifies Internet Explorer settings
description       ioc                                                                                                                                  Process
Set value (str)   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry   IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"   IEXPLORE.EXE
Set value (str)   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive   IEXPLORE.EXE
Set value (data)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage   IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar   IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E054B031-5F23-11ED-9AAE-C6457FCBF3CF} = "0"   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom   IEXPLORE.EXE
Set value (int)   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374649304"   IEXPLORE.EXE
Key created       \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup   IEXPLORE.EXE
Set value (str)   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"   IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid   Process
1256  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid   Process
Token: SeDebugPrivilege   1336  Qkqgqw.exe
Token: SeDebugPrivilege   1528  IEXPLORE.EXE
Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
268   IEXPLORE.EXE
Suspicious use of SetWindowsHookEx (6 IoCs)
pid   Process
268   IEXPLORE.EXE
268   IEXPLORE.EXE
1528  IEXPLORE.EXE
1528  IEXPLORE.EXE
1528  IEXPLORE.EXE
1528  IEXPLORE.EXE
Suspicious use of WriteProcessMemory (38 IoCs)
description                       pid   Process                                                                 procid_target
PID 1956 wrote to memory of 1256  1956  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe  28
PID 1956 wrote to memory of 1256  1956  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe  28
PID 1956 wrote to memory of 1256  1956  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe  28
PID 1956 wrote to memory of 1256  1956  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe  28
PID 1956 wrote to memory of 1256  1956  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe  28
PID 1956 wrote to memory of 1256  1956  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe  28
PID 1956 wrote to memory of 1256  1956  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe  28
PID 1956 wrote to memory of 1256  1956  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe  28
PID 1956 wrote to memory of 1256  1956  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe  28
PID 1956 wrote to memory of 1256  1956  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe  28
PID 1256 wrote to memory of 1512  1256  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe  29
PID 1256 wrote to memory of 1512  1256  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe  29
PID 1256 wrote to memory of 1512  1256  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe  29
PID 1256 wrote to memory of 1512  1256  4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe  29
PID 1512 wrote to memory of 1336  1512  Qkqgqw.exe                                                              30
PID 1512 wrote to memory of 1336  1512  Qkqgqw.exe                                                              30
PID 1512 wrote to memory of 1336  1512  Qkqgqw.exe                                                              30
PID 1512 wrote to memory of 1336  1512  Qkqgqw.exe                                                              30
PID 1512 wrote to memory of 1336  1512  Qkqgqw.exe                                                              30
PID 1512 wrote to memory of 1336  1512  Qkqgqw.exe                                                              30
PID 1512 wrote to memory of 1336  1512  Qkqgqw.exe                                                              30
PID 1512 wrote to memory of 1336  1512  Qkqgqw.exe                                                              30
PID 1512 wrote to memory of 1336  1512  Qkqgqw.exe                                                              30
PID 1512 wrote to memory of 1336  1512  Qkqgqw.exe                                                              30
PID 1336 wrote to memory of 1608  1336  Qkqgqw.exe                                                              31
PID 1336 wrote to memory of 1608  1336  Qkqgqw.exe                                                              31
PID 1336 wrote to memory of 1608  1336  Qkqgqw.exe                                                              31
PID 1336 wrote to memory of 1608  1336  Qkqgqw.exe                                                              31
PID 1608 wrote to memory of 268   1608  iexplore.exe                                                            32
PID 1608 wrote to memory of 268   1608  iexplore.exe                                                            32
PID 1608 wrote to memory of 268   1608  iexplore.exe                                                            32
PID 1608 wrote to memory of 268   1608  iexplore.exe                                                            32
PID 268 wrote to memory of 1528   268   IEXPLORE.EXE                                                            34
PID 268 wrote to memory of 1528   268   IEXPLORE.EXE                                                            34
PID 268 wrote to memory of 1528   268   IEXPLORE.EXE                                                            34
PID 268 wrote to memory of 1528   268   IEXPLORE.EXE                                                            34
PID 1336 wrote to memory of 1528  1336  Qkqgqw.exe                                                              34
PID 1336 wrote to memory of 1528  1336  Qkqgqw.exe                                                              34
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1956
  Level 2: C:\Users\Admin\AppData\Local\Temp\4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1256
    Level 3: C:\Users\Admin\AppData\Roaming\Qkqgqw.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Qkqgqw.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 1512
      Level 4: C:\Users\Admin\AppData\Roaming\Qkqgqw.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Qkqgqw.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1336
        Level 5: C:\Program Files (x86)\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          - Suspicious use of WriteProcessMemory
          PID: 1608
          Level 6: C:\Program Files\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 268
            Level 7: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:268 CREDAT:275457 /prefetch:2
              - Modifies Internet Explorer settings
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              PID: 1528
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 603B
MD5: 701a777704edcd36d7b8ce76034464a1
SHA1: d6e08a46edeeec314babd3e0f0356b957be47400
SHA256: 1984adf0871781ab4f65dfe389b62d3fb64401675a49a732eb2cb14ebfd67b10
SHA512: 7b0f924263401219b3b488357b7cbd554be6a29eec6c34a1bf0c1f78fc11c50077b028915eca1425a5480aaa34c32fcdf5700909e706e575caee1fb13d7fc2fb

Filesize: 179KB
MD5: 045246283d63b1757196f302232c8900
SHA1: b20c27fdfa6d82ca5e5b694bcf98ba15d69c1ead
SHA256: 4b760312acae848719fc96106c9c6437de4df71c7d797d4c7c7821818b50b0fe
SHA512: 37fe425afc065334b80636ae533d2e6073b1b31509e092312d4ef59ce184f89969c1279930391fd28fd6d9f1e0c7639834800aee6fb9da94ee457a14256b659f