21a1abe0337de679cab3d7d12a0466e6941b669b7a054e90631eb69e1eb62b5b

General

Target

21a1abe0337de679cab3d7d12a0466e6941b669b7a054e90631eb69e1eb62b5b.exe
Size

275KB
MD5

363fd87c810f25979371925701e5499d
SHA1

d897b7c28089e32eab856b19eaf6fb2d8cfdf052
SHA256

21a1abe0337de679cab3d7d12a0466e6941b669b7a054e90631eb69e1eb62b5b
SHA512

e2ca245da274d0782b77f47d2dfc4b22541fd6edf6b8342418ca6a8ad8fa77857b34a479f49c3b8074551243d61ebeaf39861eb0f906d2119e47b74b79511b0e
SSDEEP

6144:AopvCdxu/PoWFcqOyw3t1WAqSiMJx+VX7BrCkk9azhBZ2XgbDeFC:JKvEPNFcjnfV+VX79/EcpB

Score

9^/10

bootkit persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000022e7b-138.dat	acprotect
behavioral2/files/0x0006000000022e7b-139.dat	acprotect

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4880	QQPCDownload60116.exe
4296	QQPCDownload.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e7b-138.dat	upx
behavioral2/files/0x0006000000022e7b-139.dat	upx
behavioral2/memory/4296-140-0x0000000010000000-0x00000000101DA000-memory.dmp	upx
behavioral2/memory/4296-141-0x0000000010000000-0x00000000101DA000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	QQPCDownload60116.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	21a1abe0337de679cab3d7d12a0466e6941b669b7a054e90631eb69e1eb62b5b.exe

Loads dropped DLL 1 IoCs

pid	Process
4296	QQPCDownload.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	QQPCDownload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid	QQPCDownload.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd	QQPCDownload.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = 415d4521e201f9478015939a4d172c28	QQPCDownload.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4296	QQPCDownload.exe
4296	QQPCDownload.exe
4296	QQPCDownload.exe
4296	QQPCDownload.exe
4296	QQPCDownload.exe
4296	QQPCDownload.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4296	QQPCDownload.exe
4296	QQPCDownload.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4296	4880	QQPCDownload60116.exe	88
PID 4880 wrote to memory of 4296	4880	QQPCDownload60116.exe	88
PID 4880 wrote to memory of 4296	4880	QQPCDownload60116.exe	88

C:\Users\Admin\AppData\Local\Temp\21a1abe0337de679cab3d7d12a0466e6941b669b7a054e90631eb69e1eb62b5b.exe
"C:\Users\Admin\AppData\Local\Temp\21a1abe0337de679cab3d7d12a0466e6941b669b7a054e90631eb69e1eb62b5b.exe"
1⤵
- Checks computer location settings
PID:1984

C:\Users\Admin\AppData\Local\Temp\QQPCDownload60116.exe
C:\Users\Admin\AppData\Local\Temp\QQPCDownload60116.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QQPCDownload.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QQPCDownload.exe" ##cmd=1;supplyid=60116
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QQDownload.dll

Filesize
636KB

MD5
e2401fa2c7096c83a26153135c389b5c

SHA1
7f453599197034ec36716577d4525e4961444af8

SHA256
a9a5456d3878664a0f689d25401de1328a56972a697d38b0798a32de05f42c61

SHA512
a42d0f5e127e3c36e03518eac6da4f953bff912f4515591b8a857c6a525ebc7352769edb5bb389d156babf187bc84bd0981db7a9e50d10fb35b9aa8c10372b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QQPCDownload.exe

Filesize
449KB

MD5
77f662ee28f3965a4d8f3fc0cf55e5d9

SHA1
c78e1e0846bc5a5be770dd1159266c995b4b6fcb

SHA256
3e1a024853a85fab452e078d8014a3ec12c20fe8e836acfcde45ab5d636069c2

SHA512
4fda8167f82c47ba732718aafe5ad544c292e9776ff3a8520d641dc66acaeb5b6d2c9b43de37634080f1e01d52ba95df7896bddccf8abd8ea624cb3171d41c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QQPCDownload.exe

Filesize
449KB

MD5
77f662ee28f3965a4d8f3fc0cf55e5d9

SHA1
c78e1e0846bc5a5be770dd1159266c995b4b6fcb

SHA256
3e1a024853a85fab452e078d8014a3ec12c20fe8e836acfcde45ab5d636069c2

SHA512
4fda8167f82c47ba732718aafe5ad544c292e9776ff3a8520d641dc66acaeb5b6d2c9b43de37634080f1e01d52ba95df7896bddccf8abd8ea624cb3171d41c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\qqdownload.dll

Filesize
636KB

MD5
e2401fa2c7096c83a26153135c389b5c

SHA1
7f453599197034ec36716577d4525e4961444af8

SHA256
a9a5456d3878664a0f689d25401de1328a56972a697d38b0798a32de05f42c61

SHA512
a42d0f5e127e3c36e03518eac6da4f953bff912f4515591b8a857c6a525ebc7352769edb5bb389d156babf187bc84bd0981db7a9e50d10fb35b9aa8c10372b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQPCDownload60116.exe

Filesize
889KB

MD5
d7df8b258c882fe7ac2229ab26efa83d

SHA1
dc099e6be8e77900f34728d46f331ff6e14dae75

SHA256
9c7cc6693aad43de46ea3a5900e81ecc32b601cf3e2a2b428b6d1aef6f0d22c0

SHA512
cdedabe7d359ce30e9b268093cb6fa547fbd9cab8c5bfb96398bd92fd4008d7ed4a942053dcf3add8f30217ca53ae064f223de5bb9f616a15afea29bd8601638

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQPCDownload60116.exe

Filesize
889KB

MD5
d7df8b258c882fe7ac2229ab26efa83d

SHA1
dc099e6be8e77900f34728d46f331ff6e14dae75

SHA256
9c7cc6693aad43de46ea3a5900e81ecc32b601cf3e2a2b428b6d1aef6f0d22c0

SHA512
cdedabe7d359ce30e9b268093cb6fa547fbd9cab8c5bfb96398bd92fd4008d7ed4a942053dcf3add8f30217ca53ae064f223de5bb9f616a15afea29bd8601638

Download Submit
memory/1984-132-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1984-142-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1984-143-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/4296-140-0x0000000010000000-0x00000000101DA000-memory.dmp

Filesize
1.9MB

Download
memory/4296-141-0x0000000010000000-0x00000000101DA000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing