3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca

General

Target

3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe
Size

538KB
MD5

1dbff3a9c709bcd8e87f16d19d068534
SHA1

1e21532245989e09066fe3c07914b7c2746834f7
SHA256

3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca
SHA512

7e3c5dde892a67277613bb76299d545bdd03828177098dacb6ebbfe74ea25815bf030d19bf56d44c17ac90b329f1c5fb767cd1810d1c033524e1de79cbc08223
SSDEEP

12288:sBy4GROO333gu/u2edcjd8FP+yItrc6lq:sg4nO3ngu2lHFP+yAlq

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe

pid process

1760 3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe

pid	process
1760	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\QugoXrir = "regsvr32.exe \"C:\\ProgramData\\QugoXrir\\QugoXrir.dat\""	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\QugoXrir = "regsvr32.exe \"C:\\ProgramData\\QugoXrir\\QugoXrir.dat\""	Explorer.EXE

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Modifies registry class 6 IoCs

Processes:

3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{5D48421E-6E11-4807-9926-7F721B8156B1}	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{5D48421E-6E11-4807-9926-7F721B8156B1}\#sd = 433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c54656d705c336165363037663636656637623632303530306665303064636365346538616565653833313464333136653939663335356362356432303961613431303963612e65786500	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{5D48421E-6E11-4807-9926-7F721B8156B1}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{02815A44-60A7-47AB-BA84-07021C643DD0}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{02815A44-60A7-47AB-BA84-07021C643DD0}\{3E43327B-4A11-47C2-9DC3-59392E5F787F} = 58f4f819	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\CLSID\{5D48421E-6E11-4807-9926-7F721B8156B1}\#cert = 31	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exewmiprvse.exe

pid process

1760 3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe
1372 wmiprvse.exe
1372 wmiprvse.exe

pid	process
1760	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe
1372	wmiprvse.exe
1372	wmiprvse.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exeExplorer.EXE

description	pid	process
Token: SeCreateGlobalPrivilege	1760	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe
Token: SeDebugPrivilege	1760	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe
Token: SeCreateGlobalPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeDebugPrivilege	1260	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe

pid process

1760 3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe

pid	process
1760	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe

description	pid	process	target process
PID 1760 wrote to memory of 360	1760	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe	spoolsv.exe
PID 1760 wrote to memory of 360	1760	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe	spoolsv.exe
PID 1760 wrote to memory of 1260	1760	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe	Explorer.EXE
PID 1760 wrote to memory of 1260	1760	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe	Explorer.EXE
PID 1760 wrote to memory of 1944	1760	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe	sppsvc.exe
PID 1760 wrote to memory of 1944	1760	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe	sppsvc.exe
PID 1760 wrote to memory of 1200	1760	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe	WMIADAP.EXE
PID 1760 wrote to memory of 1200	1760	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe	WMIADAP.EXE
PID 1760 wrote to memory of 1372	1760	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe	wmiprvse.exe
PID 1760 wrote to memory of 1372	1760	3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe	wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1372

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1200

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe
"C:\Users\Admin\AppData\Local\Temp\3ae607f66ef7b620500fe00dcce4e8aeee8314d316e99f355cb5d209aa4109ca.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:360

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\QugoXrir\QugoXrir.dat
Filesize
264KB

MD5
d9a38389ef1199cf9c4029cabb078d68

SHA1
2dcd969a875efaa6ccb43fae478c2fdfd12f89b9

SHA256
f7ff7330114c516ee22e874734652f420d9dc3c33d249435052ec84b771091e6

SHA512
6b5715bbc8e1f8027a303c8fdc3b5c00e42f9984a6ea2ecd056bece9ac323f24de77758d14f6ced2486315c251d8414a1036a005f52d6a43ae8c3766faf6f2b2

Download Submit
\ProgramData\QugoXrir\QugoXrir.dat
Filesize
264KB

MD5
d9a38389ef1199cf9c4029cabb078d68

SHA1
2dcd969a875efaa6ccb43fae478c2fdfd12f89b9

SHA256
f7ff7330114c516ee22e874734652f420d9dc3c33d249435052ec84b771091e6

SHA512
6b5715bbc8e1f8027a303c8fdc3b5c00e42f9984a6ea2ecd056bece9ac323f24de77758d14f6ced2486315c251d8414a1036a005f52d6a43ae8c3766faf6f2b2

Download Submit
memory/360-61-0x0000000001CD0000-0x0000000001D24000-memory.dmp

Filesize
336KB

Download
memory/1260-75-0x0000000002B00000-0x0000000002B54000-memory.dmp

Filesize
336KB

Download
memory/1260-76-0x0000000002C60000-0x0000000002CCB000-memory.dmp

Filesize
428KB

Download
memory/1760-54-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1760-55-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1760-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1760-59-0x0000000074AA0000-0x0000000074AD3000-memory.dmp

Filesize
204KB

Download
memory/1760-74-0x0000000074AA0000-0x0000000074B0C000-memory.dmp

Filesize
432KB

Download
memory/1760-78-0x0000000074AA0000-0x0000000074AD3000-memory.dmp

Filesize
204KB

Download
memory/1760-77-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads