4853e9cda86876130f41d660e84c709087904185d4f0ca0c1415a00bb288b212

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 05:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4853e9cda86876130f41d660e84c709087904185d4f0ca0c1415a00bb288b212.exe
Size

220KB
MD5

29bcfd98f86cf162cfd8f8702ee34070
SHA1

07655bd4ef6b7089e1d50ef51e138f081c32cd89
SHA256

4853e9cda86876130f41d660e84c709087904185d4f0ca0c1415a00bb288b212
SHA512

695b56454c6ca7f57b1c314611839800e33d710592f8bc81fa762d1a910dc8121dbd29906b5ec66281d00df9b5333af00d8f892993ac3e4457415c548441daf5
SSDEEP

6144:/R2zP+yfsBqacKMBgx/qv+zghESskltX2Q:QzsBqfNSiv858F

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	8.exe
File created	C:\Windows\SysWOW64\drivers\acpiec.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	8.exe

Executes dropped EXE 2 IoCs

pid	Process
4492	QvodSetupPlus3.0.exe
4452	8.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e04-134.dat	upx
behavioral2/files/0x0006000000022e04-133.dat	upx
behavioral2/memory/4492-140-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4492-155-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	4853e9cda86876130f41d660e84c709087904185d4f0ca0c1415a00bb288b212.exe

Loads dropped DLL 2 IoCs

pid	Process
4288	rundll32.exe
4452	8.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	8.exe
File opened for modification	C:\autorun.inf	8.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\func.dll	8.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\phpq.dll	8.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3360	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
3160	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2252	taskkill.exe
4556	taskkill.exe
1580	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe
4288	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4556	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	4288	rundll32.exe
Token: SeDebugPrivilege	4288	rundll32.exe
Token: SeDebugPrivilege	4288	rundll32.exe
Token: SeDebugPrivilege	4288	rundll32.exe
Token: SeDebugPrivilege	4288	rundll32.exe
Token: SeDebugPrivilege	4288	rundll32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4492	QvodSetupPlus3.0.exe
4492	QvodSetupPlus3.0.exe
4492	QvodSetupPlus3.0.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4492	QvodSetupPlus3.0.exe
4492	QvodSetupPlus3.0.exe
4492	QvodSetupPlus3.0.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 4492	4788	4853e9cda86876130f41d660e84c709087904185d4f0ca0c1415a00bb288b212.exe	81
PID 4788 wrote to memory of 4492	4788	4853e9cda86876130f41d660e84c709087904185d4f0ca0c1415a00bb288b212.exe	81
PID 4788 wrote to memory of 4492	4788	4853e9cda86876130f41d660e84c709087904185d4f0ca0c1415a00bb288b212.exe	81
PID 4788 wrote to memory of 4452	4788	4853e9cda86876130f41d660e84c709087904185d4f0ca0c1415a00bb288b212.exe	82
PID 4788 wrote to memory of 4452	4788	4853e9cda86876130f41d660e84c709087904185d4f0ca0c1415a00bb288b212.exe	82
PID 4788 wrote to memory of 4452	4788	4853e9cda86876130f41d660e84c709087904185d4f0ca0c1415a00bb288b212.exe	82
PID 4452 wrote to memory of 3168	4452	8.exe	83
PID 4452 wrote to memory of 3168	4452	8.exe	83
PID 4452 wrote to memory of 3168	4452	8.exe	83
PID 4452 wrote to memory of 748	4452	8.exe	84
PID 4452 wrote to memory of 748	4452	8.exe	84
PID 4452 wrote to memory of 748	4452	8.exe	84
PID 4452 wrote to memory of 1940	4452	8.exe	85
PID 4452 wrote to memory of 1940	4452	8.exe	85
PID 4452 wrote to memory of 1940	4452	8.exe	85
PID 4452 wrote to memory of 2168	4452	8.exe	88
PID 4452 wrote to memory of 2168	4452	8.exe	88
PID 4452 wrote to memory of 2168	4452	8.exe	88
PID 4452 wrote to memory of 1092	4452	8.exe	89
PID 4452 wrote to memory of 1092	4452	8.exe	89
PID 4452 wrote to memory of 1092	4452	8.exe	89
PID 4452 wrote to memory of 4640	4452	8.exe	92
PID 4452 wrote to memory of 4640	4452	8.exe	92
PID 4452 wrote to memory of 4640	4452	8.exe	92
PID 3168 wrote to memory of 4700	3168	cmd.exe	95
PID 3168 wrote to memory of 4700	3168	cmd.exe	95
PID 3168 wrote to memory of 4700	3168	cmd.exe	95
PID 748 wrote to memory of 2952	748	cmd.exe	96
PID 748 wrote to memory of 2952	748	cmd.exe	96
PID 748 wrote to memory of 2952	748	cmd.exe	96
PID 2168 wrote to memory of 4556	2168	cmd.exe	98
PID 2168 wrote to memory of 4556	2168	cmd.exe	98
PID 2168 wrote to memory of 4556	2168	cmd.exe	98
PID 4640 wrote to memory of 2252	4640	cmd.exe	97
PID 4640 wrote to memory of 2252	4640	cmd.exe	97
PID 4640 wrote to memory of 2252	4640	cmd.exe	97
PID 1940 wrote to memory of 3360	1940	cmd.exe	99
PID 1940 wrote to memory of 3360	1940	cmd.exe	99
PID 1940 wrote to memory of 3360	1940	cmd.exe	99
PID 1092 wrote to memory of 1580	1092	cmd.exe	100
PID 1092 wrote to memory of 1580	1092	cmd.exe	100
PID 1092 wrote to memory of 1580	1092	cmd.exe	100
PID 4452 wrote to memory of 4288	4452	8.exe	102
PID 4452 wrote to memory of 4288	4452	8.exe	102
PID 4452 wrote to memory of 4288	4452	8.exe	102
PID 4452 wrote to memory of 3160	4452	8.exe	110
PID 4452 wrote to memory of 3160	4452	8.exe	110
PID 4452 wrote to memory of 3160	4452	8.exe	110

C:\Users\Admin\AppData\Local\Temp\4853e9cda86876130f41d660e84c709087904185d4f0ca0c1415a00bb288b212.exe
"C:\Users\Admin\AppData\Local\Temp\4853e9cda86876130f41d660e84c709087904185d4f0ca0c1415a00bb288b212.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.0.exe
  "C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4492
- C:\Users\Admin\AppData\Local\Temp\8.exe
  "C:\Users\Admin\AppData\Local\Temp\8.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls C:\Windows /e /p everyone:f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows /e /p everyone:f
      4⤵
      PID:4700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
      4⤵
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc config ekrn start= disabled
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\sc.exe
      sc config ekrn start= disabled
      4⤵
      Launches sc.exe
      PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im ekrn.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ekrn.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im egui.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im egui.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im ScanFrm.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ScanFrm.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2252
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe func.dll, droqp
    3⤵
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4288
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8.exe

Filesize
31KB

MD5
d9d04e675f87171eab9b055fef86b46d

SHA1
f336ca3ad752c01c9a06a0242c94eb2b9d770680

SHA256
8b25daa7cbe9d46225f9a5fcb82ae5482409088d9dcd83db3d2fa6da8345e7f5

SHA512
5c49e7078d6810aa3c9f157b66fb8342ad7c653cfc821cc4af5a6184bb92918d307a7a27e1e23fecbab265f849285b79ed2e2a34ff08b374c03b4450cb2aa286

Download Submit
C:\Users\Admin\AppData\Local\Temp\8.exe

Filesize
31KB

MD5
d9d04e675f87171eab9b055fef86b46d

SHA1
f336ca3ad752c01c9a06a0242c94eb2b9d770680

SHA256
8b25daa7cbe9d46225f9a5fcb82ae5482409088d9dcd83db3d2fa6da8345e7f5

SHA512
5c49e7078d6810aa3c9f157b66fb8342ad7c653cfc821cc4af5a6184bb92918d307a7a27e1e23fecbab265f849285b79ed2e2a34ff08b374c03b4450cb2aa286

Download Submit
C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.0.exe

Filesize
149KB

MD5
813a50e98c2713fe162850040e6d4288

SHA1
32cdfd3eed2c3ba0cfe91d2c03736e7c78e7db3f

SHA256
62ff24a1070fc40fa1f13043a61c87d50e80e1f2f734db0e03f38e4fd4db32ba

SHA512
bdbe30bbb0d22cc5979a1d2762169e9aea2fc35f91343f094bbf4a90c322ec3e86595ee4a289bf32e221beeb5a75cd9128e2f41d90d47e6f41975016473e842a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QvodSetupPlus3.0.exe

Filesize
149KB

MD5
813a50e98c2713fe162850040e6d4288

SHA1
32cdfd3eed2c3ba0cfe91d2c03736e7c78e7db3f

SHA256
62ff24a1070fc40fa1f13043a61c87d50e80e1f2f734db0e03f38e4fd4db32ba

SHA512
bdbe30bbb0d22cc5979a1d2762169e9aea2fc35f91343f094bbf4a90c322ec3e86595ee4a289bf32e221beeb5a75cd9128e2f41d90d47e6f41975016473e842a

Download Submit
C:\Windows\SysWOW64\func.dll

Filesize
37KB

MD5
534efcd3197edc9906072345a4b97ef7

SHA1
f6d544cfdb1cad87375e31bc199bc0aa68022617

SHA256
62fb66c7fa9edf7851ed484bbcd986c098d09896afa32ebbf5d478ab476b9695

SHA512
dd94eade742b66c881ac1ad52f0b501845947c689a73c7e0f8dc44aa8dc1d8964031619928a0aec2fa2568204cb5937cb370e463f12083387fb6123a0e94ad21

Download Submit
C:\Windows\SysWOW64\func.dll

Filesize
37KB

MD5
534efcd3197edc9906072345a4b97ef7

SHA1
f6d544cfdb1cad87375e31bc199bc0aa68022617

SHA256
62fb66c7fa9edf7851ed484bbcd986c098d09896afa32ebbf5d478ab476b9695

SHA512
dd94eade742b66c881ac1ad52f0b501845947c689a73c7e0f8dc44aa8dc1d8964031619928a0aec2fa2568204cb5937cb370e463f12083387fb6123a0e94ad21

Download Submit
C:\Windows\phpq.dll

Filesize
44KB

MD5
6a0d65a4fdce08f8807c6b56e50c1d9e

SHA1
c07a264796d93b13144230a67437b90e6778a7d5

SHA256
2923dbf9a5202c43024b230cee7b62d8bacb312892204dfb3dec6ecc4f738c11

SHA512
9fabf4048a17965f4478634237d67fe889d740feed03a21792330478c6d47d78ac9586fe4575795c8073272f0f8f21eb106e199ba5f8c8d6688b0eabfc10de91

Download Submit
memory/4452-141-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4492-140-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4492-155-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download