cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894

Analysis

max time kernel
202s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe
Size

238KB
MD5

3530eb38cda7eb092cd2d798711ad2a4
SHA1

b02f76e8ddc83b5b9c9bd4413923b6fe8e527ef2
SHA256

cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894
SHA512

eb59243e8fd215e32b90234712de6e1ec450ec82278214af0e1f7dc868622b4b96396e88f1d37e858941aef237fbc808ef50d6da2fe6e10685a1df5ee9f776d8
SSDEEP

6144:wSoWmplEgXjLsffIL1T9RCX3amyVVROMrkUefK0H:yWmplLX33RCJMrk20H

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2044	A_v_DVD.dll
220	qvod.exe_C2E9D99D7D1CB2645FE9DBB3DEB4F842BA8BE184.exe
2308	services.exe
3436	A_v_AuTo.dll
1712	services.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023181-150.dat	upx
behavioral2/files/0x0007000000023181-151.dat	upx
behavioral2/memory/3436-154-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Internet = "C:\\Program Files\\Common Files\\Microsoft Shared\\services.exe"	A_v_AuTo.dll

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_bind.au	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe
File created	C:\Program Files\Common Files\Au_ing_Code.ini	services.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_Dw.ocx	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.ocx	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe
File created	C:\Program Files\Common Files\Microsoft Shared\services.exe	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\services.exe	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_Tj.ocx	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_Dvd.ocx	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe
File created	C:\Program Files\Common Files\Microsoft Shared\A_v_TT.dll	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3436	A_v_AuTo.dll
3436	A_v_AuTo.dll
3436	A_v_AuTo.dll
3436	A_v_AuTo.dll
3436	A_v_AuTo.dll
3436	A_v_AuTo.dll

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	services.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
220	qvod.exe_C2E9D99D7D1CB2645FE9DBB3DEB4F842BA8BE184.exe
220	qvod.exe_C2E9D99D7D1CB2645FE9DBB3DEB4F842BA8BE184.exe
220	qvod.exe_C2E9D99D7D1CB2645FE9DBB3DEB4F842BA8BE184.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
220	qvod.exe_C2E9D99D7D1CB2645FE9DBB3DEB4F842BA8BE184.exe
220	qvod.exe_C2E9D99D7D1CB2645FE9DBB3DEB4F842BA8BE184.exe
220	qvod.exe_C2E9D99D7D1CB2645FE9DBB3DEB4F842BA8BE184.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 2044	5028	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe	82
PID 5028 wrote to memory of 2044	5028	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe	82
PID 5028 wrote to memory of 2044	5028	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe	82
PID 2044 wrote to memory of 220	2044	A_v_DVD.dll	83
PID 2044 wrote to memory of 220	2044	A_v_DVD.dll	83
PID 2044 wrote to memory of 220	2044	A_v_DVD.dll	83
PID 5028 wrote to memory of 2308	5028	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe	87
PID 5028 wrote to memory of 2308	5028	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe	87
PID 5028 wrote to memory of 2308	5028	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe	87
PID 5028 wrote to memory of 3436	5028	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe	88
PID 5028 wrote to memory of 3436	5028	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe	88
PID 5028 wrote to memory of 3436	5028	cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe	88
PID 3436 wrote to memory of 1712	3436	A_v_AuTo.dll	89
PID 3436 wrote to memory of 1712	3436	A_v_AuTo.dll	89
PID 3436 wrote to memory of 1712	3436	A_v_AuTo.dll	89

C:\Users\Admin\AppData\Local\Temp\cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe
"C:\Users\Admin\AppData\Local\Temp\cd1ffb100b38bdcb96b80b74e311f5254e51fb6083de8fab7266b50a3a864894.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll
  "C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\qvod.exe_C2E9D99D7D1CB2645FE9DBB3DEB4F842BA8BE184.exe
    "C:\Users\Admin\AppData\Local\Temp\qvod.exe_C2E9D99D7D1CB2645FE9DBB3DEB4F842BA8BE184.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:220
- C:\Program Files\Common Files\Microsoft Shared\services.exe
  "C:\Program Files\Common Files\Microsoft Shared\services.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2308
- C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll
  "C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Program Files\Common Files\Microsoft Shared\services.exe
    "C:\Program Files\Common Files\Microsoft Shared\services.exe"
    3⤵
    - Executes dropped EXE
    PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\A_v_AuTo.dll

Filesize
47.7MB

MD5
9adca760d954236a1862cd515809a689

SHA1
5f4c7c82ff5183ba3bd3c417ffa39bad2abb4b29

SHA256
81c7bb69ceeff4009490797b75b47256fe9e42685352c2ce983567646ccb43f0

SHA512
ca84f93c3601007f869b45bdf4df9b7395839ba2599521713160d0eb248bd70e007903945cbf128391122210c86da903886eeb12468cf20f8c4a3e4bbe26237f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\A_v_DVD.dll

Filesize
606KB

MD5
74271ce6fe9c45c99064d50bc2a16571

SHA1
5a9516893bdc856eeb09391f53ade7d71878a09b

SHA256
35b6e1493b77116b569a9fe7026d6f72f2a5bf44ee47db7dd23e5c5d3edcee79

SHA512
bc1ad99a58618e66454b0a04cc6578f73a88827f2071f8dd56d367af86eb6e6007e15e74cba1157885a0d0797c80f4bc299d8355db39e0736631c7116e860ceb

Download Submit
C:\Program Files\Common Files\Microsoft Shared\services.exe

Filesize
47.7MB

MD5
3476301c3257f2481a9ddab543882b1b

SHA1
eaf61082883a7b1a5c408756c726dc453a13fe36

SHA256
afce5c1ba7bebe3682f10c47b4047363ceac1c73bbef1978555150bf14788647

SHA512
cdaa945506516e247caf36b93aa7f965d80880fcaa08ae9bec3b03e4253c232a91aa96fe0e32cde7918e7166f90f540909f54a978b9113f1618eab8702145cd9

Download Submit
C:\Program Files\Common Files\microsoft shared\A_v_AuTo.dll

Filesize
47.7MB

MD5
9adca760d954236a1862cd515809a689

SHA1
5f4c7c82ff5183ba3bd3c417ffa39bad2abb4b29

SHA256
81c7bb69ceeff4009490797b75b47256fe9e42685352c2ce983567646ccb43f0

SHA512
ca84f93c3601007f869b45bdf4df9b7395839ba2599521713160d0eb248bd70e007903945cbf128391122210c86da903886eeb12468cf20f8c4a3e4bbe26237f

Download Submit
C:\Program Files\Common Files\microsoft shared\A_v_DVD.dll

Filesize
606KB

MD5
74271ce6fe9c45c99064d50bc2a16571

SHA1
5a9516893bdc856eeb09391f53ade7d71878a09b

SHA256
35b6e1493b77116b569a9fe7026d6f72f2a5bf44ee47db7dd23e5c5d3edcee79

SHA512
bc1ad99a58618e66454b0a04cc6578f73a88827f2071f8dd56d367af86eb6e6007e15e74cba1157885a0d0797c80f4bc299d8355db39e0736631c7116e860ceb

Download Submit
C:\Program Files\Common Files\microsoft shared\services.exe

Filesize
47.7MB

MD5
3476301c3257f2481a9ddab543882b1b

SHA1
eaf61082883a7b1a5c408756c726dc453a13fe36

SHA256
afce5c1ba7bebe3682f10c47b4047363ceac1c73bbef1978555150bf14788647

SHA512
cdaa945506516e247caf36b93aa7f965d80880fcaa08ae9bec3b03e4253c232a91aa96fe0e32cde7918e7166f90f540909f54a978b9113f1618eab8702145cd9

Download Submit
C:\Program Files\Common Files\microsoft shared\services.exe

Filesize
47.7MB

MD5
3476301c3257f2481a9ddab543882b1b

SHA1
eaf61082883a7b1a5c408756c726dc453a13fe36

SHA256
afce5c1ba7bebe3682f10c47b4047363ceac1c73bbef1978555150bf14788647

SHA512
cdaa945506516e247caf36b93aa7f965d80880fcaa08ae9bec3b03e4253c232a91aa96fe0e32cde7918e7166f90f540909f54a978b9113f1618eab8702145cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvod.exe_C2E9D99D7D1CB2645FE9DBB3DEB4F842BA8BE184.exe

Filesize
252KB

MD5
bdbc9ab4a7b8a53d126e128820b1fc6b

SHA1
32aa5f3e6398ab3f6b8268a28aa245cf7f1d696e

SHA256
8f18d52b0b69c8dc7ee811897e49421ea418fff0f1db693f8055f279a37ca9cc

SHA512
0fc8eb9479a5876c7401931bb3ee834d3288ca0adf852d35079160af04c7edd8096aab19f012b940185e94168d9a98b39439251b63c05f319b616ed481bdb5a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvod.exe_C2E9D99D7D1CB2645FE9DBB3DEB4F842BA8BE184.exe

Filesize
252KB

MD5
bdbc9ab4a7b8a53d126e128820b1fc6b

SHA1
32aa5f3e6398ab3f6b8268a28aa245cf7f1d696e

SHA256
8f18d52b0b69c8dc7ee811897e49421ea418fff0f1db693f8055f279a37ca9cc

SHA512
0fc8eb9479a5876c7401931bb3ee834d3288ca0adf852d35079160af04c7edd8096aab19f012b940185e94168d9a98b39439251b63c05f319b616ed481bdb5a6

Download Submit
memory/220-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2044-144-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2044-138-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3436-154-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3436-155-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5028-148-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5028-132-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5028-133-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download