c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf

Analysis

max time kernel
151s
max time network
166s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe
Size

297KB
MD5

8b3b917ae185bd8d11e6d3701122b2f5
SHA1

4e9f92e82a2f93131f6196aca11031b111c62965
SHA256

c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf
SHA512

e7d253f78580396e9ce186bcf999da8956016010f23bd5fa03ff4f1a2dbe0c8dff136ef32d8e05680370ba1b1284a22ffd9a0c75c18022457fd7296716fd70c7
SSDEEP

6144:VcN8VUCEz65mSt1IdDQPGKT4m29fLC+uaMDtBDSDxexPwE:VcYUxz65mSQdsPGKT/sCvaMDtBuNedwE

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1724	paguq.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000012315-55.dat	upx
behavioral1/files/0x000c000000012315-56.dat	upx
behavioral1/files/0x000c000000012315-58.dat	upx
behavioral1/files/0x000c000000012315-60.dat	upx

Deletes itself 1 IoCs

pid	Process
564	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe
964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	paguq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7BD94DA8-4FEF-AD4D-5225-887A4931AB67} = "C:\\Users\\Admin\\AppData\\Roaming\\Qyvera\\paguq.exe"	paguq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 964 set thread context of 564	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe
1724	paguq.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe
Token: SeSecurityPrivilege	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe
Token: SeSecurityPrivilege	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 1724	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe	28
PID 964 wrote to memory of 1724	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe	28
PID 964 wrote to memory of 1724	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe	28
PID 964 wrote to memory of 1724	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe	28
PID 1724 wrote to memory of 1128	1724	paguq.exe	18
PID 1724 wrote to memory of 1128	1724	paguq.exe	18
PID 1724 wrote to memory of 1128	1724	paguq.exe	18
PID 1724 wrote to memory of 1128	1724	paguq.exe	18
PID 1724 wrote to memory of 1128	1724	paguq.exe	18
PID 1724 wrote to memory of 1192	1724	paguq.exe	17
PID 1724 wrote to memory of 1192	1724	paguq.exe	17
PID 1724 wrote to memory of 1192	1724	paguq.exe	17
PID 1724 wrote to memory of 1192	1724	paguq.exe	17
PID 1724 wrote to memory of 1192	1724	paguq.exe	17
PID 1724 wrote to memory of 1268	1724	paguq.exe	16
PID 1724 wrote to memory of 1268	1724	paguq.exe	16
PID 1724 wrote to memory of 1268	1724	paguq.exe	16
PID 1724 wrote to memory of 1268	1724	paguq.exe	16
PID 1724 wrote to memory of 1268	1724	paguq.exe	16
PID 1724 wrote to memory of 964	1724	paguq.exe	19
PID 1724 wrote to memory of 964	1724	paguq.exe	19
PID 1724 wrote to memory of 964	1724	paguq.exe	19
PID 1724 wrote to memory of 964	1724	paguq.exe	19
PID 1724 wrote to memory of 964	1724	paguq.exe	19
PID 964 wrote to memory of 564	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe	29
PID 964 wrote to memory of 564	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe	29
PID 964 wrote to memory of 564	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe	29
PID 964 wrote to memory of 564	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe	29
PID 964 wrote to memory of 564	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe	29
PID 964 wrote to memory of 564	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe	29
PID 964 wrote to memory of 564	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe	29
PID 964 wrote to memory of 564	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe	29
PID 964 wrote to memory of 564	964	c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe
  "C:\Users\Admin\AppData\Local\Temp\c1e97786db3e715c619c693c999e64f3999d34d9739bb738bdc20d2cf276f0cf.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Users\Admin\AppData\Roaming\Qyvera\paguq.exe
    "C:\Users\Admin\AppData\Roaming\Qyvera\paguq.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6757f24d.bat"
    3⤵
    - Deletes itself
    PID:564

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6757f24d.bat

Filesize
307B

MD5
52e697a16f1161e32a89accceef20e80

SHA1
7a677ede990a5d0950591bddf64063745dd26f81

SHA256
682ae9c37eaf063db58243b8999047c420a3c14e0b6db489a598ff3047e45cdb

SHA512
3905639b64b0e5872cb04f758c0e6d66c7de609f60e1a9a5c31824162948c1444e6d5d5d52a0f9862212feb97a58942a4b153f8120650fe4334d4fe13aa19e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Keor\ypaku.qex

Filesize
398B

MD5
fda5d7e81a1367f7513b507651aba641

SHA1
ebbcd635f4780b2fedebdcc538beddcc5475d941

SHA256
f47b459705cd0f9eed372984d44ccdb685dc030ea4b4bbff61f580abb27de476

SHA512
1c07c5f8a0aade28c3a630517f2c46cfa13086d54eb36d8e2cc71c088fe9a2c0cb514ff4e546ea34c268785073570fab7bc57cb276fd5b65fa6aa606680e11b1

Download Submit
C:\Users\Admin\AppData\Roaming\Qyvera\paguq.exe

Filesize
297KB

MD5
aaac81d906f7b5cd506c2643c2743551

SHA1
b557068227e5023b46b3b17a22ef5d8d4699fd0e

SHA256
90474b87bf9ca19171dc7ad866dd63cae13d4dcca7c6e3208020ed2ce39e11f3

SHA512
8efca2eb45a4eb5bf9be385ad12b00eacd5ac470e5df2cdd89b4b0263012e25e88d905e475ee70720cb5bf918c2ba91be51363d9747350bd97c812b3db54a9b2

Download Submit
C:\Users\Admin\AppData\Roaming\Qyvera\paguq.exe

Filesize
297KB

MD5
aaac81d906f7b5cd506c2643c2743551

SHA1
b557068227e5023b46b3b17a22ef5d8d4699fd0e

SHA256
90474b87bf9ca19171dc7ad866dd63cae13d4dcca7c6e3208020ed2ce39e11f3

SHA512
8efca2eb45a4eb5bf9be385ad12b00eacd5ac470e5df2cdd89b4b0263012e25e88d905e475ee70720cb5bf918c2ba91be51363d9747350bd97c812b3db54a9b2

Download Submit
\Users\Admin\AppData\Roaming\Qyvera\paguq.exe

Filesize
297KB

MD5
aaac81d906f7b5cd506c2643c2743551

SHA1
b557068227e5023b46b3b17a22ef5d8d4699fd0e

SHA256
90474b87bf9ca19171dc7ad866dd63cae13d4dcca7c6e3208020ed2ce39e11f3

SHA512
8efca2eb45a4eb5bf9be385ad12b00eacd5ac470e5df2cdd89b4b0263012e25e88d905e475ee70720cb5bf918c2ba91be51363d9747350bd97c812b3db54a9b2

Download Submit
\Users\Admin\AppData\Roaming\Qyvera\paguq.exe

Filesize
297KB

MD5
aaac81d906f7b5cd506c2643c2743551

SHA1
b557068227e5023b46b3b17a22ef5d8d4699fd0e

SHA256
90474b87bf9ca19171dc7ad866dd63cae13d4dcca7c6e3208020ed2ce39e11f3

SHA512
8efca2eb45a4eb5bf9be385ad12b00eacd5ac470e5df2cdd89b4b0263012e25e88d905e475ee70720cb5bf918c2ba91be51363d9747350bd97c812b3db54a9b2

Download Submit
memory/564-101-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/564-94-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/564-92-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/564-96-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/564-95-0x0000000000050000-0x000000000008D000-memory.dmp

Filesize
244KB

Download
memory/964-85-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/964-87-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/964-84-0x0000000000360000-0x000000000039D000-memory.dmp

Filesize
244KB

Download
memory/964-83-0x0000000000360000-0x000000000039D000-memory.dmp

Filesize
244KB

Download
memory/964-98-0x0000000000360000-0x000000000039D000-memory.dmp

Filesize
244KB

Download
memory/964-88-0x0000000002810000-0x0000000002C0F000-memory.dmp

Filesize
4.0MB

Download
memory/964-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/964-81-0x0000000000360000-0x000000000039D000-memory.dmp

Filesize
244KB

Download
memory/964-82-0x0000000000360000-0x000000000039D000-memory.dmp

Filesize
244KB

Download
memory/1128-63-0x0000000001CB0000-0x0000000001CED000-memory.dmp

Filesize
244KB

Download
memory/1128-66-0x0000000001CB0000-0x0000000001CED000-memory.dmp

Filesize
244KB

Download
memory/1128-65-0x0000000001CB0000-0x0000000001CED000-memory.dmp

Filesize
244KB

Download
memory/1128-64-0x0000000001CB0000-0x0000000001CED000-memory.dmp

Filesize
244KB

Download
memory/1128-61-0x0000000001CB0000-0x0000000001CED000-memory.dmp

Filesize
244KB

Download
memory/1192-72-0x0000000001C00000-0x0000000001C3D000-memory.dmp

Filesize
244KB

Download
memory/1192-71-0x0000000001C00000-0x0000000001C3D000-memory.dmp

Filesize
244KB

Download
memory/1192-70-0x0000000001C00000-0x0000000001C3D000-memory.dmp

Filesize
244KB

Download
memory/1192-69-0x0000000001C00000-0x0000000001C3D000-memory.dmp

Filesize
244KB

Download
memory/1268-78-0x0000000002610000-0x000000000264D000-memory.dmp

Filesize
244KB

Download
memory/1268-77-0x0000000002610000-0x000000000264D000-memory.dmp

Filesize
244KB

Download
memory/1268-76-0x0000000002610000-0x000000000264D000-memory.dmp

Filesize
244KB

Download
memory/1268-75-0x0000000002610000-0x000000000264D000-memory.dmp

Filesize
244KB

Download
memory/1724-89-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/1724-102-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download