02070af1fb7addd7e49ec65159e87b2505ece1e70e173d4f9553e7f33228b0f4

Resubmissions

01-02-2023 15:15

230201-snbdlscb9v 8

01-02-2023 14:40

230201-r1wdwaab29 8

Analysis

max time kernel
597s
max time network
597s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-02-2023 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QTN SH-23-091406(LR1 CARRIER).exe
Size

286KB
MD5

3d2997c1e6e61f075938e9db2cff60bb
SHA1

0b3a1e43e74c878e0a1223f142db9fe56948c22a
SHA256

02070af1fb7addd7e49ec65159e87b2505ece1e70e173d4f9553e7f33228b0f4
SHA512

88e26fc6462c1cb9ca4a819766076f6f43786ffa006ef576d3c4c7d079cc96d94bf7f38e42a2e5833c2b843cba7b4387d3909da906e0ecacbfa45265d0751f75
SSDEEP

6144:/Ya6U2BGwSDlDTpk56wqDqnXdx8WVYIOTbGx8KwUk0/66/XFT9w:/Y6q2N1mBqDqdx7VYFbGSFyD9w

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2040	lymyzhuji.exe
900	lymyzhuji.exe
976	updatecfn.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation	lymyzhuji.exe

Loads dropped DLL 7 IoCs

pid	Process
852	QTN SH-23-091406(LR1 CARRIER).exe
2040	lymyzhuji.exe
1320	NAPSTAT.EXE
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	NAPSTAT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RP-HAVP0 = "C:\\Program Files (x86)\\Cqvx\\updatecfn.exe"	NAPSTAT.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 900	2040	lymyzhuji.exe	29
PID 900 set thread context of 1244	900	lymyzhuji.exe	10
PID 1320 set thread context of 1244	1320	NAPSTAT.EXE	10

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Cqvx\updatecfn.exe	NAPSTAT.EXE
File created	C:\Program Files (x86)\Cqvx\updatecfn.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2032	976	WerFault.exe	34

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NAPSTAT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
900	lymyzhuji.exe
900	lymyzhuji.exe
900	lymyzhuji.exe
900	lymyzhuji.exe
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1244	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2040	lymyzhuji.exe
900	lymyzhuji.exe
900	lymyzhuji.exe
900	lymyzhuji.exe
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE
1320	NAPSTAT.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	lymyzhuji.exe
Token: SeDebugPrivilege	1320	NAPSTAT.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE
Token: SeShutdownPrivilege	1244	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 2040	852	QTN SH-23-091406(LR1 CARRIER).exe	28
PID 852 wrote to memory of 2040	852	QTN SH-23-091406(LR1 CARRIER).exe	28
PID 852 wrote to memory of 2040	852	QTN SH-23-091406(LR1 CARRIER).exe	28
PID 852 wrote to memory of 2040	852	QTN SH-23-091406(LR1 CARRIER).exe	28
PID 2040 wrote to memory of 900	2040	lymyzhuji.exe	29
PID 2040 wrote to memory of 900	2040	lymyzhuji.exe	29
PID 2040 wrote to memory of 900	2040	lymyzhuji.exe	29
PID 2040 wrote to memory of 900	2040	lymyzhuji.exe	29
PID 2040 wrote to memory of 900	2040	lymyzhuji.exe	29
PID 1244 wrote to memory of 1320	1244	Explorer.EXE	30
PID 1244 wrote to memory of 1320	1244	Explorer.EXE	30
PID 1244 wrote to memory of 1320	1244	Explorer.EXE	30
PID 1244 wrote to memory of 1320	1244	Explorer.EXE	30
PID 1320 wrote to memory of 436	1320	NAPSTAT.EXE	33
PID 1320 wrote to memory of 436	1320	NAPSTAT.EXE	33
PID 1320 wrote to memory of 436	1320	NAPSTAT.EXE	33
PID 1320 wrote to memory of 436	1320	NAPSTAT.EXE	33
PID 1320 wrote to memory of 436	1320	NAPSTAT.EXE	33
PID 1244 wrote to memory of 976	1244	Explorer.EXE	34
PID 1244 wrote to memory of 976	1244	Explorer.EXE	34
PID 1244 wrote to memory of 976	1244	Explorer.EXE	34
PID 1244 wrote to memory of 976	1244	Explorer.EXE	34
PID 1244 wrote to memory of 976	1244	Explorer.EXE	34
PID 1244 wrote to memory of 976	1244	Explorer.EXE	34
PID 1244 wrote to memory of 976	1244	Explorer.EXE	34
PID 976 wrote to memory of 2032	976	updatecfn.exe	35
PID 976 wrote to memory of 2032	976	updatecfn.exe	35
PID 976 wrote to memory of 2032	976	updatecfn.exe	35
PID 976 wrote to memory of 2032	976	updatecfn.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\QTN SH-23-091406(LR1 CARRIER).exe
  "C:\Users\Admin\AppData\Local\Temp\QTN SH-23-091406(LR1 CARRIER).exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\lymyzhuji.exe
    "C:\Users\Admin\AppData\Local\Temp\lymyzhuji.exe" C:\Users\Admin\AppData\Local\Temp\qfnwda.w
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\lymyzhuji.exe
      "C:\Users\Admin\AppData\Local\Temp\lymyzhuji.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:900
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:436
- C:\Program Files (x86)\Cqvx\updatecfn.exe
  "C:\Program Files (x86)\Cqvx\updatecfn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 252
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Cqvx\updatecfn.exe

Filesize
79KB

MD5
e946f9aa40e124901d4bf58c6dbd3d30

SHA1
58efac981c3ff79410aedd801cd84a4677b76ecf

SHA256
59236e9c1601421dd9a07ff998145a3b2d01f3642b422b1f099e3a9d2c02b30a

SHA512
8c9c9edca258e2a98a730ed90a55856ccc8a4bc638e0554b6c9ae81183386cf3e7d5779054e242a89da88c1d7af99f60270c88ad4f991259d8e894292b8f83cf

Download Submit
C:\Program Files (x86)\Cqvx\updatecfn.exe

Filesize
79KB

MD5
e946f9aa40e124901d4bf58c6dbd3d30

SHA1
58efac981c3ff79410aedd801cd84a4677b76ecf

SHA256
59236e9c1601421dd9a07ff998145a3b2d01f3642b422b1f099e3a9d2c02b30a

SHA512
8c9c9edca258e2a98a730ed90a55856ccc8a4bc638e0554b6c9ae81183386cf3e7d5779054e242a89da88c1d7af99f60270c88ad4f991259d8e894292b8f83cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kclteso.g

Filesize
206KB

MD5
3e08f4aa8a21b0e29f1d9b6c4e7eff83

SHA1
10a64687c0dfb9eac84debd5e05133277016f1a9

SHA256
d562dadb357c59a91114d3075ecb5f57a2a631ade47526a8bb2f1ee4dcaae3ef

SHA512
5681b34010de69e3749bb3a63f6713f1429a131e39041330af4bd5968a243b1eaace06238e8b4bd3ff6b9e81141a0279dfad47c8f75b69701bc088798996c3a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lymyzhuji.exe

Filesize
79KB

MD5
e946f9aa40e124901d4bf58c6dbd3d30

SHA1
58efac981c3ff79410aedd801cd84a4677b76ecf

SHA256
59236e9c1601421dd9a07ff998145a3b2d01f3642b422b1f099e3a9d2c02b30a

SHA512
8c9c9edca258e2a98a730ed90a55856ccc8a4bc638e0554b6c9ae81183386cf3e7d5779054e242a89da88c1d7af99f60270c88ad4f991259d8e894292b8f83cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\lymyzhuji.exe

Filesize
79KB

MD5
e946f9aa40e124901d4bf58c6dbd3d30

SHA1
58efac981c3ff79410aedd801cd84a4677b76ecf

SHA256
59236e9c1601421dd9a07ff998145a3b2d01f3642b422b1f099e3a9d2c02b30a

SHA512
8c9c9edca258e2a98a730ed90a55856ccc8a4bc638e0554b6c9ae81183386cf3e7d5779054e242a89da88c1d7af99f60270c88ad4f991259d8e894292b8f83cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\lymyzhuji.exe

Filesize
79KB

MD5
e946f9aa40e124901d4bf58c6dbd3d30

SHA1
58efac981c3ff79410aedd801cd84a4677b76ecf

SHA256
59236e9c1601421dd9a07ff998145a3b2d01f3642b422b1f099e3a9d2c02b30a

SHA512
8c9c9edca258e2a98a730ed90a55856ccc8a4bc638e0554b6c9ae81183386cf3e7d5779054e242a89da88c1d7af99f60270c88ad4f991259d8e894292b8f83cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfnwda.w

Filesize
6KB

MD5
6cb9208d5fc7e047af601dad5d7d3e1e

SHA1
81a2456dee4fe3ce5089af59bb36ed0f66df11d9

SHA256
0ac5240140e8daadf1817991636c5884e963ccb6fc6f0ed0d875fd80e819901b

SHA512
9355b9e454e775a14c5074712bbced499b8fbf20d229e619db5a5f6258cd8d6b6ab02e15560b79b25560c79f9d2074789867027ffb36a480935afc0d326a3066

Download Submit
\Program Files (x86)\Cqvx\updatecfn.exe

Filesize
79KB

MD5
e946f9aa40e124901d4bf58c6dbd3d30

SHA1
58efac981c3ff79410aedd801cd84a4677b76ecf

SHA256
59236e9c1601421dd9a07ff998145a3b2d01f3642b422b1f099e3a9d2c02b30a

SHA512
8c9c9edca258e2a98a730ed90a55856ccc8a4bc638e0554b6c9ae81183386cf3e7d5779054e242a89da88c1d7af99f60270c88ad4f991259d8e894292b8f83cf

Download Submit
\Program Files (x86)\Cqvx\updatecfn.exe

Filesize
79KB

MD5
e946f9aa40e124901d4bf58c6dbd3d30

SHA1
58efac981c3ff79410aedd801cd84a4677b76ecf

SHA256
59236e9c1601421dd9a07ff998145a3b2d01f3642b422b1f099e3a9d2c02b30a

SHA512
8c9c9edca258e2a98a730ed90a55856ccc8a4bc638e0554b6c9ae81183386cf3e7d5779054e242a89da88c1d7af99f60270c88ad4f991259d8e894292b8f83cf

Download Submit
\Program Files (x86)\Cqvx\updatecfn.exe

Filesize
79KB

MD5
e946f9aa40e124901d4bf58c6dbd3d30

SHA1
58efac981c3ff79410aedd801cd84a4677b76ecf

SHA256
59236e9c1601421dd9a07ff998145a3b2d01f3642b422b1f099e3a9d2c02b30a

SHA512
8c9c9edca258e2a98a730ed90a55856ccc8a4bc638e0554b6c9ae81183386cf3e7d5779054e242a89da88c1d7af99f60270c88ad4f991259d8e894292b8f83cf

Download Submit
\Program Files (x86)\Cqvx\updatecfn.exe

Filesize
79KB

MD5
e946f9aa40e124901d4bf58c6dbd3d30

SHA1
58efac981c3ff79410aedd801cd84a4677b76ecf

SHA256
59236e9c1601421dd9a07ff998145a3b2d01f3642b422b1f099e3a9d2c02b30a

SHA512
8c9c9edca258e2a98a730ed90a55856ccc8a4bc638e0554b6c9ae81183386cf3e7d5779054e242a89da88c1d7af99f60270c88ad4f991259d8e894292b8f83cf

Download Submit
\Users\Admin\AppData\Local\Temp\lymyzhuji.exe

Filesize
79KB

MD5
e946f9aa40e124901d4bf58c6dbd3d30

SHA1
58efac981c3ff79410aedd801cd84a4677b76ecf

SHA256
59236e9c1601421dd9a07ff998145a3b2d01f3642b422b1f099e3a9d2c02b30a

SHA512
8c9c9edca258e2a98a730ed90a55856ccc8a4bc638e0554b6c9ae81183386cf3e7d5779054e242a89da88c1d7af99f60270c88ad4f991259d8e894292b8f83cf

Download Submit
\Users\Admin\AppData\Local\Temp\lymyzhuji.exe

Filesize
79KB

MD5
e946f9aa40e124901d4bf58c6dbd3d30

SHA1
58efac981c3ff79410aedd801cd84a4677b76ecf

SHA256
59236e9c1601421dd9a07ff998145a3b2d01f3642b422b1f099e3a9d2c02b30a

SHA512
8c9c9edca258e2a98a730ed90a55856ccc8a4bc638e0554b6c9ae81183386cf3e7d5779054e242a89da88c1d7af99f60270c88ad4f991259d8e894292b8f83cf

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
837KB

MD5
e1b58e0aa1b377a1d0e940660ad1ace1

SHA1
5afc7291b26855b1252b26381ebc85ed3cca218f

SHA256
1b98c006231d38524e2278a474c49274fe42e0bb1a31bcfda02e6e32f559b777

SHA512
9ce778bcb586638662b090910c4ceab3b64e16dfaf905a7581c1d349fecdf186995b3cc0dc8c6fc6e9761ea2831d7b14ac1619c2bd5ebc6d18015842e5d94aa2

Download Submit
memory/852-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/900-63-0x00000000004012E0-mapping.dmp

Download
memory/900-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/900-66-0x0000000000920000-0x0000000000C23000-memory.dmp

Filesize
3.0MB

Download
memory/900-67-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/976-79-0x0000000000000000-mapping.dmp

Download
memory/1244-77-0x0000000004D40000-0x0000000004E17000-memory.dmp

Filesize
860KB

Download
memory/1244-74-0x0000000004D40000-0x0000000004E17000-memory.dmp

Filesize
860KB

Download
memory/1244-68-0x0000000006E60000-0x0000000006F75000-memory.dmp

Filesize
1.1MB

Download
memory/1320-75-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1320-73-0x0000000000840000-0x00000000008CF000-memory.dmp

Filesize
572KB

Download
memory/1320-72-0x0000000000AA0000-0x0000000000DA3000-memory.dmp

Filesize
3.0MB

Download
memory/1320-70-0x0000000000F90000-0x0000000000FD6000-memory.dmp

Filesize
280KB

Download
memory/1320-71-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1320-69-0x0000000000000000-mapping.dmp

Download
memory/2032-82-0x0000000000000000-mapping.dmp

Download
memory/2040-56-0x0000000000000000-mapping.dmp

Download