eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

max time kernel
75s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09/05/2023, 19:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

trojan-leaks-main/QSO J1228+3128.bat
Size

129KB
MD5

b9b35fbe7121c90f368b13e97bf574a7
SHA1

46c6fb9f06fffa4de1aacb73d4a3436664f79a8a
SHA256

cae015c5705155cc6e2f49263aacef3bc8e4bfd9c2f29886a077471cd5dac447
SHA512

79dcab087efb28845eae2124b559fb5d8188b9d86ae2bf2ac26bcc9a3d4b41acd656e061465900b86cddd0efff35fd987e562ddac5f266fcc2c67ee76a37a9e9
SSDEEP

3072:esyMBvZXdYcpRXphFVhyelsqYTsjLXQ83N83qxho7Y:ewRXqcjDFLyPZT83N83Wik

Score

8^/10

bootkit persistence

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\classpnp.sys	QSO J1228+3128.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ndis.sys	QSO J1228+3128.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ntfs.sys	QSO J1228+3128.exe
File opened for modification	C:\Windows\SysWOW64\drivers\disk.sys	QSO J1228+3128.exe
File opened for modification	C:\Windows\SysWOW64\drivers\acpi.sys	QSO J1228+3128.exe
File opened for modification	C:\Windows\SysWOW64\drivers\cdrom.sys	QSO J1228+3128.exe

Sets file execution options in registry 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64a.exe	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64a.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\edge.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brave.exe	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Task Manager.exe	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64.exe	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\edge.exe	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PartAssit.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Task Manager.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PartAssit.exe	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brave.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner.exe	QSO J1228+3128.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "winlogon.exe"	QSO J1228+3128.exe

Executes dropped EXE 1 IoCs

pid	Process
1128	QSO J1228+3128.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	QSO J1228+3128.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hal.dll	QSO J1228+3128.exe
File opened for modification	C:\Windows\SysWOW64\ntoskrnl.exe	QSO J1228+3128.exe
File opened for modification	C:\Windows\SysWOW64\winload.exe	QSO J1228+3128.exe
File opened for modification	C:\Windows\SysWOW64\taskmgr.exe	QSO J1228+3128.exe
File opened for modification	C:\Windows\SysWOW64\logonui.exe	QSO J1228+3128.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1128	QSO J1228+3128.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe
1128	QSO J1228+3128.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1128	QSO J1228+3128.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1128	QSO J1228+3128.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1544	cscript.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1544	840	cmd.exe	28
PID 840 wrote to memory of 1544	840	cmd.exe	28
PID 840 wrote to memory of 1544	840	cmd.exe	28
PID 840 wrote to memory of 1128	840	cmd.exe	29
PID 840 wrote to memory of 1128	840	cmd.exe	29
PID 840 wrote to memory of 1128	840	cmd.exe	29
PID 840 wrote to memory of 1128	840	cmd.exe	29

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "4"	QSO J1228+3128.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\QSO J1228+3128.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\system32\cscript.exe
  cscript x.js
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1544
- C:\Users\Admin\AppData\Roaming\QSO J1228+3128.exe
  "C:\Users\Admin\AppData\Roaming\QSO J1228+3128.exe"
  2⤵
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TROJAN~1\z.zip

Filesize
85KB

MD5
1440570efffe6886be86d1b2986993d2

SHA1
8104d2543bf2f15748763228c2624c70e787a2e2

SHA256
72ffa65ac56b79466f8e3e1aaec7e19db1764fa40b90fb434a3c82d4277ad041

SHA512
66ce98a53ed60ab5713e111e48363bc9fa95f390304d3fdbb48867a4034b065250b7a45a94b78627b80ced645184fad29f4f4b2c02f6298010de190961f76e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\x

Filesize
4KB

MD5
b663af1dd37b13b63882eb671a79b30a

SHA1
e63eb96461fa0ea3ebd28f0a8863b8413a5a2819

SHA256
1cd9a41122483ca9b24c5ce8f2fcf93388d10c1e2fadf6200966f4d14c975f46

SHA512
7bc69423529a48db05c971e044eef75fa4f9d9afcd99b3bb236163d578099c47828b5f16872df2c9ea4569eb7b721ef213921adae91ea0734acebf727bfcb91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\x

Filesize
116KB

MD5
2e000614aec93ce7ae46dd2eccbd4909

SHA1
3729179982898079d2e618dfc5c761032660d2d8

SHA256
a7a5732ab9f859e4412b8efc73f32991d702632b37c7b389b6c1cb9c6d3ed0d9

SHA512
eb4a886306bd20e334a3dfaddebb18cf9b7cb1b1c40221e6d88a4fbe78b07476ef3f6ffcaace8aa4db986e9b2670f1428c106b400cf46a8e718db6de7ae39732

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\x.js

Filesize
448B

MD5
8eec8704d2a7bc80b95b7460c06f4854

SHA1
1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

SHA256
aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

SHA512
e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

Download Submit
C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\z.zip

Filesize
85KB

MD5
1440570efffe6886be86d1b2986993d2

SHA1
8104d2543bf2f15748763228c2624c70e787a2e2

SHA256
72ffa65ac56b79466f8e3e1aaec7e19db1764fa40b90fb434a3c82d4277ad041

SHA512
66ce98a53ed60ab5713e111e48363bc9fa95f390304d3fdbb48867a4034b065250b7a45a94b78627b80ced645184fad29f4f4b2c02f6298010de190961f76e9a

Download Submit
C:\Users\Admin\AppData\Roaming\QSO J1228+3128.exe

Filesize
206KB

MD5
d5f741b0bb991604d5331de863d49d8b

SHA1
1c73d032211696e954259b48c3e83029d7852846

SHA256
adac36e4faab7c953354b50391774c9b01379cb4445de52f074464c58d751d1d

SHA512
a84b1acec34996a5047ff082985510cecf1d381b216e3b02dca2113b16500d417c6f89833ad93a3b1ba96b23cbcc8af5cd5d065fe6235d5273c1c8412538fa30

Download Submit
C:\Users\Admin\AppData\Roaming\QSO J1228+3128.exe

Filesize
206KB

MD5
d5f741b0bb991604d5331de863d49d8b

SHA1
1c73d032211696e954259b48c3e83029d7852846

SHA256
adac36e4faab7c953354b50391774c9b01379cb4445de52f074464c58d751d1d

SHA512
a84b1acec34996a5047ff082985510cecf1d381b216e3b02dca2113b16500d417c6f89833ad93a3b1ba96b23cbcc8af5cd5d065fe6235d5273c1c8412538fa30

Download Submit
memory/1544-1611-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download