Overview
overview
8Static
static
7trojan-lea...ic.exe
windows10-1703-x64
6trojan-lea...ic.exe
windows7-x64
6trojan-lea...ic.exe
windows10-2004-x64
trojan-lea...um.exe
windows10-1703-x64
1trojan-lea...um.exe
windows7-x64
1trojan-lea...um.exe
windows10-2004-x64
1trojan-lea...3).rar
windows10-1703-x64
3trojan-lea...3).rar
windows7-x64
3trojan-lea...3).rar
windows10-2004-x64
trojan-lea...um.exe
windows10-1703-x64
8trojan-lea...um.exe
windows7-x64
8trojan-lea...um.exe
windows10-2004-x64
8trojan-lea...28.bat
windows10-1703-x64
8trojan-lea...28.bat
windows7-x64
8trojan-lea...28.bat
windows10-2004-x64
8trojan-lea...28.exe
windows10-1703-x64
8trojan-lea...28.exe
windows7-x64
8trojan-lea...28.exe
windows10-2004-x64
8trojan-lea...va.rar
windows10-1703-x64
3trojan-lea...va.rar
windows7-x64
3trojan-lea...va.rar
windows10-2004-x64
3trojan-lea...ME.txt
windows10-1703-x64
1trojan-lea...ME.txt
windows7-x64
1trojan-lea...ME.txt
windows10-2004-x64
1trojan-lea...na.exe
windows10-1703-x64
5trojan-lea...na.exe
windows7-x64
5trojan-lea...na.exe
windows10-2004-x64
trojan-lea...me.txt
windows10-1703-x64
1trojan-lea...me.txt
windows7-x64
1trojan-lea...me.txt
windows10-2004-x64
1Resubmissions
09-05-2023 19:22
230509-x3fn4adg58 1009-05-2023 19:14
230509-xxsrgaff7x 1009-05-2023 19:14
230509-xxr5yadg42 709-05-2023 19:14
230509-xxrt6sff7w 809-05-2023 19:14
230509-xxrjeaff7v 809-05-2023 19:14
230509-xxqxwadg39 709-05-2023 19:14
230509-xxql4sff7t 1009-05-2023 19:14
230509-xxqbcadg38 709-05-2023 19:10
230509-xvl6xadf64 10Analysis
-
max time kernel
71s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2023 19:14
Behavioral task
behavioral1
Sample
trojan-leaks-main/Phsyletric.exe
Resource
win10-20230220-en
Behavioral task
behavioral2
Sample
trojan-leaks-main/Phsyletric.exe
Resource
win7-20230220-en
Behavioral task
behavioral3
Sample
trojan-leaks-main/Phsyletric.exe
Resource
win10v2004-20230221-en
Behavioral task
behavioral4
Sample
trojan-leaks-main/Potassium.exe
Resource
win10-20230220-en
Behavioral task
behavioral5
Sample
trojan-leaks-main/Potassium.exe
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
trojan-leaks-main/Potassium.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral7
Sample
trojan-leaks-main/Profolent (pass 123).rar
Resource
win10-20230220-en
Behavioral task
behavioral8
Sample
trojan-leaks-main/Profolent (pass 123).rar
Resource
win7-20230220-en
Behavioral task
behavioral9
Sample
trojan-leaks-main/Profolent (pass 123).rar
Resource
win10v2004-20230220-en
Behavioral task
behavioral10
Sample
trojan-leaks-main/Protactinium.exe
Resource
win10-20230220-en
Behavioral task
behavioral11
Sample
trojan-leaks-main/Protactinium.exe
Resource
win7-20230220-en
Behavioral task
behavioral12
Sample
trojan-leaks-main/Protactinium.exe
Resource
win10v2004-20230221-en
Behavioral task
behavioral13
Sample
trojan-leaks-main/QSO J1228+3128.bat
Resource
win10-20230220-en
Behavioral task
behavioral14
Sample
trojan-leaks-main/QSO J1228+3128.bat
Resource
win7-20230220-en
Behavioral task
behavioral15
Sample
trojan-leaks-main/QSO J1228+3128.bat
Resource
win10v2004-20230220-en
Behavioral task
behavioral16
Sample
trojan-leaks-main/QSO J1228+3128.exe
Resource
win10-20230220-en
Behavioral task
behavioral17
Sample
trojan-leaks-main/QSO J1228+3128.exe
Resource
win7-20230220-en
Behavioral task
behavioral18
Sample
trojan-leaks-main/QSO J1228+3128.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral19
Sample
trojan-leaks-main/Quarknova.rar
Resource
win10-20230220-en
Behavioral task
behavioral20
Sample
trojan-leaks-main/Quarknova.rar
Resource
win7-20230220-en
Behavioral task
behavioral21
Sample
trojan-leaks-main/Quarknova.rar
Resource
win10v2004-20230221-en
Behavioral task
behavioral22
Sample
trojan-leaks-main/Rebcoana README.txt
Resource
win10-20230220-en
Behavioral task
behavioral23
Sample
trojan-leaks-main/Rebcoana README.txt
Resource
win7-20230220-en
Behavioral task
behavioral24
Sample
trojan-leaks-main/Rebcoana README.txt
Resource
win10v2004-20230220-en
Behavioral task
behavioral25
Sample
trojan-leaks-main/Rebcoana.exe
Resource
win10-20230220-en
Behavioral task
behavioral26
Sample
trojan-leaks-main/Rebcoana.exe
Resource
win7-20230220-en
Behavioral task
behavioral27
Sample
trojan-leaks-main/Rebcoana.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral28
Sample
trojan-leaks-main/Ruthenium/PleaseReadme.txt
Resource
win10-20230220-en
Behavioral task
behavioral29
Sample
trojan-leaks-main/Ruthenium/PleaseReadme.txt
Resource
win7-20230220-en
Behavioral task
behavioral30
Sample
trojan-leaks-main/Ruthenium/PleaseReadme.txt
Resource
win10v2004-20230220-en
General
-
Target
trojan-leaks-main/QSO J1228+3128.bat
-
Size
129KB
-
MD5
b9b35fbe7121c90f368b13e97bf574a7
-
SHA1
46c6fb9f06fffa4de1aacb73d4a3436664f79a8a
-
SHA256
cae015c5705155cc6e2f49263aacef3bc8e4bfd9c2f29886a077471cd5dac447
-
SHA512
79dcab087efb28845eae2124b559fb5d8188b9d86ae2bf2ac26bcc9a3d4b41acd656e061465900b86cddd0efff35fd987e562ddac5f266fcc2c67ee76a37a9e9
-
SSDEEP
3072:esyMBvZXdYcpRXphFVhyelsqYTsjLXQ83N83qxho7Y:ewRXqcjDFLyPZT83N83Wik
Malware Config
Signatures
-
Drops file in Drivers directory 6 IoCs
Processes:
QSO J1228+3128.exedescription ioc process File opened for modification C:\Windows\SysWOW64\drivers\ntfs.sys QSO J1228+3128.exe File opened for modification C:\Windows\SysWOW64\drivers\disk.sys QSO J1228+3128.exe File opened for modification C:\Windows\SysWOW64\drivers\acpi.sys QSO J1228+3128.exe File opened for modification C:\Windows\SysWOW64\drivers\cdrom.sys QSO J1228+3128.exe File opened for modification C:\Windows\SysWOW64\drivers\classpnp.sys QSO J1228+3128.exe File opened for modification C:\Windows\SysWOW64\drivers\ndis.sys QSO J1228+3128.exe -
Sets file execution options in registry 2 TTPs 42 IoCs
Processes:
QSO J1228+3128.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64.exe QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\edge.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brave.exe QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner.exe QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PartAssit.exe QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Task Manager.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brave.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64a.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PartAssit.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Task Manager.exe QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msedge.exe QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp64a.exe QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\edge.exe QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe QSO J1228+3128.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe QSO J1228+3128.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner.exe\Debugger = "winlogon.exe" QSO J1228+3128.exe -
Executes dropped EXE 1 IoCs
Processes:
QSO J1228+3128.exepid process 3500 QSO J1228+3128.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
QSO J1228+3128.exedescription ioc process File opened for modification \??\PhysicalDrive0 QSO J1228+3128.exe -
Drops file in System32 directory 5 IoCs
Processes:
QSO J1228+3128.exedescription ioc process File opened for modification C:\Windows\SysWOW64\hal.dll QSO J1228+3128.exe File opened for modification C:\Windows\SysWOW64\ntoskrnl.exe QSO J1228+3128.exe File opened for modification C:\Windows\SysWOW64\winload.exe QSO J1228+3128.exe File opened for modification C:\Windows\SysWOW64\taskmgr.exe QSO J1228+3128.exe File opened for modification C:\Windows\SysWOW64\logonui.exe QSO J1228+3128.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
QSO J1228+3128.exepid process 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe 3500 QSO J1228+3128.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
QSO J1228+3128.exepid process 3500 QSO J1228+3128.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
QSO J1228+3128.exedescription pid process Token: SeDebugPrivilege 3500 QSO J1228+3128.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
cmd.exedescription pid process target process PID 1236 wrote to memory of 4512 1236 cmd.exe cscript.exe PID 1236 wrote to memory of 4512 1236 cmd.exe cscript.exe PID 1236 wrote to memory of 3500 1236 cmd.exe QSO J1228+3128.exe PID 1236 wrote to memory of 3500 1236 cmd.exe QSO J1228+3128.exe PID 1236 wrote to memory of 3500 1236 cmd.exe QSO J1228+3128.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
QSO J1228+3128.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "4" QSO J1228+3128.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\QSO J1228+3128.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\system32\cscript.execscript x.js2⤵PID:4512
-
-
C:\Users\Admin\AppData\Roaming\QSO J1228+3128.exe"C:\Users\Admin\AppData\Roaming\QSO J1228+3128.exe"2⤵
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3500
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
116KB
MD52e000614aec93ce7ae46dd2eccbd4909
SHA13729179982898079d2e618dfc5c761032660d2d8
SHA256a7a5732ab9f859e4412b8efc73f32991d702632b37c7b389b6c1cb9c6d3ed0d9
SHA512eb4a886306bd20e334a3dfaddebb18cf9b7cb1b1c40221e6d88a4fbe78b07476ef3f6ffcaace8aa4db986e9b2670f1428c106b400cf46a8e718db6de7ae39732
-
Filesize
4KB
MD579254096081382bdff5fb846e8616500
SHA17e11fb749ab38a179435cdadaf00cbd173c1a9f1
SHA256e13428da7e1e467fbd06a4e44b89b8de357d74b6f7fa203348114a5d08fac749
SHA512900b9a70eaf23e08dd8935d174aba7fc8fb1a80076fccf05a9f8ef023fd225b2923643bf775fb28f022e77e0cd71e6f62510fe538bcfd75242e036a0d965aee2
-
Filesize
448B
MD58eec8704d2a7bc80b95b7460c06f4854
SHA11b34585c1fa7ec0bd0505478ac9dbb8b8d19f326
SHA256aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596
SHA512e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210
-
Filesize
85KB
MD51440570efffe6886be86d1b2986993d2
SHA18104d2543bf2f15748763228c2624c70e787a2e2
SHA25672ffa65ac56b79466f8e3e1aaec7e19db1764fa40b90fb434a3c82d4277ad041
SHA51266ce98a53ed60ab5713e111e48363bc9fa95f390304d3fdbb48867a4034b065250b7a45a94b78627b80ced645184fad29f4f4b2c02f6298010de190961f76e9a
-
Filesize
85KB
MD51440570efffe6886be86d1b2986993d2
SHA18104d2543bf2f15748763228c2624c70e787a2e2
SHA25672ffa65ac56b79466f8e3e1aaec7e19db1764fa40b90fb434a3c82d4277ad041
SHA51266ce98a53ed60ab5713e111e48363bc9fa95f390304d3fdbb48867a4034b065250b7a45a94b78627b80ced645184fad29f4f4b2c02f6298010de190961f76e9a
-
Filesize
206KB
MD5d5f741b0bb991604d5331de863d49d8b
SHA11c73d032211696e954259b48c3e83029d7852846
SHA256adac36e4faab7c953354b50391774c9b01379cb4445de52f074464c58d751d1d
SHA512a84b1acec34996a5047ff082985510cecf1d381b216e3b02dca2113b16500d417c6f89833ad93a3b1ba96b23cbcc8af5cd5d065fe6235d5273c1c8412538fa30
-
Filesize
206KB
MD5d5f741b0bb991604d5331de863d49d8b
SHA11c73d032211696e954259b48c3e83029d7852846
SHA256adac36e4faab7c953354b50391774c9b01379cb4445de52f074464c58d751d1d
SHA512a84b1acec34996a5047ff082985510cecf1d381b216e3b02dca2113b16500d417c6f89833ad93a3b1ba96b23cbcc8af5cd5d065fe6235d5273c1c8412538fa30