Resubmissions

09-05-2023 19:22

230509-x3fn4adg58 10

09-05-2023 19:14

230509-xxsrgaff7x 10

09-05-2023 19:14

230509-xxr5yadg42 7

09-05-2023 19:14

230509-xxrt6sff7w 8

09-05-2023 19:14

230509-xxrjeaff7v 8

09-05-2023 19:14

230509-xxqxwadg39 7

09-05-2023 19:14

230509-xxql4sff7t 10

09-05-2023 19:14

230509-xxqbcadg38 7

09-05-2023 19:10

230509-xvl6xadf64 10

Analysis

  • max time kernel
    71s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2023 19:14

General

  • Target

    trojan-leaks-main/QSO J1228+3128.bat

  • Size

    129KB

  • MD5

    b9b35fbe7121c90f368b13e97bf574a7

  • SHA1

    46c6fb9f06fffa4de1aacb73d4a3436664f79a8a

  • SHA256

    cae015c5705155cc6e2f49263aacef3bc8e4bfd9c2f29886a077471cd5dac447

  • SHA512

    79dcab087efb28845eae2124b559fb5d8188b9d86ae2bf2ac26bcc9a3d4b41acd656e061465900b86cddd0efff35fd987e562ddac5f266fcc2c67ee76a37a9e9

  • SSDEEP

    3072:esyMBvZXdYcpRXphFVhyelsqYTsjLXQ83N83qxho7Y:ewRXqcjDFLyPZT83N83Wik

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 6 IoCs
  • Sets file execution options in registry 2 TTPs 42 IoCs
  • Executes dropped EXE 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\QSO J1228+3128.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Windows\system32\cscript.exe
      cscript x.js
      2⤵
        PID:4512
      • C:\Users\Admin\AppData\Roaming\QSO J1228+3128.exe
        "C:\Users\Admin\AppData\Roaming\QSO J1228+3128.exe"
        2⤵
        • Drops file in Drivers directory
        • Sets file execution options in registry
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:3500

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\x

      Filesize

      116KB

      MD5

      2e000614aec93ce7ae46dd2eccbd4909

      SHA1

      3729179982898079d2e618dfc5c761032660d2d8

      SHA256

      a7a5732ab9f859e4412b8efc73f32991d702632b37c7b389b6c1cb9c6d3ed0d9

      SHA512

      eb4a886306bd20e334a3dfaddebb18cf9b7cb1b1c40221e6d88a4fbe78b07476ef3f6ffcaace8aa4db986e9b2670f1428c106b400cf46a8e718db6de7ae39732

    • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\x

      Filesize

      4KB

      MD5

      79254096081382bdff5fb846e8616500

      SHA1

      7e11fb749ab38a179435cdadaf00cbd173c1a9f1

      SHA256

      e13428da7e1e467fbd06a4e44b89b8de357d74b6f7fa203348114a5d08fac749

      SHA512

      900b9a70eaf23e08dd8935d174aba7fc8fb1a80076fccf05a9f8ef023fd225b2923643bf775fb28f022e77e0cd71e6f62510fe538bcfd75242e036a0d965aee2

    • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\x.js

      Filesize

      448B

      MD5

      8eec8704d2a7bc80b95b7460c06f4854

      SHA1

      1b34585c1fa7ec0bd0505478ac9dbb8b8d19f326

      SHA256

      aa01b8864b43e92077a106ed3d4656a511f3ba1910fba40c78a32ee6a621d596

      SHA512

      e274b92810e9a30627a65f87448d784967a2fcfbf49858cbe6ccb841f09e0f53fde253ecc1ea0c7de491d8cc56a6cf8c79d1b7c657e72928cfb0479d11035210

    • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\z.zip

      Filesize

      85KB

      MD5

      1440570efffe6886be86d1b2986993d2

      SHA1

      8104d2543bf2f15748763228c2624c70e787a2e2

      SHA256

      72ffa65ac56b79466f8e3e1aaec7e19db1764fa40b90fb434a3c82d4277ad041

      SHA512

      66ce98a53ed60ab5713e111e48363bc9fa95f390304d3fdbb48867a4034b065250b7a45a94b78627b80ced645184fad29f4f4b2c02f6298010de190961f76e9a

    • C:\Users\Admin\AppData\Roaming\QSO J1228+3128.exe

      Filesize

      206KB

      MD5

      d5f741b0bb991604d5331de863d49d8b

      SHA1

      1c73d032211696e954259b48c3e83029d7852846

      SHA256

      adac36e4faab7c953354b50391774c9b01379cb4445de52f074464c58d751d1d

      SHA512

      a84b1acec34996a5047ff082985510cecf1d381b216e3b02dca2113b16500d417c6f89833ad93a3b1ba96b23cbcc8af5cd5d065fe6235d5273c1c8412538fa30
