General

  • Target

    Qukp.exe

  • Size

    443KB

  • Sample

    230513-2wtplacb41

  • MD5

    5d6c95558f08c90419758761bf4ab83d

  • SHA1

    7fd6074f848d83879ce2246f4cfc98266043ddaf

  • SHA256

    7e0912623a9cbce0e8f1bed0da9a8a4bb8605dbf24f6f292831580e13426514c

  • SHA512

    ab136b675a7c3634dfb5ec41b29ae1d0fbbbb070fc08bd43734113f917ad0e792c5dcfd5eaadb3540309f10d90d6cb02145823f537bd567cc7a37ef98f21a6f7

  • SSDEEP

    12288:t2bT6iVvgiDqN1F7eNX284FVdPNsA2jiHT0YN:t2HjVYiGit286dPNsRyT0YN
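Before trusting a sandbox verdict, confirm that the file on your disk is the one the report describes, and reproduce the cheap static checks yourself. The script below is an added example, not part of the report or of the sandbox's own signature code: it recomputes the four digests listed above and compares them, checks whether a PE carries a .NET CLI header (the kind of binary .NET Reactor wraps), and searches for the marker string that unregistered .NET Reactor builds embed. The marker string is an assumption taken from public YARA rules, and `_fake_pe` builds a constructed minimal header so the script runs offline without the real sample.

```python
"""Static triage helpers for a sample listed in a sandbox report.

Added example. EXPECTED holds the digests from the report above; the PE
bytes built by _fake_pe() are CONSTRUCTED so the checks run offline.
"""
import hashlib
import struct

# Digests copied from the report's General section.
EXPECTED = {
    "md5": "5d6c95558f08c90419758761bf4ab83d",
    "sha1": "7fd6074f848d83879ce2246f4cfc98266043ddaf",
    "sha256": "7e0912623a9cbce0e8f1bed0da9a8a4bb8605dbf24f6f292831580e13426514c",
    "sha512": "ab136b675a7c3634dfb5ec41b29ae1d0fbbbb070fc08bd43734113f917ad0e792c5dcfd5eaadb3540309f10d90d6cb02145823f537bd567cc7a37ef98f21a6f7",
}

# Marker left in assemblies by unregistered .NET Reactor builds (assumption:
# this is the string public YARA rules match on; confirm against a known
# protected assembly before relying on it in production).
REACTOR_UNREGISTERED = (
    b'This assembly is protected by an unregistered version of '
    b'Eziriz\'s ".NET Reactor"!'
)

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLI header slot in the data directories


def digests(data: bytes) -> dict:
    """Compute the same four digests the report lists."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def verify_hashes(data: bytes, expected: dict = EXPECTED) -> dict:
    """Return {algo: matched}. Every entry must be True for the bytes to be the report's sample."""
    got = digests(data)
    return {algo: got[algo] == value.lower() for algo, value in expected.items()}


def has_clr_header(data: bytes) -> bool:
    """True if the PE's COM descriptor data directory has a non-zero RVA, i.e. it is a .NET image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20                     # skip signature and IMAGE_FILE_HEADER
    if opt + 2 > len(data):
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                          # PE32: data directories start at +96
        dir_base = opt + 96
    elif magic == 0x20B:                        # PE32+: data directories start at +112
        dir_base = opt + 112
    else:
        return False
    entry = dir_base + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8
    if entry + 8 > len(data):
        return False
    rva, _size = struct.unpack_from("<II", data, entry)
    return rva != 0


def looks_net_reactor_unregistered(data: bytes) -> bool:
    """Cheap string check for the unregistered-.NET-Reactor marker."""
    return REACTOR_UNREGISTERED in data


def _fake_pe(clr_rva: int) -> bytes:
    """CONSTRUCTED minimal PE32 header: DOS stub, PE signature, file header, optional header."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew
    hdr += b"PE\0\0" + bytes(20)                           # signature + IMAGE_FILE_HEADER
    opt = bytearray(96 + 16 * 8)                           # PE32 optional header + 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                  # magic: PE32
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8, clr_rva, 0x48)
    return bytes(hdr + opt)


if __name__ == "__main__":
    sample = _fake_pe(0x2000) + REACTOR_UNREGISTERED      # constructed stand-in for the real file
    print("hash match:", verify_hashes(sample))
    print(".NET image:", has_clr_header(sample))
    print("unregistered Reactor marker:", looks_net_reactor_unregistered(sample))
```

Run it against the real file with `open(path, "rb").read()` in place of the constructed bytes; a single False in `verify_hashes` means you are looking at a different build and none of the behaviours below should be assumed to carry over.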

Score
7/10

Malware Config

Targets

    • Target

      Qukp.exe

    • Size

      443KB

    • MD5

      5d6c95558f08c90419758761bf4ab83d

    • SHA1

      7fd6074f848d83879ce2246f4cfc98266043ddaf

    • SHA256

      7e0912623a9cbce0e8f1bed0da9a8a4bb8605dbf24f6f292831580e13426514c

    • SHA512

      ab136b675a7c3634dfb5ec41b29ae1d0fbbbb070fc08bd43734113f917ad0e792c5dcfd5eaadb3540309f10d90d6cb02145823f537bd567cc7a37ef98f21a6f7

    • SSDEEP

      12288:t2bT6iVvgiDqN1F7eNX284FVdPNsA2jiHT0YN:t2HjVYiGit286dPNsRyT0YN

    Score
    7/10
    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing (refusing to run in certain countries).

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Rewrites a thread's register context in another process, a common step in process hollowing and other code injection.
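The signatures above are each a small rule over the API trace the sandbox recorded. The detector below is an added example, not the sandbox's own signature code: it runs the six behavioural rules over a constructed trace and reports which fire. The event format (`api`, `args`, `pid` keys) is an assumed normalised schema, the IP-lookup host list and the `Control Panel\International\Geo` / `Nation` registry value are assumptions about what such rules match on, and the SetThreadContext rule deliberately only fires when the call lands on a process this sample itself created suspended and wrote into, because debuggers and legitimate tools also call SetThreadContext.

```python
"""Behavioural signature checks over a sandbox API trace.

Added example. SAMPLE_TRACE is CONSTRUCTED to exercise every rule; the
field names are an assumed normalised format, not a vendor schema.
"""
import re

# Hosts commonly used by malware to learn the victim's external IP (assumed list).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "checkip.dyndns.org",
                   "icanhazip.com", "ipinfo.io"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Assumed location of the configured country code (value name "Nation").
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo$", re.I)
CREATE_SUSPENDED = 0x4
EXECUTABLE_EXTS = (".exe", ".dll", ".scr")

SIG_RUN_KEY = "Adds Run key to start application"
SIG_GEO = "Checks computer location settings"
SIG_STARTUP = "Drops startup file"
SIG_EXEC_DROPPED = "Executes dropped EXE"
SIG_EXT_IP = "Looks up external IP address via web service"
SIG_SET_CTX = "Suspicious use of SetThreadContext"


def analyse(events):
    """Return the set of signature names that fire on the trace."""
    hits = set()
    dropped = set()   # executable paths this process wrote
    hollow = {}       # child pid -> stage of the create-suspended / write / set-context sequence
    for ev in events:
        api, a = ev["api"], ev.get("args", {})
        if api == "RegSetValueExW" and RUN_KEY_RE.search(a.get("key", "")):
            hits.add(SIG_RUN_KEY)
        if (api == "RegQueryValueExW" and GEO_KEY_RE.search(a.get("key", ""))
                and a.get("value", "").lower() == "nation"):
            hits.add(SIG_GEO)
        if api == "NtWriteFile":
            path = a.get("path", "")
            if STARTUP_DIR_RE.search(path):
                hits.add(SIG_STARTUP)
            if path.lower().endswith(EXECUTABLE_EXTS):
                dropped.add(path.lower())
        if api == "InternetConnectW" and a.get("server", "").lower() in IP_LOOKUP_HOSTS:
            hits.add(SIG_EXT_IP)
        if api == "CreateProcessW":
            if a.get("image", "").lower() in dropped:
                hits.add(SIG_EXEC_DROPPED)
            if a.get("flags", 0) & CREATE_SUSPENDED and a.get("child_pid") is not None:
                hollow[a["child_pid"]] = "suspended"
        if api == "WriteProcessMemory" and hollow.get(a.get("target_pid")) == "suspended":
            hollow[a["target_pid"]] = "written"
        # Only flag SetThreadContext on a child we created suspended and already wrote into:
        # that sequence (create suspended, write, set context, resume) is the hollowing pattern.
        if api == "SetThreadContext" and hollow.get(a.get("target_pid")) == "written":
            hits.add(SIG_SET_CTX)
    return hits


# CONSTRUCTED trace: one event per rule, in a plausible order.
SAMPLE_TRACE = [
    {"api": "RegQueryValueExW", "args": {"key": r"HKCU\Control Panel\International\Geo", "value": "Nation"}},
    {"api": "InternetConnectW", "args": {"server": "api.ipify.org", "port": 443}},
    {"api": "NtWriteFile", "args": {"path": r"C:\Users\victim\AppData\Roaming\payload.exe"}},
    {"api": "NtWriteFile", "args": {"path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.lnk"}},
    {"api": "RegSetValueExW", "args": {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                                       "value": "payload", "data": r"C:\Users\victim\AppData\Roaming\payload.exe"}},
    {"api": "CreateProcessW", "args": {"image": r"C:\Users\victim\AppData\Roaming\payload.exe",
                                       "flags": CREATE_SUSPENDED, "child_pid": 4242}},
    {"api": "WriteProcessMemory", "args": {"target_pid": 4242, "size": 0x2A000}},
    {"api": "SetThreadContext", "args": {"target_pid": 4242}},
    {"api": "ResumeThread", "args": {"target_pid": 4242}},
]

if __name__ == "__main__":
    for sig in sorted(analyse(SAMPLE_TRACE)):
        print("[+]", sig)
```

Feed it your own sandbox's JSON trace after mapping the call names and argument keys onto this schema; the ordering check in the SetThreadContext rule is what keeps it from firing on every debugger or hooking framework in the environment.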

MITRE ATT&CK Enterprise v6