c7a87592a9864379456a3b0f3c9b2241f77062f49210f1b146fbb83da3bd5a35

Analysis

max time kernel
27s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-06-2023 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qwd.exe
Size

28KB
MD5

6062b6931cb4fbe864d2a1953604db94
SHA1

26778d2862ff3f13b614f10c66987346423f6339
SHA256

c7a87592a9864379456a3b0f3c9b2241f77062f49210f1b146fbb83da3bd5a35
SHA512

b13ef1c7069e1c6d67bbad256fc7dc622d0d03d34b56db25571f287b4366637a8b04be2ec55124d2d65449193e68e49522556c10c0a5f3153f9168b119ebbcf6
SSDEEP

768:fRGuY2P0Vo6r7SiAwyrMRjbHEXKVYb/Lg6lrRpaXinbcuyD7Us:pPcVo6r7S/rabHEKqb/LXRpvnouy8s

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1388-69-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1388-71-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 22 IoCs

evasion

pid	Process
624	timeout.exe
1144	timeout.exe
824	timeout.exe
1364	timeout.exe
1628	timeout.exe
584	timeout.exe
1676	timeout.exe
1944	timeout.exe
1260	timeout.exe
860	timeout.exe
1620	timeout.exe
968	timeout.exe
1196	timeout.exe
1496	timeout.exe
1336	timeout.exe
660	timeout.exe
1800	timeout.exe
980	timeout.exe
2020	timeout.exe
316	timeout.exe
1468	timeout.exe
976	timeout.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1860	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1540	WMIC.exe
Token: SeSecurityPrivilege	1540	WMIC.exe
Token: SeTakeOwnershipPrivilege	1540	WMIC.exe
Token: SeLoadDriverPrivilege	1540	WMIC.exe
Token: SeSystemProfilePrivilege	1540	WMIC.exe
Token: SeSystemtimePrivilege	1540	WMIC.exe
Token: SeProfSingleProcessPrivilege	1540	WMIC.exe
Token: SeIncBasePriorityPrivilege	1540	WMIC.exe
Token: SeCreatePagefilePrivilege	1540	WMIC.exe
Token: SeBackupPrivilege	1540	WMIC.exe
Token: SeRestorePrivilege	1540	WMIC.exe
Token: SeShutdownPrivilege	1540	WMIC.exe
Token: SeDebugPrivilege	1540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1540	WMIC.exe
Token: SeRemoteShutdownPrivilege	1540	WMIC.exe
Token: SeUndockPrivilege	1540	WMIC.exe
Token: SeManageVolumePrivilege	1540	WMIC.exe
Token: 33	1540	WMIC.exe
Token: 34	1540	WMIC.exe
Token: 35	1540	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1540	WMIC.exe
Token: SeSecurityPrivilege	1540	WMIC.exe
Token: SeTakeOwnershipPrivilege	1540	WMIC.exe
Token: SeLoadDriverPrivilege	1540	WMIC.exe
Token: SeSystemProfilePrivilege	1540	WMIC.exe
Token: SeSystemtimePrivilege	1540	WMIC.exe
Token: SeProfSingleProcessPrivilege	1540	WMIC.exe
Token: SeIncBasePriorityPrivilege	1540	WMIC.exe
Token: SeCreatePagefilePrivilege	1540	WMIC.exe
Token: SeBackupPrivilege	1540	WMIC.exe
Token: SeRestorePrivilege	1540	WMIC.exe
Token: SeShutdownPrivilege	1540	WMIC.exe
Token: SeDebugPrivilege	1540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1540	WMIC.exe
Token: SeRemoteShutdownPrivilege	1540	WMIC.exe
Token: SeUndockPrivilege	1540	WMIC.exe
Token: SeManageVolumePrivilege	1540	WMIC.exe
Token: 33	1540	WMIC.exe
Token: 34	1540	WMIC.exe
Token: 35	1540	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1988	WMIC.exe
Token: SeSecurityPrivilege	1988	WMIC.exe
Token: SeTakeOwnershipPrivilege	1988	WMIC.exe
Token: SeLoadDriverPrivilege	1988	WMIC.exe
Token: SeSystemProfilePrivilege	1988	WMIC.exe
Token: SeSystemtimePrivilege	1988	WMIC.exe
Token: SeProfSingleProcessPrivilege	1988	WMIC.exe
Token: SeIncBasePriorityPrivilege	1988	WMIC.exe
Token: SeCreatePagefilePrivilege	1988	WMIC.exe
Token: SeBackupPrivilege	1988	WMIC.exe
Token: SeRestorePrivilege	1988	WMIC.exe
Token: SeShutdownPrivilege	1988	WMIC.exe
Token: SeDebugPrivilege	1988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1988	WMIC.exe
Token: SeRemoteShutdownPrivilege	1988	WMIC.exe
Token: SeUndockPrivilege	1988	WMIC.exe
Token: SeManageVolumePrivilege	1988	WMIC.exe
Token: 33	1988	WMIC.exe
Token: 34	1988	WMIC.exe
Token: 35	1988	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1988	WMIC.exe
Token: SeSecurityPrivilege	1988	WMIC.exe
Token: SeTakeOwnershipPrivilege	1988	WMIC.exe
Token: SeLoadDriverPrivilege	1988	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1816	1388	qwd.exe	27
PID 1388 wrote to memory of 1816	1388	qwd.exe	27
PID 1388 wrote to memory of 1816	1388	qwd.exe	27
PID 1388 wrote to memory of 1816	1388	qwd.exe	27
PID 1816 wrote to memory of 1164	1816	cmd.exe	29
PID 1816 wrote to memory of 1164	1816	cmd.exe	29
PID 1816 wrote to memory of 1164	1816	cmd.exe	29
PID 1816 wrote to memory of 1164	1816	cmd.exe	29
PID 1816 wrote to memory of 1260	1816	cmd.exe	30
PID 1816 wrote to memory of 1260	1816	cmd.exe	30
PID 1816 wrote to memory of 1260	1816	cmd.exe	30
PID 1816 wrote to memory of 1260	1816	cmd.exe	30
PID 1816 wrote to memory of 660	1816	cmd.exe	31
PID 1816 wrote to memory of 660	1816	cmd.exe	31
PID 1816 wrote to memory of 660	1816	cmd.exe	31
PID 1816 wrote to memory of 660	1816	cmd.exe	31
PID 1816 wrote to memory of 860	1816	cmd.exe	32
PID 1816 wrote to memory of 860	1816	cmd.exe	32
PID 1816 wrote to memory of 860	1816	cmd.exe	32
PID 1816 wrote to memory of 860	1816	cmd.exe	32
PID 1816 wrote to memory of 1628	1816	cmd.exe	33
PID 1816 wrote to memory of 1628	1816	cmd.exe	33
PID 1816 wrote to memory of 1628	1816	cmd.exe	33
PID 1816 wrote to memory of 1628	1816	cmd.exe	33
PID 1816 wrote to memory of 584	1816	cmd.exe	34
PID 1816 wrote to memory of 584	1816	cmd.exe	34
PID 1816 wrote to memory of 584	1816	cmd.exe	34
PID 1816 wrote to memory of 584	1816	cmd.exe	34
PID 1816 wrote to memory of 1676	1816	cmd.exe	35
PID 1816 wrote to memory of 1676	1816	cmd.exe	35
PID 1816 wrote to memory of 1676	1816	cmd.exe	35
PID 1816 wrote to memory of 1676	1816	cmd.exe	35
PID 1816 wrote to memory of 1944	1816	cmd.exe	36
PID 1816 wrote to memory of 1944	1816	cmd.exe	36
PID 1816 wrote to memory of 1944	1816	cmd.exe	36
PID 1816 wrote to memory of 1944	1816	cmd.exe	36
PID 1816 wrote to memory of 1800	1816	cmd.exe	37
PID 1816 wrote to memory of 1800	1816	cmd.exe	37
PID 1816 wrote to memory of 1800	1816	cmd.exe	37
PID 1816 wrote to memory of 1800	1816	cmd.exe	37
PID 1816 wrote to memory of 980	1816	cmd.exe	38
PID 1816 wrote to memory of 980	1816	cmd.exe	38
PID 1816 wrote to memory of 980	1816	cmd.exe	38
PID 1816 wrote to memory of 980	1816	cmd.exe	38
PID 1816 wrote to memory of 2020	1816	cmd.exe	39
PID 1816 wrote to memory of 2020	1816	cmd.exe	39
PID 1816 wrote to memory of 2020	1816	cmd.exe	39
PID 1816 wrote to memory of 2020	1816	cmd.exe	39
PID 1816 wrote to memory of 624	1816	cmd.exe	40
PID 1816 wrote to memory of 624	1816	cmd.exe	40
PID 1816 wrote to memory of 624	1816	cmd.exe	40
PID 1816 wrote to memory of 624	1816	cmd.exe	40
PID 1816 wrote to memory of 968	1816	cmd.exe	41
PID 1816 wrote to memory of 968	1816	cmd.exe	41
PID 1816 wrote to memory of 968	1816	cmd.exe	41
PID 1816 wrote to memory of 968	1816	cmd.exe	41
PID 1816 wrote to memory of 824	1816	cmd.exe	42
PID 1816 wrote to memory of 824	1816	cmd.exe	42
PID 1816 wrote to memory of 824	1816	cmd.exe	42
PID 1816 wrote to memory of 824	1816	cmd.exe	42
PID 1816 wrote to memory of 1196	1816	cmd.exe	43
PID 1816 wrote to memory of 1196	1816	cmd.exe	43
PID 1816 wrote to memory of 1196	1816	cmd.exe	43
PID 1816 wrote to memory of 1196	1816	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\qwd.exe
"C:\Users\Admin\AppData\Local\Temp\qwd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\205D.tmp\qwd.bat" "C:\Users\Admin\AppData\Local\Temp\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1260
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:660
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:860
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1628
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:584
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1676
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1944
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1800
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:980
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2020
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:624
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:968
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:824
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1196
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1620
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1144
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1496
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1336
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1364
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:316
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1468
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic csproduct Get "UUID" /value
    3⤵
    PID:1568
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct Get "UUID" /value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic bios get serialnumber /value
    3⤵
    PID:1652
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic bios get serialnumber /value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -4 -n 1 KXZDHPUW | findstr [
    3⤵
    PID:1696
  - - C:\Windows\SysWOW64\PING.EXE
      ping -4 -n 1 KXZDHPUW
      4⤵
      Runs ping.exe
      PID:1860
  - - C:\Windows\SysWOW64\findstr.exe
      findstr [
      4⤵
      PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\205D.tmp\qwd.bat

Filesize
50KB

MD5
ff48fef8a4227a68563bba2339ea40fb

SHA1
3a890f54b49d03d6c537465c575d4ca6a5602052

SHA256
10b7f48eddcbe79991807f8ec459d5da0d8d732bb6aed64ba8ea60512c61f7cd

SHA512
6d0f9fc8664968d15750d696c678934eda86427318e964e82a1329338cd8280c66009ec88f69ebcf1164108963ce01bcfcf854aa3ac2a1f388e63005b881b7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\205D.tmp\qwd.bat

Filesize
50KB

MD5
ff48fef8a4227a68563bba2339ea40fb

SHA1
3a890f54b49d03d6c537465c575d4ca6a5602052

SHA256
10b7f48eddcbe79991807f8ec459d5da0d8d732bb6aed64ba8ea60512c61f7cd

SHA512
6d0f9fc8664968d15750d696c678934eda86427318e964e82a1329338cd8280c66009ec88f69ebcf1164108963ce01bcfcf854aa3ac2a1f388e63005b881b7fe

Download Submit
memory/1388-69-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1388-71-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download