c7a87592a9864379456a3b0f3c9b2241f77062f49210f1b146fbb83da3bd5a35

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2023, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qwd.exe
Size

28KB
MD5

6062b6931cb4fbe864d2a1953604db94
SHA1

26778d2862ff3f13b614f10c66987346423f6339
SHA256

c7a87592a9864379456a3b0f3c9b2241f77062f49210f1b146fbb83da3bd5a35
SHA512

b13ef1c7069e1c6d67bbad256fc7dc622d0d03d34b56db25571f287b4366637a8b04be2ec55124d2d65449193e68e49522556c10c0a5f3153f9168b119ebbcf6
SSDEEP

768:fRGuY2P0Vo6r7SiAwyrMRjbHEXKVYb/Lg6lrRpaXinbcuyD7Us:pPcVo6r7S/rabHEKqb/LXRpvnouy8s

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	qwd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1656-134-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/1656-138-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 22 IoCs

evasion

pid	Process
328	timeout.exe
4620	timeout.exe
4108	timeout.exe
2400	timeout.exe
4820	timeout.exe
4048	timeout.exe
220	timeout.exe
2780	timeout.exe
4272	timeout.exe
1840	timeout.exe
4896	timeout.exe
4324	timeout.exe
984	timeout.exe
2432	timeout.exe
3192	timeout.exe
3748	timeout.exe
4180	timeout.exe
3856	timeout.exe
4352	timeout.exe
1548	timeout.exe
3784	timeout.exe
236	timeout.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2428	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3304	WMIC.exe
Token: SeSecurityPrivilege	3304	WMIC.exe
Token: SeTakeOwnershipPrivilege	3304	WMIC.exe
Token: SeLoadDriverPrivilege	3304	WMIC.exe
Token: SeSystemProfilePrivilege	3304	WMIC.exe
Token: SeSystemtimePrivilege	3304	WMIC.exe
Token: SeProfSingleProcessPrivilege	3304	WMIC.exe
Token: SeIncBasePriorityPrivilege	3304	WMIC.exe
Token: SeCreatePagefilePrivilege	3304	WMIC.exe
Token: SeBackupPrivilege	3304	WMIC.exe
Token: SeRestorePrivilege	3304	WMIC.exe
Token: SeShutdownPrivilege	3304	WMIC.exe
Token: SeDebugPrivilege	3304	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3304	WMIC.exe
Token: SeRemoteShutdownPrivilege	3304	WMIC.exe
Token: SeUndockPrivilege	3304	WMIC.exe
Token: SeManageVolumePrivilege	3304	WMIC.exe
Token: 33	3304	WMIC.exe
Token: 34	3304	WMIC.exe
Token: 35	3304	WMIC.exe
Token: 36	3304	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3304	WMIC.exe
Token: SeSecurityPrivilege	3304	WMIC.exe
Token: SeTakeOwnershipPrivilege	3304	WMIC.exe
Token: SeLoadDriverPrivilege	3304	WMIC.exe
Token: SeSystemProfilePrivilege	3304	WMIC.exe
Token: SeSystemtimePrivilege	3304	WMIC.exe
Token: SeProfSingleProcessPrivilege	3304	WMIC.exe
Token: SeIncBasePriorityPrivilege	3304	WMIC.exe
Token: SeCreatePagefilePrivilege	3304	WMIC.exe
Token: SeBackupPrivilege	3304	WMIC.exe
Token: SeRestorePrivilege	3304	WMIC.exe
Token: SeShutdownPrivilege	3304	WMIC.exe
Token: SeDebugPrivilege	3304	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3304	WMIC.exe
Token: SeRemoteShutdownPrivilege	3304	WMIC.exe
Token: SeUndockPrivilege	3304	WMIC.exe
Token: SeManageVolumePrivilege	3304	WMIC.exe
Token: 33	3304	WMIC.exe
Token: 34	3304	WMIC.exe
Token: 35	3304	WMIC.exe
Token: 36	3304	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3476	WMIC.exe
Token: SeSecurityPrivilege	3476	WMIC.exe
Token: SeTakeOwnershipPrivilege	3476	WMIC.exe
Token: SeLoadDriverPrivilege	3476	WMIC.exe
Token: SeSystemProfilePrivilege	3476	WMIC.exe
Token: SeSystemtimePrivilege	3476	WMIC.exe
Token: SeProfSingleProcessPrivilege	3476	WMIC.exe
Token: SeIncBasePriorityPrivilege	3476	WMIC.exe
Token: SeCreatePagefilePrivilege	3476	WMIC.exe
Token: SeBackupPrivilege	3476	WMIC.exe
Token: SeRestorePrivilege	3476	WMIC.exe
Token: SeShutdownPrivilege	3476	WMIC.exe
Token: SeDebugPrivilege	3476	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3476	WMIC.exe
Token: SeRemoteShutdownPrivilege	3476	WMIC.exe
Token: SeUndockPrivilege	3476	WMIC.exe
Token: SeManageVolumePrivilege	3476	WMIC.exe
Token: 33	3476	WMIC.exe
Token: 34	3476	WMIC.exe
Token: 35	3476	WMIC.exe
Token: 36	3476	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3476	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2060	1656	qwd.exe	84
PID 1656 wrote to memory of 2060	1656	qwd.exe	84
PID 1656 wrote to memory of 2060	1656	qwd.exe	84
PID 2060 wrote to memory of 1744	2060	cmd.exe	87
PID 2060 wrote to memory of 1744	2060	cmd.exe	87
PID 2060 wrote to memory of 1744	2060	cmd.exe	87
PID 2060 wrote to memory of 3192	2060	cmd.exe	88
PID 2060 wrote to memory of 3192	2060	cmd.exe	88
PID 2060 wrote to memory of 3192	2060	cmd.exe	88
PID 2060 wrote to memory of 984	2060	cmd.exe	89
PID 2060 wrote to memory of 984	2060	cmd.exe	89
PID 2060 wrote to memory of 984	2060	cmd.exe	89
PID 2060 wrote to memory of 4048	2060	cmd.exe	90
PID 2060 wrote to memory of 4048	2060	cmd.exe	90
PID 2060 wrote to memory of 4048	2060	cmd.exe	90
PID 2060 wrote to memory of 3784	2060	cmd.exe	91
PID 2060 wrote to memory of 3784	2060	cmd.exe	91
PID 2060 wrote to memory of 3784	2060	cmd.exe	91
PID 2060 wrote to memory of 2432	2060	cmd.exe	92
PID 2060 wrote to memory of 2432	2060	cmd.exe	92
PID 2060 wrote to memory of 2432	2060	cmd.exe	92
PID 2060 wrote to memory of 236	2060	cmd.exe	93
PID 2060 wrote to memory of 236	2060	cmd.exe	93
PID 2060 wrote to memory of 236	2060	cmd.exe	93
PID 2060 wrote to memory of 220	2060	cmd.exe	94
PID 2060 wrote to memory of 220	2060	cmd.exe	94
PID 2060 wrote to memory of 220	2060	cmd.exe	94
PID 2060 wrote to memory of 328	2060	cmd.exe	95
PID 2060 wrote to memory of 328	2060	cmd.exe	95
PID 2060 wrote to memory of 328	2060	cmd.exe	95
PID 2060 wrote to memory of 4180	2060	cmd.exe	96
PID 2060 wrote to memory of 4180	2060	cmd.exe	96
PID 2060 wrote to memory of 4180	2060	cmd.exe	96
PID 2060 wrote to memory of 2780	2060	cmd.exe	97
PID 2060 wrote to memory of 2780	2060	cmd.exe	97
PID 2060 wrote to memory of 2780	2060	cmd.exe	97
PID 2060 wrote to memory of 3856	2060	cmd.exe	98
PID 2060 wrote to memory of 3856	2060	cmd.exe	98
PID 2060 wrote to memory of 3856	2060	cmd.exe	98
PID 2060 wrote to memory of 4352	2060	cmd.exe	99
PID 2060 wrote to memory of 4352	2060	cmd.exe	99
PID 2060 wrote to memory of 4352	2060	cmd.exe	99
PID 2060 wrote to memory of 4620	2060	cmd.exe	100
PID 2060 wrote to memory of 4620	2060	cmd.exe	100
PID 2060 wrote to memory of 4620	2060	cmd.exe	100
PID 2060 wrote to memory of 4272	2060	cmd.exe	101
PID 2060 wrote to memory of 4272	2060	cmd.exe	101
PID 2060 wrote to memory of 4272	2060	cmd.exe	101
PID 2060 wrote to memory of 1548	2060	cmd.exe	102
PID 2060 wrote to memory of 1548	2060	cmd.exe	102
PID 2060 wrote to memory of 1548	2060	cmd.exe	102
PID 2060 wrote to memory of 1840	2060	cmd.exe	103
PID 2060 wrote to memory of 1840	2060	cmd.exe	103
PID 2060 wrote to memory of 1840	2060	cmd.exe	103
PID 2060 wrote to memory of 4108	2060	cmd.exe	104
PID 2060 wrote to memory of 4108	2060	cmd.exe	104
PID 2060 wrote to memory of 4108	2060	cmd.exe	104
PID 2060 wrote to memory of 2400	2060	cmd.exe	105
PID 2060 wrote to memory of 2400	2060	cmd.exe	105
PID 2060 wrote to memory of 2400	2060	cmd.exe	105
PID 2060 wrote to memory of 4896	2060	cmd.exe	106
PID 2060 wrote to memory of 4896	2060	cmd.exe	106
PID 2060 wrote to memory of 4896	2060	cmd.exe	106
PID 2060 wrote to memory of 4324	2060	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\qwd.exe
"C:\Users\Admin\AppData\Local\Temp\qwd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\82D1.tmp\qwd.bat" "C:\Users\Admin\AppData\Local\Temp\""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3192
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:984
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4048
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3784
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2432
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:236
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:220
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:328
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4180
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2780
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3856
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4352
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4620
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4272
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1548
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1840
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4108
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2400
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4896
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4324
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4820
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /t 0 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic csproduct Get "UUID" /value
    3⤵
    PID:4468
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct Get "UUID" /value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic bios get serialnumber /value
    3⤵
    PID:1388
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic bios get serialnumber /value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -4 -n 1 TPAVZECK | findstr [
    3⤵
    PID:2136
  - - C:\Windows\SysWOW64\PING.EXE
      ping -4 -n 1 TPAVZECK
      4⤵
      Runs ping.exe
      PID:2428
  - - C:\Windows\SysWOW64\findstr.exe
      findstr [
      4⤵
      PID:3904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\82D1.tmp\qwd.bat

Filesize
50KB

MD5
ff48fef8a4227a68563bba2339ea40fb

SHA1
3a890f54b49d03d6c537465c575d4ca6a5602052

SHA256
10b7f48eddcbe79991807f8ec459d5da0d8d732bb6aed64ba8ea60512c61f7cd

SHA512
6d0f9fc8664968d15750d696c678934eda86427318e964e82a1329338cd8280c66009ec88f69ebcf1164108963ce01bcfcf854aa3ac2a1f388e63005b881b7fe

Download Submit
memory/1656-134-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1656-138-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download