Overview

overview

8

Static

static

1

QxlWddmDod...64.msi

windows7-x64

8

QxlWddmDod...64.msi

windows10-2004-x64

8

Analysis

  • max time kernel
    135s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/06/2023, 07:40

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    QxlWddmDod_0.21.0.0_x64.msi

  • Size

    1.2MB

  • MD5

    fd02685fa40e1d7c8340fca32a1ac8fe

  • SHA1

    75c4b8150d866586a53ab171899e3689f263e04b

  • SHA256

    cdc3031a30bbab2c22d0ee211a1ede49cd809ff3b208f7fdd07f5108b0b4c52b

  • SHA512

    3ccdd2095298f65057829ac921e1cc0b53ae0a016a6d116795d5d727d3869e28284565f248ff6e7549538cda8cec4f99f68178332039b959d94cfaeea6029727

  • SSDEEP

    24576:N7a1kxSYYKVIMgWFN/ExN0wh69DUwevflGIWh:JmnYGW0xph69gflG

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 17 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 16 IoCs
  • Checks SCSI registry key(s) 3 TTPs 47 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 44 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\QxlWddmDod_0.21.0.0_x64.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4924
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:5008
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding 0D7C75B0BA4602FEA943028F8F28EDD3
        2⤵
        • Loads dropped DLL
        PID:3956
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding B20BC347567C617EE97CBE70D6D1B1EE E Global\MSI0000
        2⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        PID:780
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:3476
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3808
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "4" "1" "C:\Program Files\Red Hat\QXL-WDDM-DOD\qxldod.inf" "9" "476b3edbb" "00000000000000B8" "WinSta0\Default" "0000000000000138" "208" "C:\Program Files\Red Hat\QXL-WDDM-DOD"
        2⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        PID:2592

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Config.Msi\e56fc57.rbs
            Filesize

            698KB

            MD5

            4b77ab134883f58ba0acea6d234a5fed

            SHA1

            adf69eba9d198f58cb4f0165be2ea1c499a8e1cd

            SHA256

            401e4f871e8e624cd373078a854f9d1848d5ab8b8a285b77bf9a3722290ac5fc

            SHA512

            42b920fdeebc89d8449fa1ed5871b77baa7e5f3d4c5a9e34a010412d59cb1a6a40e7b68b76e0bcfc89b3f142ec6bc7b450631288e0400d8557c6405836441817

            Download Submit

          • C:\PROGRA~1\REDHAT~1\QXL-WD~1\qxldod.cat
            Filesize

            9KB

            MD5

            ddce849b2f010068231b2af8a30f4b2e

            SHA1

            7fd76c6bacf7bc85aca9a8a5460d06f48b20300d

            SHA256

            2d8411beb9c58ea117c34c59cecd2c0f8df0780b13120cbf6e07b966c415ba13

            SHA512

            42d338e286868e3b18b672937eab88b8110915c67818c7487906ce9c1001dcebef0278b202c5c38db0490caaa86987b075940d3fcdb4627f42ffb153bf11a275

            Download Submit

          • C:\PROGRA~1\REDHAT~1\QXL-WD~1\qxldod.sys
            Filesize

            100KB

            MD5

            aee3763b71a78ab2ae3d9c0852ca1d1e

            SHA1

            8afd00717a78ec703723826cc5f43b6b5f0153e6

            SHA256

            1b2f517044d5349c6e338c8a035274d1a423c129f376208a8702568812bcff8e

            SHA512

            ad5d93be10befa3369f78407a0ea9e3f3310137d0dc370754f9d3db7878107864c5b971e9bfc62ce4cf0eef49a941b519500dafe4f9dbb6753ab5b3a3b34fa85

            Download Submit

          • C:\Program Files\Red Hat\QXL-WDDM-DOD\qxldod.inf
            Filesize

            2KB

            MD5

            6a37574f102b0b14351d8b8a0c0bffe6

            SHA1

            ad4fbb886840a38b58282de85a05a843b822df26

            SHA256

            ce760456db38bc2f4169cd347ee9bd18129440da6d87274e7e3cae4814b07ab3

            SHA512

            173d5b0192a88009d2f4c960f99221cd5b83ffb2222e2b774ef9e7bfa16d694782a13c1678cd67d5e9de9ed7f9a623e03fe339df814875a8af3d5430536abe98

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1401C7EC8E96BC79CBFD92F9DF762D_5398732881722BDE3E78D6CA6BB2B78B
            Filesize

            1KB

            MD5

            73bc507b9a08db40cf5e786c9147700c

            SHA1

            35c2b2cc42e0ebe76c157dbfbcde947826722444

            SHA256

            32fadfeed09ceecb9b4af9fc411c820911c3c909558107b2d21c1da861326ec4

            SHA512

            d7d2b8d31c85f4d661c65045b3107ad3f4cee17be74df06e77f7451fbf3a7c2399f14c026710ba14ab248a929ad6f15190408323d0eb95f24081c988722d85d2

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CDE89F9DCB25D8AC547E3CEFDA4FB6C2_0B8D2F2AE9116DAEFA3CA328805C1EB0
            Filesize

            1KB

            MD5

            7e1642ddbb3f4a77a6f4aacdcc0647db

            SHA1

            8c720adc75ed31addfcf6dcb50586ebf8fd132cb

            SHA256

            2ab5e1d2423388093376f4c903a3a896a238b0ee856a6f3891f3822085d79792

            SHA512

            4bd6604f2295afb3a42d5511c45d9ccc7ee544407599d1e8a2d8e62f9c1a3a7d6570a61744e443d8cb0505c4ec8526b0c4783e8e4959a85b4075e4edf1d8738e

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1401C7EC8E96BC79CBFD92F9DF762D_5398732881722BDE3E78D6CA6BB2B78B
            Filesize

            388B

            MD5

            4eb01deceba05c271fb5e110e484769f

            SHA1

            485eaaccb864871682a0e15ad8d6ca163c04ed64

            SHA256

            b82243520c85d39c7a05cbcecd21c9071f4e2bff4f503574eda8a59c806db653

            SHA512

            4716233e7114bde08114df73d3332e682cab5b9f9accfaeedf9b8374ad6c595f31955f26140ae5b3609fb518a08a8137e17d5c23d0edb2ace84a960bb13afe34

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CDE89F9DCB25D8AC547E3CEFDA4FB6C2_0B8D2F2AE9116DAEFA3CA328805C1EB0
            Filesize

            390B

            MD5

            124c65565d3e499578fb83a4af0b0a9b

            SHA1

            d756dd97457d727b6358a5294c73dd50ea3fb526

            SHA256

            96a334c09d3c488bd81f971f3f7037b74440be69d49fbf9aaee745c4f7a44d8f

            SHA512

            0638c10f392bae21958560b32ed3305749eb1bb61ae51a0b1113ca50b51ce0da286cfeccb9dbb8247e385bef94a51cf3738f2d071ef3d62661908a73d87bf231

            Download Submit

          • C:\Windows\Installer\MSI11.tmp
            Filesize

            690KB

            MD5

            8deb7d2f91c7392925718b3ba0aade22

            SHA1

            fc8e9b10c83e16eb0af1b6f10128f5c37b389682

            SHA256

            cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

            SHA512

            37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

            Download Submit

          • C:\Windows\Installer\MSI11.tmp
            Filesize

            690KB

            MD5

            8deb7d2f91c7392925718b3ba0aade22

            SHA1

            fc8e9b10c83e16eb0af1b6f10128f5c37b389682

            SHA256

            cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

            SHA512

            37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

            Download Submit

          • C:\Windows\Installer\MSI91B.tmp
            Filesize

            149KB

            MD5

            418322f7be2b68e88a93a048ac75a757

            SHA1

            09739792ff1c30f73dacafbe503630615922b561

            SHA256

            ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

            SHA512

            253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

            Download Submit

          • C:\Windows\Installer\MSI91B.tmp
            Filesize

            149KB

            MD5

            418322f7be2b68e88a93a048ac75a757

            SHA1

            09739792ff1c30f73dacafbe503630615922b561

            SHA256

            ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

            SHA512

            253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

            Download Submit

          • C:\Windows\Installer\MSIFE8A.tmp
            Filesize

            149KB

            MD5

            418322f7be2b68e88a93a048ac75a757

            SHA1

            09739792ff1c30f73dacafbe503630615922b561

            SHA256

            ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

            SHA512

            253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

            Download Submit

          • C:\Windows\Installer\MSIFE8A.tmp
            Filesize

            149KB

            MD5

            418322f7be2b68e88a93a048ac75a757

            SHA1

            09739792ff1c30f73dacafbe503630615922b561

            SHA256

            ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

            SHA512

            253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

            Download Submit

          • C:\Windows\Installer\e56fc56.msi
            Filesize

            1.2MB

            MD5

            fd02685fa40e1d7c8340fca32a1ac8fe

            SHA1

            75c4b8150d866586a53ab171899e3689f263e04b

            SHA256

            cdc3031a30bbab2c22d0ee211a1ede49cd809ff3b208f7fdd07f5108b0b4c52b

            SHA512

            3ccdd2095298f65057829ac921e1cc0b53ae0a016a6d116795d5d727d3869e28284565f248ff6e7549538cda8cec4f99f68178332039b959d94cfaeea6029727

            Download Submit

          • C:\Windows\System32\CatRoot2\dberr.txt
            Filesize

            2KB

            MD5

            b9cc02e84de1b863c1d74d61d4af569e

            SHA1

            2af0c321c5e7866c718d8c832108a7f0e7aaafdd

            SHA256

            26f634f43e5dfbb8149e594ff9b73bbcf080d69c46b9dfd602f7d88861907938

            SHA512

            68816cac2b9a890fd58cda41f4ec8d6794bc715005912f62058beffe7765d81d510e67d20b3061728e620168bf69dec6a2f96363e6216601c61bfd7d44c099e5

            Download Submit

          • C:\Windows\System32\DriverStore\FileRepository\qxldod.inf_amd64_6199f9ecf2339133\qxldod.cat
            Filesize

            9KB

            MD5

            ddce849b2f010068231b2af8a30f4b2e

            SHA1

            7fd76c6bacf7bc85aca9a8a5460d06f48b20300d

            SHA256

            2d8411beb9c58ea117c34c59cecd2c0f8df0780b13120cbf6e07b966c415ba13

            SHA512

            42d338e286868e3b18b672937eab88b8110915c67818c7487906ce9c1001dcebef0278b202c5c38db0490caaa86987b075940d3fcdb4627f42ffb153bf11a275

            Download Submit

          • C:\Windows\System32\DriverStore\FileRepository\qxldod.inf_amd64_6199f9ecf2339133\qxldod.inf
            Filesize

            2KB

            MD5

            6a37574f102b0b14351d8b8a0c0bffe6

            SHA1

            ad4fbb886840a38b58282de85a05a843b822df26

            SHA256

            ce760456db38bc2f4169cd347ee9bd18129440da6d87274e7e3cae4814b07ab3

            SHA512

            173d5b0192a88009d2f4c960f99221cd5b83ffb2222e2b774ef9e7bfa16d694782a13c1678cd67d5e9de9ed7f9a623e03fe339df814875a8af3d5430536abe98

            Download Submit

          • C:\Windows\System32\DriverStore\Temp\{5d60a020-9fa2-5042-bd8f-fc47cf03ec4f}\qxldod.cat
            Filesize

            9KB

            MD5

            ddce849b2f010068231b2af8a30f4b2e

            SHA1

            7fd76c6bacf7bc85aca9a8a5460d06f48b20300d

            SHA256

            2d8411beb9c58ea117c34c59cecd2c0f8df0780b13120cbf6e07b966c415ba13

            SHA512

            42d338e286868e3b18b672937eab88b8110915c67818c7487906ce9c1001dcebef0278b202c5c38db0490caaa86987b075940d3fcdb4627f42ffb153bf11a275

            Download Submit

          • C:\Windows\System32\DriverStore\Temp\{5d60a020-9fa2-5042-bd8f-fc47cf03ec4f}\qxldod.inf
            Filesize

            2KB

            MD5

            6a37574f102b0b14351d8b8a0c0bffe6

            SHA1

            ad4fbb886840a38b58282de85a05a843b822df26

            SHA256

            ce760456db38bc2f4169cd347ee9bd18129440da6d87274e7e3cae4814b07ab3

            SHA512

            173d5b0192a88009d2f4c960f99221cd5b83ffb2222e2b774ef9e7bfa16d694782a13c1678cd67d5e9de9ed7f9a623e03fe339df814875a8af3d5430536abe98

            Download Submit

          • C:\Windows\System32\DriverStore\Temp\{5d60a020-9fa2-5042-bd8f-fc47cf03ec4f}\qxldod.sys
            Filesize

            100KB

            MD5

            aee3763b71a78ab2ae3d9c0852ca1d1e

            SHA1

            8afd00717a78ec703723826cc5f43b6b5f0153e6

            SHA256

            1b2f517044d5349c6e338c8a035274d1a423c129f376208a8702568812bcff8e

            SHA512

            ad5d93be10befa3369f78407a0ea9e3f3310137d0dc370754f9d3db7878107864c5b971e9bfc62ce4cf0eef49a941b519500dafe4f9dbb6753ab5b3a3b34fa85

            Download Submit

          • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
            Filesize

            11.8MB

            MD5

            44d1b651647eb6503e59b0b03172e213

            SHA1

            d2819e4b1c14b347683952bdd4ccb9454464f88e

            SHA256

            94522fa6348dd77544e9cf6fc080288a015ac57ba9a5595daf7a075cc47dcda9

            SHA512

            2f25a345ad9c34a51bda72f7762c69be43d0ce97e59fa4ab91385e56276389319583ea4b6068dbea8e9e8078c11591439de87440c6d2af04c619ec5dc89f9514

            Download Submit

          • \??\Volume{6aa5dca8-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{580a25f7-4aef-4a47-9c24-2fd6a42ea9cb}_OnDiskSnapshotProp
            Filesize

            5KB

            MD5

            07986796a435aa9acfe79f99eb2d4f85

            SHA1

            d4608c196dd8e61e35d7f06d41bf1beadacb7903

            SHA256

            571e9c7a6ac5228e82055028c5cce6a241917ca32d2e6934f756625f62fb710c

            SHA512

            f70064fd288ea31ff6c478ff71aad78321afc29ef4f965e7745e2cb0f013d9fe8810302258c8ab89c199c011dddcf0e15f5da066089e276f9911d6eb5eb63f6b

            Download Submit