85ffe86f99c418417bbf195b6f9d8e6c817d821506cc16a4a3ee8c6392d78620

Analysis

max time kernel
150s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/06/2023, 17:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DFYL-GF.exe
Size

3.7MB
MD5

c009f623472ef0cd972a38608ac96db2
SHA1

a693743d627bae297c13cc8de9cf2489d05db65e
SHA256

85ffe86f99c418417bbf195b6f9d8e6c817d821506cc16a4a3ee8c6392d78620
SHA512

0feb25afe86aa5cdf7b4e18d94bd442d0e6fe4edf4ffe7479cb40d93a3ca648aed3b4244f7cb20928251ac7118d177bb4930bb2fd56c250f0ba3ea471fc12c0e
SSDEEP

98304:E7uBtY6oI62jEb678CqJe5VuP1rAuR7tKFecH3LL600BY:E7uo6QSEb67VuP1sudxeL+Y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1668	QuickConnect.exe

Loads dropped DLL 1 IoCs

pid	Process
1400	DFYL-GF.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	QuickConnect.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1668	QuickConnect.exe
1668	QuickConnect.exe
1668	QuickConnect.exe
1668	QuickConnect.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 1668	1400	DFYL-GF.exe	27
PID 1400 wrote to memory of 1668	1400	DFYL-GF.exe	27
PID 1400 wrote to memory of 1668	1400	DFYL-GF.exe	27
PID 1400 wrote to memory of 1668	1400	DFYL-GF.exe	27

C:\Users\Admin\AppData\Local\Temp\DFYL-GF.exe
"C:\Users\Admin\AppData\Local\Temp\DFYL-GF.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\QuickConnect.exe
  QuickConnect.exe
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Config.ini

Filesize
5KB

MD5
ae1ff9311adc4fff3451389faecee188

SHA1
c979024990f168d7dadc2b47da24a477135b74d2

SHA256
e1e22c19127c1cc48cccb0745cb2ca4d7a09d4e3f6d767ccd2cf777a527c54dc

SHA512
002c787892f549316f9ed2e210ecae5dafc282949a2dbe4e6c2dc9914c33cb302cf924210494d1cb88b0c17dd62a8467de4db8452c582835b47994533d8d757b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE21A5.tmp

Filesize
113B

MD5
fb3a1f78ce37ff1f35edf63fa24b0347

SHA1
2ea7ec23c2d6ede7e9ae9a392b0ef61e1ca1758e

SHA256
1fd76bce24ec63cbd8293f20cafd42759a3ad1d4ac0f4056f9f91e633b730a11

SHA512
e7498efc65f13b3c1cb5fb6f9fa9641bd6ae66268340c405f6c27bcd4025e35802d2c314d4327e33232dac428629ed1f5b1d343cec84cf2792865b41a1ec9c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuickConnect.exe

Filesize
3.3MB

MD5
828175cc983c2c70d5ccae91b9a3a510

SHA1
a329e7fd8f465959fa5f075512084e5720d41e51

SHA256
d0d953dda463a19bfc7709fae758f68361255c1bc5c8bc78ef96af40e9e6c51b

SHA512
6c64638831a978f24f4d30375471261cb208608b164af94ca45aac612750e6dbad6809c388674d118734bca78171e83558fda31590c0971af6e324740e942e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuickConnect.exe

Filesize
3.3MB

MD5
828175cc983c2c70d5ccae91b9a3a510

SHA1
a329e7fd8f465959fa5f075512084e5720d41e51

SHA256
d0d953dda463a19bfc7709fae758f68361255c1bc5c8bc78ef96af40e9e6c51b

SHA512
6c64638831a978f24f4d30375471261cb208608b164af94ca45aac612750e6dbad6809c388674d118734bca78171e83558fda31590c0971af6e324740e942e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\logo.bin

Filesize
26KB

MD5
10aae67d923fff7d07aba9de5356ead0

SHA1
61253eecc2ed6ad0bdbfd9653b4c88a8074e393b

SHA256
11b29aa311c52916e3f951e168e12f221ba4f2e29da4c24d684d2178301158ba

SHA512
32ac1d0fca5d42bca8aaf2aaf8911e641c749758caae1e977866821bea0ca74d53c5face8dc4cb598960f37de8e320f21b64cba1c1916c8c10eef44ebff55314

Download Submit
C:\Users\Admin\AppData\Local\Temp\quick1x_log.xml

Filesize
1KB

MD5
d43edc1e6fb30f05104e492f2e173b03

SHA1
839704875ce2a33154e90ad1d831f48cfca52c0c

SHA256
4fb5c504de3162b957da2773e9357434e5a4bd8517f7781e68b66a7fcae52d3c

SHA512
690df646d50ef3d9ad9650d355b2c2b0806b3364f74b83426aec8a04498ce1bb848f2f1805a03aa0d48939f7401d0d8672ce34c9621b4797c06faa5fee3d56fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ui_properties.js

Filesize
226B

MD5
219de0ceaa85b74b9029ced175a0ea26

SHA1
271c8106d3f69039400a1bc9f19c3c897688399a

SHA256
2337e47913d638ed00c30d70d0ee8fc2d4c54a3dfff60fb7ce3da717e931d40b

SHA512
8b8eb4e551c50e8a0cd7a78d0caa8d4e0b5072ea02771f82fe5d535db5776fd4e82e6c6760d7fc75b5322db44546edb88cc37243263bf603a5d7f1428f118e4d

Download Submit
\Users\Admin\AppData\Local\Temp\QuickConnect.exe

Filesize
3.3MB

MD5
828175cc983c2c70d5ccae91b9a3a510

SHA1
a329e7fd8f465959fa5f075512084e5720d41e51

SHA256
d0d953dda463a19bfc7709fae758f68361255c1bc5c8bc78ef96af40e9e6c51b

SHA512
6c64638831a978f24f4d30375471261cb208608b164af94ca45aac612750e6dbad6809c388674d118734bca78171e83558fda31590c0971af6e324740e942e2a

Download Submit