f592c546afc7a069ecb3a721c4c7892c7c70b39bec5148b1528d06c2fc001844

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-06-2023 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023.exe
Size

3.9MB
MD5

90f8859e4d97b25d28f6c1085fc80f53
SHA1

64c1230a9038e8bd66c93e4e0b321336e25bd6cf
SHA256

f592c546afc7a069ecb3a721c4c7892c7c70b39bec5148b1528d06c2fc001844
SHA512

4770a269e6afa24d9b43e99a5bb28855ba87c93f5b593e585dd0d7348f43891004cadfce992cf1c87b4d2783e5295f96f4469fc6f7eddb00ab80d296e136b93d
SSDEEP

98304:O06FOznLo0+Dd6uxcQ9hGPRa/9knyPnuSLlhJS9da+z:O3F6n80W6uGQzb9knyPuMlhJm9z

Score

7^/10

aspackv2 upx

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\ProgramData\Program\qbcore.dll	aspack_v212_v242
\ProgramData\Program\qbcore.dll	aspack_v212_v242

Executes dropped EXE 3 IoCs

Processes:

irsetup.exeun.exeqmbrowser.exe

pid process

1984 irsetup.exe
856 un.exe
1508 qmbrowser.exe

pid	process
1984	irsetup.exe
856	un.exe
1508	qmbrowser.exe

Loads dropped DLL 11 IoCs

Processes:

2023.exeirsetup.exeqmbrowser.exe

pid	process
2040	2023.exe
2040	2023.exe
2040	2023.exe
2040	2023.exe
1984	irsetup.exe
1984	irsetup.exe
1984	irsetup.exe
1984	irsetup.exe
1984	irsetup.exe
1984	irsetup.exe
1508	qmbrowser.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/1984-73-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/1984-128-0x0000000000400000-0x00000000007CB000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

Processes:

irsetup.exe

description	ioc	process
File created	C:\Program Files (x86)\²âÊÔ²úÆ·Ãû\001536-1684426536a917.jpg	irsetup.exe
File opened for modification	C:\Program Files (x86)\²âÊÔ²úÆ·Ãû\001536-1684426536a917.jpg	irsetup.exe
File opened for modification	C:\Program Files (x86)\²âÊÔ²úÆ·Ãû\203429-1618835669941d.jpg	irsetup.exe
File created	C:\Program Files (x86)\²âÊÔ²úÆ·Ãû\203429-1618835669941d.jpg	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

irsetup.exe

pid process

1984 irsetup.exe
1984 irsetup.exe

pid	process
1984	irsetup.exe
1984	irsetup.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2023.exeirsetup.exe

description	pid	process	target process
PID 2040 wrote to memory of 1984	2040	2023.exe	irsetup.exe
PID 2040 wrote to memory of 1984	2040	2023.exe	irsetup.exe
PID 2040 wrote to memory of 1984	2040	2023.exe	irsetup.exe
PID 2040 wrote to memory of 1984	2040	2023.exe	irsetup.exe
PID 2040 wrote to memory of 1984	2040	2023.exe	irsetup.exe
PID 2040 wrote to memory of 1984	2040	2023.exe	irsetup.exe
PID 2040 wrote to memory of 1984	2040	2023.exe	irsetup.exe
PID 1984 wrote to memory of 856	1984	irsetup.exe	un.exe
PID 1984 wrote to memory of 856	1984	irsetup.exe	un.exe
PID 1984 wrote to memory of 856	1984	irsetup.exe	un.exe
PID 1984 wrote to memory of 856	1984	irsetup.exe	un.exe
PID 1984 wrote to memory of 1508	1984	irsetup.exe	qmbrowser.exe
PID 1984 wrote to memory of 1508	1984	irsetup.exe	qmbrowser.exe
PID 1984 wrote to memory of 1508	1984	irsetup.exe	qmbrowser.exe
PID 1984 wrote to memory of 1508	1984	irsetup.exe	qmbrowser.exe

C:\Users\Admin\AppData\Local\Temp\2023.exe
"C:\Users\Admin\AppData\Local\Temp\2023.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\2023.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2647223082-2067913677-935928954-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984

C:\un.exe
"C:\un.exe" x -o+ -pby2022 "C:\ProgramData\data\upx.rar" qbcore.dll qmbrowser.exe WCG.psd "C:\ProgramData\Program\"
3⤵
- Executes dropped EXE
PID:856

C:\ProgramData\Program\qmbrowser.exe
"C:\ProgramData\Program\qmbrowser.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Program\qbcore.dll
Filesize
423KB

MD5
875e6e4d32ab07fb38e3b7e29c68d1c3

SHA1
1ea416a80630f82e1df234822715901d534f9f2d

SHA256
4702b25788318b9add0938ccdac3d6c186e002e1de6b195786ba1748b9eb96b0

SHA512
a7f96d061a3ca45160458b05b94cd2db652035186a14ce1b7b68bee04799d2e2794dcd1bd7205d35b05eea9fd2cab554fccf42da173eea5eee8c8b2f2cf94952

Download Submit
C:\ProgramData\Program\qmbrowser.exe
Filesize
604KB

MD5
2548136537413334725ff5fbea4cf976

SHA1
c53595dc7886520ec85568b1efea508da5461ec4

SHA256
429b88aae789c87087c213654531e0eaea18694de3897ae97b51eb484b02cbdc

SHA512
e796b79ba4747b9ced68b5879441b4f4d66fd42c0eca2499a6ab08428f465b813fb9691e498c907cdf6ef6bfdf7bc2c8e740c604d20ac961a729bc7fa2d25372

Download Submit
C:\ProgramData\Program\qmbrowser.exe
Filesize
604KB

MD5
2548136537413334725ff5fbea4cf976

SHA1
c53595dc7886520ec85568b1efea508da5461ec4

SHA256
429b88aae789c87087c213654531e0eaea18694de3897ae97b51eb484b02cbdc

SHA512
e796b79ba4747b9ced68b5879441b4f4d66fd42c0eca2499a6ab08428f465b813fb9691e498c907cdf6ef6bfdf7bc2c8e740c604d20ac961a729bc7fa2d25372

Download Submit
C:\ProgramData\data\upx.rar
Filesize
985KB

MD5
8bad863f1d62c4e51991067a121320f1

SHA1
ae3ec30067dfb66c390e3be6da7f0db663ef28a0

SHA256
29f379d1083d74aa12475092ac8bd5d13f05e897f6fc1df8bd131d8dd095d376

SHA512
ee63d16a640215798f25c191f39b4f8b34e6e9fdc6a0478e84f30352b0cfc148ceaa8564871dff2ef9c6e12c1632e09f37997674c1d519f9cfbcb25a5dc9c69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
C:\un.exe
Filesize
322KB

MD5
5770866edbb1a095d7edc981f37d9d53

SHA1
e067a008a709459a1732e0ab06de277501be076f

SHA256
e4e8ac5179f1dff784e64c0299a9c39917352a06806ebba2de15f8d129275367

SHA512
b88c6817ef6d4301d0a99866c884627fbeaf20aee65cbd3ac519cb1e8880147710cdb19e853b2bd8b712a31efc57040c189d198ef361c4c2e11f377c42deaed4

Download Submit
C:\un.exe
Filesize
322KB

MD5
5770866edbb1a095d7edc981f37d9d53

SHA1
e067a008a709459a1732e0ab06de277501be076f

SHA256
e4e8ac5179f1dff784e64c0299a9c39917352a06806ebba2de15f8d129275367

SHA512
b88c6817ef6d4301d0a99866c884627fbeaf20aee65cbd3ac519cb1e8880147710cdb19e853b2bd8b712a31efc57040c189d198ef361c4c2e11f377c42deaed4

Download Submit
\ProgramData\Program\qbcore.dll
Filesize
423KB

MD5
875e6e4d32ab07fb38e3b7e29c68d1c3

SHA1
1ea416a80630f82e1df234822715901d534f9f2d

SHA256
4702b25788318b9add0938ccdac3d6c186e002e1de6b195786ba1748b9eb96b0

SHA512
a7f96d061a3ca45160458b05b94cd2db652035186a14ce1b7b68bee04799d2e2794dcd1bd7205d35b05eea9fd2cab554fccf42da173eea5eee8c8b2f2cf94952

Download Submit
\ProgramData\Program\qmbrowser.exe
Filesize
604KB

MD5
2548136537413334725ff5fbea4cf976

SHA1
c53595dc7886520ec85568b1efea508da5461ec4

SHA256
429b88aae789c87087c213654531e0eaea18694de3897ae97b51eb484b02cbdc

SHA512
e796b79ba4747b9ced68b5879441b4f4d66fd42c0eca2499a6ab08428f465b813fb9691e498c907cdf6ef6bfdf7bc2c8e740c604d20ac961a729bc7fa2d25372

Download Submit
\ProgramData\Program\qmbrowser.exe
Filesize
604KB

MD5
2548136537413334725ff5fbea4cf976

SHA1
c53595dc7886520ec85568b1efea508da5461ec4

SHA256
429b88aae789c87087c213654531e0eaea18694de3897ae97b51eb484b02cbdc

SHA512
e796b79ba4747b9ced68b5879441b4f4d66fd42c0eca2499a6ab08428f465b813fb9691e498c907cdf6ef6bfdf7bc2c8e740c604d20ac961a729bc7fa2d25372

Download Submit
\ProgramData\Program\qmbrowser.exe
Filesize
604KB

MD5
2548136537413334725ff5fbea4cf976

SHA1
c53595dc7886520ec85568b1efea508da5461ec4

SHA256
429b88aae789c87087c213654531e0eaea18694de3897ae97b51eb484b02cbdc

SHA512
e796b79ba4747b9ced68b5879441b4f4d66fd42c0eca2499a6ab08428f465b813fb9691e498c907cdf6ef6bfdf7bc2c8e740c604d20ac961a729bc7fa2d25372

Download Submit
\ProgramData\Program\qmbrowser.exe
Filesize
604KB

MD5
2548136537413334725ff5fbea4cf976

SHA1
c53595dc7886520ec85568b1efea508da5461ec4

SHA256
429b88aae789c87087c213654531e0eaea18694de3897ae97b51eb484b02cbdc

SHA512
e796b79ba4747b9ced68b5879441b4f4d66fd42c0eca2499a6ab08428f465b813fb9691e498c907cdf6ef6bfdf7bc2c8e740c604d20ac961a729bc7fa2d25372

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
memory/1508-121-0x00000000742E0000-0x000000007436D000-memory.dmp

Filesize
564KB

Download
memory/1508-122-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/1984-112-0x00000000040A0000-0x00000000040B0000-memory.dmp

Filesize
64KB

Download
memory/1984-73-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/1984-128-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/2040-69-0x0000000002C00000-0x0000000002FCB000-memory.dmp

Filesize
3.8MB

Download
memory/2040-71-0x0000000002C00000-0x0000000002FCB000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads