Analysis
- max time kernel: 90s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-06-2023 07:34

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2023.exe
- Resource: win7-20230220-en
General
- Target: 2023.exe
- Size: 3.9MB
- MD5: 90f8859e4d97b25d28f6c1085fc80f53
- SHA1: 64c1230a9038e8bd66c93e4e0b321336e25bd6cf
- SHA256: f592c546afc7a069ecb3a721c4c7892c7c70b39bec5148b1528d06c2fc001844
- SHA512: 4770a269e6afa24d9b43e99a5bb28855ba87c93f5b593e585dd0d7348f43891004cadfce992cf1c87b4d2783e5295f96f4469fc6f7eddb00ab80d296e136b93d
- SSDEEP: 98304:O06FOznLo0+Dd6uxcQ9hGPRa/9knyPnuSLlhJS9da+z:O3F6n80W6uGQzb9knyPuMlhJm9z
Malware Config

Signatures

- YARA rule matches
  Processes:
  - resource C:\ProgramData\Program\qbcore.dll: yara_rule aspack_v212_v242
  - resource C:\ProgramData\Program\qbcore.dll: yara_rule aspack_v212_v242

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (2023.exe, irsetup.exe):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation (process: 2023.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation (process: irsetup.exe)

- Executes dropped EXE (3 IoCs)
  Processes (irsetup.exe, un.exe, qmbrowser.exe):
  - pid 1120: irsetup.exe
  - pid 4696: un.exe
  - pid 632: qmbrowser.exe

- Loads dropped DLL (2 IoCs)
  Processes (irsetup.exe, qmbrowser.exe):
  - pid 1120: irsetup.exe
  - pid 632: qmbrowser.exe

- YARA rule matches
  Processes:
  - resource C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe: yara_rule upx
  - resource C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe: yara_rule upx
  - resource C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe: yara_rule upx
  - resource behavioral2/memory/1120-167-0x0000000000400000-0x00000000007CB000-memory.dmp: yara_rule upx
  - resource behavioral2/memory/1120-201-0x0000000000400000-0x00000000007CB000-memory.dmp: yara_rule upx

- Drops file in Program Files directory (4 IoCs)
  Processes (irsetup.exe):
  - File opened for modification: C:\Program Files (x86)\测试产品名\203429-1618835669941d.jpg (process: irsetup.exe)
  - File created: C:\Program Files (x86)\测试产品名\203429-1618835669941d.jpg (process: irsetup.exe)
  - File created: C:\Program Files (x86)\测试产品名\001536-1684426536a917.jpg (process: irsetup.exe)
  - File opened for modification: C:\Program Files (x86)\测试产品名\001536-1684426536a917.jpg (process: irsetup.exe)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (2 IoCs)
  Processes (WerFault.exe, WerFault.exe):
  - pid 4960, pid_target 632: WerFault.exe (target process: qmbrowser.exe)
  - pid 4844, pid_target 632: WerFault.exe (target process: qmbrowser.exe)

- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (irsetup.exe, un.exe):
  - pid 1120: irsetup.exe
  - pid 1120: irsetup.exe
  - pid 1120: irsetup.exe
  - pid 4696: un.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (2023.exe, irsetup.exe):
  - PID 1908 wrote to memory of 1120 (pid 1908, process 2023.exe, target process irsetup.exe)
  - PID 1908 wrote to memory of 1120 (pid 1908, process 2023.exe, target process irsetup.exe)
  - PID 1908 wrote to memory of 1120 (pid 1908, process 2023.exe, target process irsetup.exe)
  - PID 1120 wrote to memory of 4696 (pid 1120, process irsetup.exe, target process un.exe)
  - PID 1120 wrote to memory of 4696 (pid 1120, process irsetup.exe, target process un.exe)
  - PID 1120 wrote to memory of 632 (pid 1120, process irsetup.exe, target process qmbrowser.exe)
  - PID 1120 wrote to memory of 632 (pid 1120, process irsetup.exe, target process qmbrowser.exe)
  - PID 1120 wrote to memory of 632 (pid 1120, process irsetup.exe, target process qmbrowser.exe)
Processes

- C:\Users\Admin\AppData\Local\Temp\2023.exe (PID 1908, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2023.exe"
  Signatures:
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe (PID 1120, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\2023.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-1013461898-3711306144-4198452673-1000"
    Signatures:
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\un.exe (PID 4696, depth 3)
      Command line: "C:\un.exe" x -o+ -pby2022 "C:\ProgramData\data\upx.rar" qbcore.dll qmbrowser.exe WCG.psd "C:\ProgramData\Program\"
      Signatures:
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    - C:\ProgramData\Program\qmbrowser.exe (PID 632, depth 3)
      Command line: "C:\ProgramData\Program\qmbrowser.exe"
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      Children:
      - C:\Windows\SysWOW64\WerFault.exe (PID 4960, depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 452
        Signatures:
        - Program crash
      - C:\Windows\SysWOW64\WerFault.exe (PID 4844, depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 472
        Signatures:
        - Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 4876, depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 632 -ip 632

- C:\Windows\SysWOW64\WerFault.exe (PID 4180, depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 632 -ip 632
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\ProgramData\Program\qbcore.dll
  Filesize: 423KB
  MD5: 875e6e4d32ab07fb38e3b7e29c68d1c3
  SHA1: 1ea416a80630f82e1df234822715901d534f9f2d
  SHA256: 4702b25788318b9add0938ccdac3d6c186e002e1de6b195786ba1748b9eb96b0
  SHA512: a7f96d061a3ca45160458b05b94cd2db652035186a14ce1b7b68bee04799d2e2794dcd1bd7205d35b05eea9fd2cab554fccf42da173eea5eee8c8b2f2cf94952
- C:\ProgramData\Program\qmbrowser.exe
  Filesize: 604KB
  MD5: 2548136537413334725ff5fbea4cf976
  SHA1: c53595dc7886520ec85568b1efea508da5461ec4
  SHA256: 429b88aae789c87087c213654531e0eaea18694de3897ae97b51eb484b02cbdc
  SHA512: e796b79ba4747b9ced68b5879441b4f4d66fd42c0eca2499a6ab08428f465b813fb9691e498c907cdf6ef6bfdf7bc2c8e740c604d20ac961a729bc7fa2d25372
- C:\ProgramData\data\upx.rar
  Filesize: 985KB
  MD5: 8bad863f1d62c4e51991067a121320f1
  SHA1: ae3ec30067dfb66c390e3be6da7f0db663ef28a0
  SHA256: 29f379d1083d74aa12475092ac8bd5d13f05e897f6fc1df8bd131d8dd095d376
  SHA512: ee63d16a640215798f25c191f39b4f8b34e6e9fdc6a0478e84f30352b0cfc148ceaa8564871dff2ef9c6e12c1632e09f37997674c1d519f9cfbcb25a5dc9c69d
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  Filesize: 1.3MB
  MD5: dec931e86140139380ea0df57cd132b6
  SHA1: b717fd548382064189c16cb94dda28b1967a5712
  SHA256: 5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9
  SHA512: 14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
  Filesize: 318KB
  MD5: b5fc476c1bf08d5161346cc7dd4cb0ba
  SHA1: 280fac9cf711d93c95f6b80ac97d89cf5853c096
  SHA256: 12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650
  SHA512: 17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697
- C:\un.exe
  Filesize: 322KB
  MD5: 5770866edbb1a095d7edc981f37d9d53
  SHA1: e067a008a709459a1732e0ab06de277501be076f
  SHA256: e4e8ac5179f1dff784e64c0299a9c39917352a06806ebba2de15f8d129275367
  SHA512: b88c6817ef6d4301d0a99866c884627fbeaf20aee65cbd3ac519cb1e8880147710cdb19e853b2bd8b712a31efc57040c189d198ef361c4c2e11f377c42deaed4
- memory/632-194-0x0000000073030000-0x00000000730BD000-memory.dmp
  Filesize: 564KB

- memory/632-195-0x0000000002BB0000-0x0000000002C10000-memory.dmp
  Filesize: 384KB

- memory/1120-167-0x0000000000400000-0x00000000007CB000-memory.dmp
  Filesize: 3.8MB

- memory/1120-201-0x0000000000400000-0x00000000007CB000-memory.dmp
  Filesize: 3.8MB