Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-07-2023 14:38

General

  • Target

    qDu.u.exe

  • Size

    889KB

  • MD5

    03c469798bf1827d989f09f346ce95f7

  • SHA1

    05e491bc1b8fbfbfdca24b565f2464137f30691e

  • SHA256

    de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a

  • SHA512

    d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238

  • SSDEEP

    24576:mjSsPIqS9jL0rJ3n770E9d8qTtE4n4CucuH:GzyH0ZOqTGQ4CDu

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 22 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\qDu.u.exe
    "C:\Users\Admin\AppData\Local\Temp\qDu.u.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2288

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\41f820bc.dll

    Filesize

    8KB

    MD5

    d8f4ab8284f0fda871d6834e24bc6f37

    SHA1

    641948e44a1dcfd0ef68910768eb4b1ea6b49d10

    SHA256

    c09d0790e550694350b94ca6b077c54f983c135fab8990df5a75462804150912

    SHA512

    f65a916041846718306567d33273c3d0f41e0b26589cf6db46ec6c788ba0d87a708c94979d3bd0609142badca9e7129690b92169a07dcf7cd8c66698827d2fa0

  • memory/2288-168-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-136-0x0000000077DA4000-0x0000000077DA6000-memory.dmp

    Filesize

    8KB

  • memory/2288-169-0x0000000076920000-0x0000000076A10000-memory.dmp

    Filesize

    960KB

  • memory/2288-137-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-138-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-139-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-140-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-141-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-142-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-143-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-144-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-146-0x0000000061E00000-0x0000000061EC1000-memory.dmp

    Filesize

    772KB

  • memory/2288-134-0x0000000076920000-0x0000000076A10000-memory.dmp

    Filesize

    960KB

  • memory/2288-133-0x0000000076920000-0x0000000076A10000-memory.dmp

    Filesize

    960KB

  • memory/2288-190-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-135-0x0000000076920000-0x0000000076A10000-memory.dmp

    Filesize

    960KB

  • memory/2288-171-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-172-0x0000000076920000-0x0000000076A10000-memory.dmp

    Filesize

    960KB

  • memory/2288-174-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-180-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-181-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-182-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-183-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-184-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-185-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-186-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-187-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-188-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-189-0x0000000004A80000-0x00000000067C3000-memory.dmp

    Filesize

    29.3MB

  • memory/2288-170-0x0000000076920000-0x0000000076A10000-memory.dmp

    Filesize

    960KB