Analysis

Max time kernel: 149s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20230703-en
Resource tags: arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
Submitted: 13-07-2023 14:38
Behavioral task behavioral1
Sample: VSWQBBUITB.dll
Resource: win7-20230712-en

Behavioral task behavioral2
Sample: VSWQBBUITB.dll
Resource: win10v2004-20230703-en

Behavioral task behavioral3
Sample: qDu.u.exe
Resource: win7-20230712-en
General

Target: qDu.u.exe
Size: 889KB
MD5: 03c469798bf1827d989f09f346ce95f7
SHA1: 05e491bc1b8fbfbfdca24b565f2464137f30691e
SHA256: de87c8713fac002b0b0a0f9b02c4e3ebcccf65282a22f5ab5912a9da00f35c2a
SHA512: d95aed75dd7b2470d4e5052b4b494ad9efbb9eee42c63cf0b38f1d0275ff7b1bb8ee4cbc69d1bb219dbbf33ad3b01cea97f87fa8fe69be7f943aa4417a603238
SSDEEP: 24576:mjSsPIqS9jL0rJ3n770E9d8qTtE4n4CucuH:GzyH0ZOqTGQ4CDu
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs  1 IoC
  description   ioc                                           Process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   qDu.u.exe

Checks BIOS information in registry  2 TTPs  2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description         ioc                                                               Process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   qDu.u.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    qDu.u.exe

Loads dropped DLL  1 IoC
  pid    Process
  2288   qDu.u.exe

Reads user/profile data of web browsers  2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.

Yara rule match: themida  22 IoCs
  resource                                                                      yara_rule
  behavioral4/memory/2288-N-0x0000000004A80000-0x00000000067C3000-memory.dmp    themida
  The same memory region 0x0000000004A80000-0x00000000067C3000 of PID 2288 matched the themida rule in dumps N = 137 to 144, 168, 171, 174 and 180 to 190.

Checks whether UAC is enabled  1 IoC
  description         ioc                                                                                  Process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   qDu.u.exe

Looks up external IP address via web service  1 IoC
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  30     ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger  1 IoC
  pid    Process
  2288   qDu.u.exe

Modifies Internet Explorer settings  3 IoCs
  description       ioc                                                                                                                                 Process
  Set value (str)   \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use FormSuggest = "No"          qDu.u.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FormSuggest Passwords = "No"    qDu.u.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FormSuggest PW Ask = "No"       qDu.u.exe

Script User-Agent  1 IoC
  Uses user-agent string associated with script host/environment.
  description               flow   ioc
  HTTP User-Agent header    51     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener  1 IoC
  pid    Process
  2288   qDu.u.exe

Suspicious behavior: EnumeratesProcesses  46 IoCs
  pid    Process
  2288   qDu.u.exe   (all 46 entries are PID 2288, qDu.u.exe)

Suspicious use of FindShellTrayWindow  4 IoCs
  pid    Process
  2288   qDu.u.exe   (all 4 entries are PID 2288, qDu.u.exe)

Suspicious use of SendNotifyMessage  3 IoCs
  pid    Process
  2288   qDu.u.exe   (all 3 entries are PID 2288, qDu.u.exe)
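The registry and network IoCs above are the raw material for host- and proxy-side detection. The following is an added example, not part of the sandbox report or of any sandbox's own rule set: a small rule engine that maps events of the kind listed under Signatures onto the same behaviour categories. The event record layout (op, path, data, host, user_agent, process) is this example's own assumption, not an export format; the paths, the SID, the process name, the ipinfo.io host and the WinHttpRequest user-agent are copied from the report, while the benign control rows and the user-agent attached to the ipinfo.io request are constructed here. The rules also generalise slightly beyond what the report shows (the FADT and RSDT ACPI tables that VirtualBox tags VBOX__, SystemBiosDate beside the two BIOS values, and two other common IP-lookup hosts).

```python
"""Added example: rule-based classification of sandbox-style events into the
behaviour categories used by the report above. Not the sandbox's own code."""
import re
from collections import defaultdict

# Constructed events modelled on the report's IoCs. The record shape is an
# assumption of this example; the three rows at the end are benign controls.
SID = r"S-1-5-21-618519468-4027732583-1827558364-1000"
IE_MAIN = r"\REGISTRY\USER\%s\SOFTWARE\Microsoft\Internet Explorer\Main" % SID
EVENTS = [
    {"op": "key_opened", "path": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "process": "qDu.u.exe"},
    {"op": "value_queried", "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "process": "qDu.u.exe"},
    {"op": "value_queried", "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "process": "qDu.u.exe"},
    {"op": "value_queried", "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "process": "qDu.u.exe"},
    {"op": "value_set", "path": IE_MAIN + r"\Use FormSuggest", "data": "No", "process": "qDu.u.exe"},
    {"op": "value_set", "path": IE_MAIN + r"\FormSuggest Passwords", "data": "No", "process": "qDu.u.exe"},
    {"op": "value_set", "path": IE_MAIN + r"\FormSuggest PW Ask", "data": "No", "process": "qDu.u.exe"},
    # The user-agent on this request is constructed; the report lists the host and the UA as separate flows.
    {"op": "http_request", "host": "ipinfo.io", "user_agent": "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)", "process": "qDu.u.exe"},
    # Benign controls (constructed): none of these should fire a rule.
    {"op": "value_queried", "path": r"\REGISTRY\USER\%s\SOFTWARE\Contoso\Editor\Theme" % SID, "process": "notepad.exe"},
    {"op": "value_set", "path": IE_MAIN + r"\Use FormSuggest", "data": "Yes", "process": "explorer.exe"},
    {"op": "http_request", "host": "www.example.com", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "process": "msedge.exe"},
]

# (signature name, operations it applies to, event field to inspect, pattern).
# Registry paths are case-insensitive on Windows, hence re.IGNORECASE.
# FADT/RSDT, SystemBiosDate and the extra IP-lookup hosts go beyond the report.
RULES = [
    ("anti_vm_virtualbox_acpi", {"key_opened", "value_queried"}, "path",
     r"^\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    ("bios_info_check", {"value_queried"}, "path",
     r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$"),
    ("uac_enabled_check", {"value_queried"}, "path",
     r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$"),
    ("ie_formsuggest_disabled", {"value_set"}, "path",
     r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\(Use FormSuggest|FormSuggest Passwords|FormSuggest PW Ask)$"),
    ("external_ip_lookup", {"http_request"}, "host",
     r"^(ipinfo\.io|api\.ipify\.org|icanhazip\.com)$"),
    ("script_user_agent", {"http_request"}, "user_agent",
     r"WinHttp\.WinHttpRequest\.\d"),
]
COMPILED = [(n, ops, f, re.compile(p, re.IGNORECASE)) for n, ops, f, p in RULES]
FIELD_OF = {n: f for n, _, f, _ in RULES}
EVASION = {"anti_vm_virtualbox_acpi", "bios_info_check", "uac_enabled_check"}


def classify(event):
    """Names of every rule the event satisfies, in rule order (empty if none)."""
    hits = []
    for name, ops, field, pattern in COMPILED:
        if event["op"] not in ops or not pattern.search(event.get(field, "")):
            continue
        # Turning autocomplete off is the suspicious direction; writing "Yes" is not.
        if name == "ie_formsuggest_disabled" and str(event.get("data", "")).lower() != "no":
            continue
        hits.append(name)
    return hits


def summarize(events):
    """Group (process, matched value) pairs by signature, like the report's IoC tables."""
    out = defaultdict(list)
    for ev in events:
        for name in classify(ev):
            out[name].append((ev["process"], ev[FIELD_OF[name]]))
    return dict(out)


def anti_analysis_processes(events, threshold=2):
    """Processes that trip at least `threshold` distinct evasion-style rules."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["process"]].update(n for n in classify(ev) if n in EVASION)
    return sorted(p for p, names in seen.items() if len(names) >= threshold)


if __name__ == "__main__":
    for name, hits in summarize(EVENTS).items():
        print("%s  %d IoC(s)" % (name, len(hits)))
        for proc, value in hits:
            print("  %-12s %s" % (proc, value))
    print("anti-analysis candidates:", anti_analysis_processes(EVENTS))
```

The single-rule hits (one BIOS read, one EnableLUA query) are weak on their own, which is why `anti_analysis_processes` only surfaces a process once several distinct evasion checks stack up, as they do for PID 2288 here. Tune `threshold` and the evasion set to the telemetry you actually have (Sysmon event ID 12/13 for the registry rules, proxy logs for the HTTP ones).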
Processes
-
C:\Users\Admin\AppData\Local\Temp\qDu.u.exe  (PID 2288)
Command line: "C:\Users\Admin\AppData\Local\Temp\qDu.u.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 8KB
MD5: d8f4ab8284f0fda871d6834e24bc6f37
SHA1: 641948e44a1dcfd0ef68910768eb4b1ea6b49d10
SHA256: c09d0790e550694350b94ca6b077c54f983c135fab8990df5a75462804150912
SHA512: f65a916041846718306567d33273c3d0f41e0b26589cf6db46ec6c788ba0d87a708c94979d3bd0609142badca9e7129690b92169a07dcf7cd8c66698827d2fa0