7559e6ca8b77400f88bf4e67208a1c32570a670068eccae9e3d226cc5471bd47

Resubmissions

28-04-2024 18:31

240428-w6cwyaec5v 10

21-04-2024 08:57

21-04-2024 05:45

18-04-2024 19:05

18-04-2024 16:34

04-03-2024 18:33

02-03-2024 17:01

02-03-2024 10:05

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2023 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bazaar.2020.02/HEUR-Backdoor.Win32.exe
Size

43KB
MD5

f3cbdffbf6bfc26fe09f95e88b188c09
SHA1

e8feb8d7baa1290f591693f068cd6941cb9c878c
SHA256

1c659cbf8f73b2dd0ed8238595c225dbc1e87d5ea538c24a5d52faf0f4a49e7d
SHA512

bac9cc4ebde8e1133d8a332c327dcc72ef83f3457b3048899be3550c7d1c03c8c59d0ab82304def44793ac9fc91a193a018e6fbb256681b5baad366df4e8b3b3
SSDEEP

768:VrgeWGJaj2b2/K6/1CSGIKPlavRzY0nEs3UgLM6KLi0z1xxFopI:ybs4K6dyNPIvRMEEgCnxipI

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Stpxrq.exeStpxrq.exe

pid process

1552 Stpxrq.exe
3684 Stpxrq.exe

pid	process
1552	Stpxrq.exe
3684	Stpxrq.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Stpxrq.exe

description	ioc	process
File opened (read-only)	\??\G:	Stpxrq.exe
File opened (read-only)	\??\I:	Stpxrq.exe
File opened (read-only)	\??\L:	Stpxrq.exe
File opened (read-only)	\??\B:	Stpxrq.exe
File opened (read-only)	\??\H:	Stpxrq.exe
File opened (read-only)	\??\V:	Stpxrq.exe
File opened (read-only)	\??\W:	Stpxrq.exe
File opened (read-only)	\??\Y:	Stpxrq.exe
File opened (read-only)	\??\E:	Stpxrq.exe
File opened (read-only)	\??\J:	Stpxrq.exe
File opened (read-only)	\??\M:	Stpxrq.exe
File opened (read-only)	\??\N:	Stpxrq.exe
File opened (read-only)	\??\P:	Stpxrq.exe
File opened (read-only)	\??\Q:	Stpxrq.exe
File opened (read-only)	\??\S:	Stpxrq.exe
File opened (read-only)	\??\T:	Stpxrq.exe
File opened (read-only)	\??\U:	Stpxrq.exe
File opened (read-only)	\??\Z:	Stpxrq.exe
File opened (read-only)	\??\K:	Stpxrq.exe
File opened (read-only)	\??\O:	Stpxrq.exe
File opened (read-only)	\??\R:	Stpxrq.exe
File opened (read-only)	\??\X:	Stpxrq.exe

Creates a Windows Service
persistence

Drops file in System32 directory 12 IoCs

Processes:

Stpxrq.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	Stpxrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	Stpxrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	Stpxrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	Stpxrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_87A5D2A17D34E46FC933087294B7150D	Stpxrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	Stpxrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	Stpxrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	Stpxrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	Stpxrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	Stpxrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	Stpxrq.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_87A5D2A17D34E46FC933087294B7150D	Stpxrq.exe

Drops file in Program Files directory 2 IoCs

Processes:

HEUR-Backdoor.Win32.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Qizfbz\Stpxrq.exe	HEUR-Backdoor.Win32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Qizfbz\Stpxrq.exe	HEUR-Backdoor.Win32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Stpxrq.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Stpxrq.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Stpxrq.exe

Modifies data under HKEY_USERS 14 IoCs

Processes:

Stpxrq.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Stpxrq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Stpxrq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Stpxrq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Stpxrq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	Stpxrq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Stpxrq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Stpxrq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Stpxrq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Stpxrq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Stpxrq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	Stpxrq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	Stpxrq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Stpxrq.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Stpxrq.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Stpxrq.exe

pid process

3684 Stpxrq.exe
3684 Stpxrq.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

HEUR-Backdoor.Win32.exe

pid process

4340 HEUR-Backdoor.Win32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

HEUR-Backdoor.Win32.exe

description pid process

Token: SeDebugPrivilege 4340 HEUR-Backdoor.Win32.exe

pid	process
3684	Stpxrq.exe
3684	Stpxrq.exe

pid	process
4340	HEUR-Backdoor.Win32.exe

description	pid	process
Token: SeDebugPrivilege	4340	HEUR-Backdoor.Win32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Stpxrq.exe

description	pid	process	target process
PID 1552 wrote to memory of 3684	1552	Stpxrq.exe	Stpxrq.exe
PID 1552 wrote to memory of 3684	1552	Stpxrq.exe	Stpxrq.exe
PID 1552 wrote to memory of 3684	1552	Stpxrq.exe	Stpxrq.exe

C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Backdoor.Win32.exe
"C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Backdoor.Win32.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Program Files (x86)\Microsoft Qizfbz\Stpxrq.exe
"C:\Program Files (x86)\Microsoft Qizfbz\Stpxrq.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552

C:\Program Files (x86)\Microsoft Qizfbz\Stpxrq.exe
"C:\Program Files (x86)\Microsoft Qizfbz\Stpxrq.exe" Win7
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Qizfbz\Stpxrq.exe
Filesize
43KB

MD5
f3cbdffbf6bfc26fe09f95e88b188c09

SHA1
e8feb8d7baa1290f591693f068cd6941cb9c878c

SHA256
1c659cbf8f73b2dd0ed8238595c225dbc1e87d5ea538c24a5d52faf0f4a49e7d

SHA512
bac9cc4ebde8e1133d8a332c327dcc72ef83f3457b3048899be3550c7d1c03c8c59d0ab82304def44793ac9fc91a193a018e6fbb256681b5baad366df4e8b3b3

Download Submit
C:\Program Files (x86)\Microsoft Qizfbz\Stpxrq.exe
Filesize
43KB

MD5
f3cbdffbf6bfc26fe09f95e88b188c09

SHA1
e8feb8d7baa1290f591693f068cd6941cb9c878c

SHA256
1c659cbf8f73b2dd0ed8238595c225dbc1e87d5ea538c24a5d52faf0f4a49e7d

SHA512
bac9cc4ebde8e1133d8a332c327dcc72ef83f3457b3048899be3550c7d1c03c8c59d0ab82304def44793ac9fc91a193a018e6fbb256681b5baad366df4e8b3b3

Download Submit
C:\Program Files (x86)\Microsoft Qizfbz\Stpxrq.exe
Filesize
43KB

MD5
f3cbdffbf6bfc26fe09f95e88b188c09

SHA1
e8feb8d7baa1290f591693f068cd6941cb9c878c

SHA256
1c659cbf8f73b2dd0ed8238595c225dbc1e87d5ea538c24a5d52faf0f4a49e7d

SHA512
bac9cc4ebde8e1133d8a332c327dcc72ef83f3457b3048899be3550c7d1c03c8c59d0ab82304def44793ac9fc91a193a018e6fbb256681b5baad366df4e8b3b3

Download Submit