35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16-08-2023 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
Size

11.6MB
MD5

e80bb093953204ca67fe2897ed524e7b
SHA1

1e5e6bac820babbab57c7ab6611d3ad9accf57e5
SHA256

35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733
SHA512

15d53b04db9e81deeb9a3c3cf1d90a88770242b48e193f0734596d9b8e8d743369c0769890994afe1feead550be8d9ee6528642d4e1bee4df3725b002dee468f
SSDEEP

196608:sj0qkAxQeY9kcv89RZ/NllFIIlWMEaYtbmVMnnjFNAzzTpwWpXCJfpX01tv:8Tc4RJNpIpMla1XMCeXCJWrv

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WindowsQyDriver\ImagePath = "\\??\\C:\\WindowsQyDriver.sys"	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe

Loads dropped DLL 1 IoCs

pid	Process
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 43 IoCs

pid	Process
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
2384	35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe

C:\Users\Admin\AppData\Local\Temp\35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe
"C:\Users\Admin\AppData\Local\Temp\35331e1ddb29781d8c360cc6b63d03d77bec3f32e7595e39223420f1dc882733.exe"
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259487398\....\TemporaryFile

Filesize
85KB

MD5
6e9cb02c4fb90ac76b11d01d5d5eb934

SHA1
8bb47cf2af65fdd55ee41f36a09dad9a7538f56e

SHA256
c3168a7240d56300cc8c4c72508a8249d36aab630429a0b26d742192fb6f0d35

SHA512
99284e63d148ef6552985185178ead5b264c04783648e65ea8c6eb78a1a4ad79de9898af22b5b0b0ea28ea5ab1b7599d521fcec25080e8f35939d08a2e8b8b50

Download Submit
\Users\Admin\AppData\Local\Temp\Qyuan.dll

Filesize
9.1MB

MD5
06872dc65c0733e9963a025323d80aab

SHA1
c8fe12974c61db5e57126502c304545f77c94f95

SHA256
9592ccce0348afb35e9b5fda72facd369fd2bce7dc333eaea2873abe92870502

SHA512
0264448dba8d3d57b634d59058029ce4bb0898ee4f36061b03612366253e9f601e0fc7e9890799592c17eda07265499f2059b8398179a3b691c23b14193d70fd

Download Submit
memory/2384-908-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-8759-0x0000000000400000-0x0000000000F9A000-memory.dmp

Filesize
11.6MB

Download
memory/2384-868-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-872-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-870-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-874-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-876-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-878-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-880-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-882-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-884-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-886-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-890-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-888-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-892-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-894-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-896-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-898-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-900-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-902-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-904-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-906-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-8773-0x0000000004430000-0x0000000005888000-memory.dmp

Filesize
20.3MB

Download
memory/2384-865-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-914-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-918-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-916-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-912-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-920-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-922-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-924-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-926-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-2601-0x00000000011B0000-0x00000000012B0000-memory.dmp

Filesize
1024KB

Download
memory/2384-2602-0x0000000002C70000-0x0000000002DF1000-memory.dmp

Filesize
1.5MB

Download
memory/2384-5564-0x00000000011B0000-0x00000000012B0000-memory.dmp

Filesize
1024KB

Download
memory/2384-8742-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-8743-0x0000000002E00000-0x0000000002F01000-memory.dmp

Filesize
1.0MB

Download
memory/2384-8744-0x0000000000FA0000-0x0000000001041000-memory.dmp

Filesize
644KB

Download
memory/2384-8747-0x0000000000400000-0x0000000000F9A000-memory.dmp

Filesize
11.6MB

Download
memory/2384-866-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-8757-0x0000000004430000-0x0000000005888000-memory.dmp

Filesize
20.3MB

Download
memory/2384-910-0x0000000002B30000-0x0000000002C41000-memory.dmp

Filesize
1.1MB

Download
memory/2384-8760-0x0000000004430000-0x0000000005888000-memory.dmp

Filesize
20.3MB

Download
memory/2384-55-0x0000000077520000-0x0000000077567000-memory.dmp

Filesize
284KB

Download
memory/2384-8772-0x0000000004430000-0x0000000005888000-memory.dmp

Filesize
20.3MB

Download
memory/2384-54-0x0000000000400000-0x0000000000F9A000-memory.dmp

Filesize
11.6MB

Download
memory/2384-8775-0x0000000000400000-0x0000000000F9A000-memory.dmp

Filesize
11.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads