e5b0895524a4f081d1df8dfd7fd639e8bc90c45ad7372e558b176d7e1f528808

General

Target

Impunctual.exe
Size

493KB
MD5

2f0cf25525b6a76143fa33593fd25817
SHA1

3b8f11af87a78fb2934cf86eaca91f3716cdf25f
SHA256

ac3caadfd56d2d2a3df17506a017f80163a3f4f20cee0966854b1d36440e3474
SHA512

a07d67b4f0cc76dc5e68d21e1c9c9e027f1d2d2084dae43a02a655b269baf5f5d0d7ceaf5115012fa33e687ede494050e11181817a90d75e6f49aec7c50b516f
SSDEEP

12288:Kwc+QuYKa2iRnvwKcqc71eaI8YCAv+AVRUj0DgUDssb:KWaw137HImGR4y1

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
16	1660	cscript.exe
17	1660	cscript.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Impunctual.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Impunctual.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Control Panel\International\Geo\Nation	Impunctual.exe

Loads dropped DLL 2 IoCs

pid	Process
1524	Impunctual.exe
1660	cscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2596	Impunctual.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1524	Impunctual.exe
2596	Impunctual.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1524 set thread context of 2596	1524	Impunctual.exe	30
PID 2596 set thread context of 1264	2596	Impunctual.exe	22
PID 2596 set thread context of 1660	2596	Impunctual.exe	34
PID 1660 set thread context of 1264	1660	cscript.exe	22

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-607259312-1573743425-2763420908-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cscript.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2596	Impunctual.exe
2596	Impunctual.exe
2596	Impunctual.exe
2596	Impunctual.exe
2596	Impunctual.exe
2596	Impunctual.exe
2596	Impunctual.exe
2596	Impunctual.exe
1660	cscript.exe
1660	cscript.exe
1660	cscript.exe
1660	cscript.exe
1660	cscript.exe
1660	cscript.exe
1660	cscript.exe
1660	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1264	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1524	Impunctual.exe
2596	Impunctual.exe
1264	Explorer.EXE
1264	Explorer.EXE
1660	cscript.exe
1660	cscript.exe
1660	cscript.exe
1660	cscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	Impunctual.exe
Token: SeDebugPrivilege	1660	cscript.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 2596	1524	Impunctual.exe	30
PID 1524 wrote to memory of 2596	1524	Impunctual.exe	30
PID 1524 wrote to memory of 2596	1524	Impunctual.exe	30
PID 1524 wrote to memory of 2596	1524	Impunctual.exe	30
PID 1524 wrote to memory of 2596	1524	Impunctual.exe	30
PID 1524 wrote to memory of 2596	1524	Impunctual.exe	30
PID 1264 wrote to memory of 1660	1264	Explorer.EXE	34
PID 1264 wrote to memory of 1660	1264	Explorer.EXE	34
PID 1264 wrote to memory of 1660	1264	Explorer.EXE	34
PID 1264 wrote to memory of 1660	1264	Explorer.EXE	34
PID 1660 wrote to memory of 2260	1660	cscript.exe	35
PID 1660 wrote to memory of 2260	1660	cscript.exe	35
PID 1660 wrote to memory of 2260	1660	cscript.exe	35
PID 1660 wrote to memory of 2260	1660	cscript.exe	35
PID 1660 wrote to memory of 2260	1660	cscript.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\Impunctual.exe
  "C:\Users\Admin\AppData\Local\Temp\Impunctual.exe"
  2⤵
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Users\Admin\AppData\Local\Temp\Impunctual.exe
    "C:\Users\Admin\AppData\Local\Temp\Impunctual.exe"
    3⤵
    - Checks QEMU agent file
    - Checks computer location settings
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1856
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\600hprlh.zip

Filesize
557KB

MD5
d113a47c6ac162a76d78c817aeb57755

SHA1
f301cea25c2032dd67ffbd21242b209f0ee70ee2

SHA256
bae32df8fa24a3e55bcc1591e09918259173f870090e2ae775509edb8b893eb4

SHA512
ba64e248ee75fa43cae60c1e0815c512f89eabc140b35aa696d428a3f5d328db04981c0f500b78211bbfd9087ba678328c8ad63ac51249062900693a1d399178

Download Submit
\Users\Admin\AppData\Local\Temp\nso3841.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
1.1MB

MD5
f55e5766477de5997da50f12c9c74c91

SHA1
4dc98900a887be95411f07b9e597c57bdc7dbab3

SHA256
90be88984ee60864256378c952d44b13d55ac032ab6a7b8c698885176bcece69

SHA512
983417a297e68b58fbd1c07fed7a1697d249110a2c10644b2dc96e3facedd3fbfbcac6a7809631ffd62894f02cadd4d3e62022b9e5e026e5bf434f1eb1878f05

Download Submit
memory/1264-67-0x0000000006B50000-0x0000000006C45000-memory.dmp

Filesize
980KB

Download
memory/1264-71-0x0000000006B50000-0x0000000006C45000-memory.dmp

Filesize
980KB

Download
memory/1264-69-0x000007FEF25C0000-0x000007FEF25CA000-memory.dmp

Filesize
40KB

Download
memory/1264-68-0x000007FEF6490000-0x000007FEF65D3000-memory.dmp

Filesize
1.3MB

Download
memory/1264-66-0x0000000006B50000-0x0000000006C45000-memory.dmp

Filesize
980KB

Download
memory/1264-62-0x000007FEF6490000-0x000007FEF65D3000-memory.dmp

Filesize
1.3MB

Download
memory/1264-63-0x000007FEF25C0000-0x000007FEF25CA000-memory.dmp

Filesize
40KB

Download
memory/1524-13-0x0000000075270000-0x0000000075276000-memory.dmp

Filesize
24KB

Download
memory/1524-12-0x0000000077B80000-0x0000000077C56000-memory.dmp

Filesize
856KB

Download
memory/1524-11-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/1660-58-0x0000000001F50000-0x0000000002253000-memory.dmp

Filesize
3.0MB

Download
memory/1660-64-0x0000000001D20000-0x0000000001DBE000-memory.dmp

Filesize
632KB

Download
memory/1660-113-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1660-55-0x0000000000070000-0x00000000000A6000-memory.dmp

Filesize
216KB

Download
memory/1660-56-0x0000000000070000-0x00000000000A6000-memory.dmp

Filesize
216KB

Download
memory/1660-111-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1660-59-0x0000000000070000-0x00000000000A6000-memory.dmp

Filesize
216KB

Download
memory/1660-70-0x0000000001D20000-0x0000000001DBE000-memory.dmp

Filesize
632KB

Download
memory/1660-65-0x0000000000070000-0x00000000000A6000-memory.dmp

Filesize
216KB

Download
memory/2596-40-0x0000000001470000-0x00000000072A4000-memory.dmp

Filesize
94.2MB

Download
memory/2596-44-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2596-52-0x00000000000C0000-0x00000000000DF000-memory.dmp

Filesize
124KB

Download
memory/2596-60-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2596-42-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2596-41-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2596-43-0x0000000037640000-0x0000000037943000-memory.dmp

Filesize
3.0MB

Download
memory/2596-39-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2596-15-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2596-16-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/2596-57-0x0000000001470000-0x00000000072A4000-memory.dmp

Filesize
94.2MB

Download
memory/2596-14-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2596-51-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/2596-53-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads