53f8211db510203634da93d5f2616ead5784031d1fd9d1ad245e25719fa974a9

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SCAN DOCUMENTS.exe
Size

392KB
MD5

68fa6c054b7a55d1943b2449ff295dab
SHA1

9e58a4e2c460ad9454a1ab0b5839bbb20dd34fe5
SHA256

53f8211db510203634da93d5f2616ead5784031d1fd9d1ad245e25719fa974a9
SHA512

0983329d8e2e1a4f18659b2d3bb4333fff56e657e91c298a0571963486d92ee9ae88e0aedf297f8f359abd7f1ebdf9e322d1a39c3d0e539970f101f1f3cc9c6f
SSDEEP

12288:BnPdwRimRrvKyHLy+xm3wGRiagRIlbSGx:9PdwRHRjKyrdoDqux

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	apqfulp.exe

Executes dropped EXE 2 IoCs

pid	Process
3080	apqfulp.exe
2444	apqfulp.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3080 set thread context of 2444	3080	apqfulp.exe	87
PID 2444 set thread context of 3112	2444	apqfulp.exe	45
PID 2444 set thread context of 4680	2444	apqfulp.exe	99
PID 4680 set thread context of 3112	4680	control.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2444	apqfulp.exe
2444	apqfulp.exe
2444	apqfulp.exe
2444	apqfulp.exe
2444	apqfulp.exe
2444	apqfulp.exe
2444	apqfulp.exe
2444	apqfulp.exe
2444	apqfulp.exe
2444	apqfulp.exe
2444	apqfulp.exe
2444	apqfulp.exe
2444	apqfulp.exe
2444	apqfulp.exe
2444	apqfulp.exe
2444	apqfulp.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3112	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
3080	apqfulp.exe
2444	apqfulp.exe
3112	Explorer.EXE
3112	Explorer.EXE
4680	control.exe
4680	control.exe
4680	control.exe
4680	control.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	apqfulp.exe
Token: SeDebugPrivilege	4680	control.exe
Token: SeShutdownPrivilege	3112	Explorer.EXE
Token: SeCreatePagefilePrivilege	3112	Explorer.EXE
Token: SeShutdownPrivilege	3112	Explorer.EXE
Token: SeCreatePagefilePrivilege	3112	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3112	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 3080	3204	SCAN DOCUMENTS.exe	86
PID 3204 wrote to memory of 3080	3204	SCAN DOCUMENTS.exe	86
PID 3204 wrote to memory of 3080	3204	SCAN DOCUMENTS.exe	86
PID 3080 wrote to memory of 2444	3080	apqfulp.exe	87
PID 3080 wrote to memory of 2444	3080	apqfulp.exe	87
PID 3080 wrote to memory of 2444	3080	apqfulp.exe	87
PID 3080 wrote to memory of 2444	3080	apqfulp.exe	87
PID 3112 wrote to memory of 4680	3112	Explorer.EXE	99
PID 3112 wrote to memory of 4680	3112	Explorer.EXE	99
PID 3112 wrote to memory of 4680	3112	Explorer.EXE	99
PID 4680 wrote to memory of 3408	4680	control.exe	100
PID 4680 wrote to memory of 3408	4680	control.exe	100
PID 4680 wrote to memory of 3408	4680	control.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Users\Admin\AppData\Local\Temp\SCAN DOCUMENTS.exe
  "C:\Users\Admin\AppData\Local\Temp\SCAN DOCUMENTS.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Users\Admin\AppData\Local\Temp\apqfulp.exe
    "C:\Users\Admin\AppData\Local\Temp\apqfulp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Users\Admin\AppData\Local\Temp\apqfulp.exe
      "C:\Users\Admin\AppData\Local\Temp\apqfulp.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2444
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\apqfulp.exe

Filesize
226KB

MD5
27a5fe27f07c429f9b25b17dbafead34

SHA1
2b30df643ef7472ef9b2c48d36b06bb6060969a9

SHA256
c7101e1f8f5d21e5371bcbbec68c24be274b206ac727ddaf721155c28cf1c93b

SHA512
071f67b6611842c33ba95c548ce4dcf006c95c1333228879fe4c15e05d5c68df4835a33289aa1a2adec75a6b918d3a052e37cefa65d129447e8420b19fab810e

Download Submit
C:\Users\Admin\AppData\Local\Temp\apqfulp.exe

Filesize
226KB

MD5
27a5fe27f07c429f9b25b17dbafead34

SHA1
2b30df643ef7472ef9b2c48d36b06bb6060969a9

SHA256
c7101e1f8f5d21e5371bcbbec68c24be274b206ac727ddaf721155c28cf1c93b

SHA512
071f67b6611842c33ba95c548ce4dcf006c95c1333228879fe4c15e05d5c68df4835a33289aa1a2adec75a6b918d3a052e37cefa65d129447e8420b19fab810e

Download Submit
C:\Users\Admin\AppData\Local\Temp\apqfulp.exe

Filesize
226KB

MD5
27a5fe27f07c429f9b25b17dbafead34

SHA1
2b30df643ef7472ef9b2c48d36b06bb6060969a9

SHA256
c7101e1f8f5d21e5371bcbbec68c24be274b206ac727ddaf721155c28cf1c93b

SHA512
071f67b6611842c33ba95c548ce4dcf006c95c1333228879fe4c15e05d5c68df4835a33289aa1a2adec75a6b918d3a052e37cefa65d129447e8420b19fab810e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhirt.clk

Filesize
249KB

MD5
9b801df78a3277bde6d1311df2347bf6

SHA1
49b4224f0e22809b9669b9fe4114474babfe0036

SHA256
1bde362545c83da9d2227cadd99666e99decdc91a6918a0b6ae14ed952c1a332

SHA512
ec501296a7aa12ec334a9a1b64f2222983e76c3c2aebb5497bee04147eda31fa4f220e527beb72c246bdd3fd3a057385ba118194e7ecb45cc8aee41b3745c4b1

Download Submit
memory/2444-10-0x00000000011F0000-0x000000000153A000-memory.dmp

Filesize
3.3MB

Download
memory/2444-7-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2444-18-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2444-11-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2444-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2444-12-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2444-14-0x0000000000F10000-0x0000000000F2B000-memory.dmp

Filesize
108KB

Download
memory/2444-19-0x0000000000F10000-0x0000000000F2B000-memory.dmp

Filesize
108KB

Download
memory/3080-5-0x0000000000DE0000-0x0000000000DE2000-memory.dmp

Filesize
8KB

Download
memory/3112-51-0x0000000003450000-0x0000000003460000-memory.dmp

Filesize
64KB

Download
memory/3112-46-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-70-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-66-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-69-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-22-0x000000000D790000-0x000000000E91A000-memory.dmp

Filesize
17.5MB

Download
memory/3112-67-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-24-0x0000000008CE0000-0x0000000008DB1000-memory.dmp

Filesize
836KB

Download
memory/3112-25-0x0000000008CE0000-0x0000000008DB1000-memory.dmp

Filesize
836KB

Download
memory/3112-63-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-64-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-29-0x0000000008CE0000-0x0000000008DB1000-memory.dmp

Filesize
836KB

Download
memory/3112-35-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-36-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-37-0x00000000032C0000-0x00000000032D0000-memory.dmp

Filesize
64KB

Download
memory/3112-38-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-39-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-40-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-41-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-42-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-44-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-65-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-47-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-48-0x0000000003450000-0x0000000003460000-memory.dmp

Filesize
64KB

Download
memory/3112-49-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-50-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-15-0x000000000D790000-0x000000000E91A000-memory.dmp

Filesize
17.5MB

Download
memory/3112-52-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-54-0x00000000032C0000-0x00000000032D0000-memory.dmp

Filesize
64KB

Download
memory/3112-53-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-56-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-58-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-60-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-61-0x0000000003220000-0x0000000003230000-memory.dmp

Filesize
64KB

Download
memory/3112-62-0x0000000003450000-0x0000000003460000-memory.dmp

Filesize
64KB

Download
memory/4680-17-0x0000000000840000-0x0000000000876000-memory.dmp

Filesize
216KB

Download
memory/4680-27-0x0000000002620000-0x00000000026BA000-memory.dmp

Filesize
616KB

Download
memory/4680-26-0x0000000000840000-0x0000000000876000-memory.dmp

Filesize
216KB

Download
memory/4680-23-0x0000000002620000-0x00000000026BA000-memory.dmp

Filesize
616KB

Download
memory/4680-21-0x0000000000840000-0x0000000000876000-memory.dmp

Filesize
216KB

Download
memory/4680-20-0x0000000002880000-0x0000000002BCA000-memory.dmp

Filesize
3.3MB

Download
memory/4680-16-0x0000000000840000-0x0000000000876000-memory.dmp

Filesize
216KB

Download