cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c

General

Target

cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe
Size

369KB
MD5

622a52a8da7548f6949e6934455ff897
SHA1

42853f4f1ad3333d98c4f89101be973bde6088b8
SHA256

cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c
SHA512

0909339ac52b2f14f65125ff559f79be43fb855e7677f5be8cb975fdea2506813dd26bcff7a8e363dab5ae4ca7141bdcb5b9f1c8db970a4a279ed13f5ad4aee9
SSDEEP

6144:NnPdudwD2DK+I9mjLYWFdayTQJ0daw9LGx7b1gtS/eKIShYV+QjbiaIAX3Ads4s/:NnPdC2+I0np/ddy1jHISyV+4AGr

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	2548	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Control Panel\International\Geo\Nation	iqdvwadz.exe

Executes dropped EXE 2 IoCs

pid	Process
2504	iqdvwadz.exe
2532	iqdvwadz.exe

Loads dropped DLL 3 IoCs

pid	Process
2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe
2504	iqdvwadz.exe
2548	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2504 set thread context of 2532	2504	iqdvwadz.exe	30
PID 2532 set thread context of 2776	2532	iqdvwadz.exe	22
PID 2532 set thread context of 2776	2532	iqdvwadz.exe	22
PID 2532 set thread context of 2548	2532	iqdvwadz.exe	33
PID 2548 set thread context of 1268	2548	rundll32.exe	15

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3750544865-3773649541-1858556521-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	rundll32.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2532	iqdvwadz.exe
2532	iqdvwadz.exe
2532	iqdvwadz.exe
2532	iqdvwadz.exe
2532	iqdvwadz.exe
2532	iqdvwadz.exe
2532	iqdvwadz.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1268	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

pid	Process
2504	iqdvwadz.exe
2532	iqdvwadz.exe
2532	iqdvwadz.exe
2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe
2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe
2548	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	iqdvwadz.exe
Token: SeDebugPrivilege	2548	rundll32.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2504	2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe	29
PID 2776 wrote to memory of 2504	2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe	29
PID 2776 wrote to memory of 2504	2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe	29
PID 2776 wrote to memory of 2504	2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe	29
PID 2504 wrote to memory of 2532	2504	iqdvwadz.exe	30
PID 2504 wrote to memory of 2532	2504	iqdvwadz.exe	30
PID 2504 wrote to memory of 2532	2504	iqdvwadz.exe	30
PID 2504 wrote to memory of 2532	2504	iqdvwadz.exe	30
PID 2504 wrote to memory of 2532	2504	iqdvwadz.exe	30
PID 2776 wrote to memory of 2608	2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe	32
PID 2776 wrote to memory of 2608	2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe	32
PID 2776 wrote to memory of 2608	2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe	32
PID 2776 wrote to memory of 2608	2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe	32
PID 2776 wrote to memory of 2548	2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe	33
PID 2776 wrote to memory of 2548	2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe	33
PID 2776 wrote to memory of 2548	2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe	33
PID 2776 wrote to memory of 2548	2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe	33
PID 2776 wrote to memory of 2548	2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe	33
PID 2776 wrote to memory of 2548	2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe	33
PID 2776 wrote to memory of 2548	2776	cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe	33
PID 2548 wrote to memory of 2692	2548	rundll32.exe	36
PID 2548 wrote to memory of 2692	2548	rundll32.exe	36
PID 2548 wrote to memory of 2692	2548	rundll32.exe	36
PID 2548 wrote to memory of 2692	2548	rundll32.exe	36
PID 2548 wrote to memory of 2692	2548	rundll32.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1268
- C:\Users\Admin\AppData\Local\Temp\cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\cf8bdc7c63175c9125d2daf9bf291f3f87661a0147828f209984b5a2f5b29e2c_JC.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\iqdvwadz.exe
    "C:\Users\Admin\AppData\Local\Temp\iqdvwadz.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Users\Admin\AppData\Local\Temp\iqdvwadz.exe
      "C:\Users\Admin\AppData\Local\Temp\iqdvwadz.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2532
- - C:\Windows\SysWOW64\autoconv.exe
    "C:\Windows\SysWOW64\autoconv.exe"
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\SysWOW64\wscript.exe"
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe"
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iqdvwadz.exe

Filesize
214KB

MD5
c434f1d79eb7864e630426d5b935781f

SHA1
c477fd0761166c4fd48706475d2816352309258b

SHA256
d27c2b1077f5dd4f02747259aa73a1420cd4ec6c72027aeec4babe601713f4fc

SHA512
fcd97552ec0ea97559e80da5cbdb5c1c3a0545174382e51134d6b271c4ba014ad373dd1b7361e758eda4273a320e137507d63da5d2edfe98656fd522144db53e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqdvwadz.exe

Filesize
214KB

MD5
c434f1d79eb7864e630426d5b935781f

SHA1
c477fd0761166c4fd48706475d2816352309258b

SHA256
d27c2b1077f5dd4f02747259aa73a1420cd4ec6c72027aeec4babe601713f4fc

SHA512
fcd97552ec0ea97559e80da5cbdb5c1c3a0545174382e51134d6b271c4ba014ad373dd1b7361e758eda4273a320e137507d63da5d2edfe98656fd522144db53e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqdvwadz.exe

Filesize
214KB

MD5
c434f1d79eb7864e630426d5b935781f

SHA1
c477fd0761166c4fd48706475d2816352309258b

SHA256
d27c2b1077f5dd4f02747259aa73a1420cd4ec6c72027aeec4babe601713f4fc

SHA512
fcd97552ec0ea97559e80da5cbdb5c1c3a0545174382e51134d6b271c4ba014ad373dd1b7361e758eda4273a320e137507d63da5d2edfe98656fd522144db53e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lchmyiqywh.by

Filesize
231KB

MD5
2ef67d0c8f98757ae8ed67f8331d9cea

SHA1
d1c333919b1ca7df76b48f39afc20f8fe05de334

SHA256
da037cc26c208a20c04b5d678ed6766f0faf7769ad049be487a72fa91606ba23

SHA512
b0b556aada0853dc6597d0412c1af0774934d43cfb813f4450a4d4aa323e89d884d4e82dca6f99fb7e127bdb76f57369ad75984ed1cfadb896a0629ab10c58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\zrytk.zip

Filesize
444KB

MD5
d71848944418c67f6eb230682f9a969a

SHA1
11d37a0eccbaf9995c6b236ff1a99d174a2566bd

SHA256
efff0464180fcb34ec33e7835086ea58adc84bc3f0b08a7323ef1d58b258e59e

SHA512
7baef376fb5f87e43124f79f81fe45567b7926be277a05abbbfe74bdbbe8dc49c238999e432fb4c457dff23ca78915d2a899bdde9a2ee79b77c655c17ebe706d

Download Submit
\Users\Admin\AppData\Local\Temp\iqdvwadz.exe

Filesize
214KB

MD5
c434f1d79eb7864e630426d5b935781f

SHA1
c477fd0761166c4fd48706475d2816352309258b

SHA256
d27c2b1077f5dd4f02747259aa73a1420cd4ec6c72027aeec4babe601713f4fc

SHA512
fcd97552ec0ea97559e80da5cbdb5c1c3a0545174382e51134d6b271c4ba014ad373dd1b7361e758eda4273a320e137507d63da5d2edfe98656fd522144db53e

Download Submit
\Users\Admin\AppData\Local\Temp\iqdvwadz.exe

Filesize
214KB

MD5
c434f1d79eb7864e630426d5b935781f

SHA1
c477fd0761166c4fd48706475d2816352309258b

SHA256
d27c2b1077f5dd4f02747259aa73a1420cd4ec6c72027aeec4babe601713f4fc

SHA512
fcd97552ec0ea97559e80da5cbdb5c1c3a0545174382e51134d6b271c4ba014ad373dd1b7361e758eda4273a320e137507d63da5d2edfe98656fd522144db53e

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
849KB

MD5
87f9e5a6318ac1ec5ee05aa94a919d7a

SHA1
7a9956e8de89603dba99772da29493d3fd0fe37d

SHA256
7705b87603e0d772e1753441001fcf1ac2643ee41bf14a8177de2c056628665c

SHA512
c45c03176142918e34f746711e83384572bd6a8ed0a005600aa4a18cf22eade06c76eda190b37db49ec1971c4649e086affd19eee108c5f405df27c0c8cb23d2

Download Submit
memory/1268-32-0x0000000002A80000-0x0000000002B1E000-memory.dmp

Filesize
632KB

Download
memory/1268-29-0x0000000002E50000-0x0000000002F50000-memory.dmp

Filesize
1024KB

Download
memory/1268-31-0x0000000002A80000-0x0000000002B1E000-memory.dmp

Filesize
632KB

Download
memory/1268-30-0x0000000002A80000-0x0000000002B1E000-memory.dmp

Filesize
632KB

Download
memory/2504-6-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2532-13-0x0000000000B10000-0x0000000000E13000-memory.dmp

Filesize
3.0MB

Download
memory/2532-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2532-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2532-22-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-20-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/2548-21-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/2548-74-0x0000000061E00000-0x0000000061EC1000-memory.dmp

Filesize
772KB

Download
memory/2548-71-0x0000000061E00000-0x0000000061EC1000-memory.dmp

Filesize
772KB

Download
memory/2548-27-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/2548-28-0x0000000000860000-0x00000000008F1000-memory.dmp

Filesize
580KB

Download
memory/2548-23-0x0000000002060000-0x0000000002363000-memory.dmp

Filesize
3.0MB

Download
memory/2548-24-0x0000000000090000-0x00000000000C2000-memory.dmp

Filesize
200KB

Download
memory/2776-19-0x0000000003C80000-0x0000000004160000-memory.dmp

Filesize
4.9MB

Download
memory/2776-18-0x0000000003C80000-0x0000000004160000-memory.dmp

Filesize
4.9MB

Download
memory/2776-17-0x0000000002D80000-0x0000000003C79000-memory.dmp

Filesize
15.0MB

Download
memory/2776-15-0x0000000002D80000-0x0000000003C79000-memory.dmp

Filesize
15.0MB

Download
memory/2776-26-0x0000000003C80000-0x0000000004160000-memory.dmp

Filesize
4.9MB

Download
memory/2776-25-0x0000000002D80000-0x0000000003C79000-memory.dmp

Filesize
15.0MB

Download

Analysis

Sharing