6dca7c2b1b4c7aeeac1b8323177e36a5d3107840f60224b609cd5b0d2dda2b8a

Analysis

max time kernel
156s
max time network
151s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dca7c2b1b4c7aeeac1b8323177e36a5d3107840f60224b609cd5b0d2dda2b8a.exe
Size

4.4MB
MD5

681da6a04e7ac7d30a0461f0f809f491
SHA1

f045c757662282e40ba55a16b50dae27735c5628
SHA256

6dca7c2b1b4c7aeeac1b8323177e36a5d3107840f60224b609cd5b0d2dda2b8a
SHA512

d83f05e36d03cda3ffe2c24fa9ce76ed6982061e00bf070f73dc35e906c3c4c0b536f1cc84a892f0c5529f46b5544542a4c3790b3a8d5b5d758298eea05cf131
SSDEEP

49152:M57e2lkllCewwFaGDkw7YtZLAAl/+bmQcmOIhkB8Dt9jfKgDclgx:y7eiKa7D+t9rxoSx

Score

8^/10

upx

Malware Config

Signatures

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Executes dropped EXE 1 IoCs

pid	Process
2400	QkjZRtFl.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c00000001226b-5.dat	upx
behavioral1/memory/2400-7-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral1/memory/2400-46-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	QkjZRtFl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	QkjZRtFl.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1396	6dca7c2b1b4c7aeeac1b8323177e36a5d3107840f60224b609cd5b0d2dda2b8a.exe
1396	6dca7c2b1b4c7aeeac1b8323177e36a5d3107840f60224b609cd5b0d2dda2b8a.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1396	6dca7c2b1b4c7aeeac1b8323177e36a5d3107840f60224b609cd5b0d2dda2b8a.exe
2400	QkjZRtFl.exe
2400	QkjZRtFl.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 2400	1396	6dca7c2b1b4c7aeeac1b8323177e36a5d3107840f60224b609cd5b0d2dda2b8a.exe	28
PID 1396 wrote to memory of 2400	1396	6dca7c2b1b4c7aeeac1b8323177e36a5d3107840f60224b609cd5b0d2dda2b8a.exe	28
PID 1396 wrote to memory of 2400	1396	6dca7c2b1b4c7aeeac1b8323177e36a5d3107840f60224b609cd5b0d2dda2b8a.exe	28
PID 1396 wrote to memory of 2400	1396	6dca7c2b1b4c7aeeac1b8323177e36a5d3107840f60224b609cd5b0d2dda2b8a.exe	28
PID 1396 wrote to memory of 2400	1396	6dca7c2b1b4c7aeeac1b8323177e36a5d3107840f60224b609cd5b0d2dda2b8a.exe	28
PID 1396 wrote to memory of 2400	1396	6dca7c2b1b4c7aeeac1b8323177e36a5d3107840f60224b609cd5b0d2dda2b8a.exe	28
PID 1396 wrote to memory of 2400	1396	6dca7c2b1b4c7aeeac1b8323177e36a5d3107840f60224b609cd5b0d2dda2b8a.exe	28
PID 2400 wrote to memory of 2876	2400	QkjZRtFl.exe	29
PID 2400 wrote to memory of 2876	2400	QkjZRtFl.exe	29
PID 2400 wrote to memory of 2876	2400	QkjZRtFl.exe	29
PID 2400 wrote to memory of 2876	2400	QkjZRtFl.exe	29

C:\Users\Admin\AppData\Local\Temp\6dca7c2b1b4c7aeeac1b8323177e36a5d3107840f60224b609cd5b0d2dda2b8a.exe
"C:\Users\Admin\AppData\Local\Temp\6dca7c2b1b4c7aeeac1b8323177e36a5d3107840f60224b609cd5b0d2dda2b8a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Public\Downloads\A9rOkAsX\QkjZRtFl.exe
  "C:\Users\Public\Downloads\A9rOkAsX\QkjZRtFl.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo.>c:\xxxx.ini
    3⤵
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG3.JPG

Filesize
6KB

MD5
e39405e85e09f64ccde0f59392317dd3

SHA1
9c76db4b3d8c7972e7995ecfb1e3c47ee94fd14b

SHA256
cfd9677e1c0e10b1507f520c4ecd40f68db78154c0d4e6563403d540f3bf829f

SHA512
6733f330145b48d23c023c664090f4f240e9bbeb8368b486c8ee8682ec6a930b73275e24075648d1aa7e01db1ec7b7e259286917a006ba9af8fb7cba3439070a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_tu2_temp_0\IRIMG4.JPG

Filesize
36KB

MD5
f6bf82a293b69aa5b47d4e2de305d45a

SHA1
4948716616d4bbe68be2b4c5bf95350402d3f96f

SHA256
6a9368cdd7b3ff9b590e206c3536569bc45c338966d0059784959f73fe6281e0

SHA512
edf0f3ee60a620cf886184c1014f38d0505aac9e3703d61d7074cfb27d6922f80e570d1a3891593606a09f1296a88c8770445761c11c390a99a5341ee56478aa

Download Submit
C:\Users\Public\Downloads\A9rOkAsX\Edge.jpg

Filesize
358KB

MD5
c500c43ba46f0ada7a7b90f3661934af

SHA1
ebf80091112d2edd34ef8262178d8c4c9f03dea9

SHA256
40e5bffa8e4beefd4eb08af151946e399172dd3a39fdd38bbce76c2df4a84871

SHA512
ac8cd243108de54c7d62c97514a5835eee993e6d79adddb0b83f99aa6906822ec93a351712dc037b9ad73f8a93f3c5b5ea642f030483812069f332b90bbea054

Download Submit
C:\Users\Public\Downloads\A9rOkAsX\QkjZRtFl.dat

Filesize
132KB

MD5
116cc84dce60ec0b3835c2ad1c2424a7

SHA1
c171d7f80c2e6388563f5cdbe8f40e19b8e4a01a

SHA256
d7fb488e57ab01b4b9066fa4aed702c541dc99b98b4804b5811d0cf377090c4e

SHA512
03a29f6ac59cdefdf46247c2fe917d418541b814e5cbe3bdb47434ad88660eedcd3cdaa5f110840f9034d8ecf7b9f552564722445cb5a8fa441c3389a2ddaa93

Download Submit
C:\Users\Public\Downloads\A9rOkAsX\QkjZRtFl.exe

Filesize
525KB

MD5
609c656c5caf4dadf68d74817b292b9f

SHA1
98a80e630e04df9c456c7ebb89529d1155cc7b55

SHA256
e6c44abbc7bb6169d5abfd5290a5f2b3f8d8e7c2ff9ef80356e1d71cc13ccfef

SHA512
e2a933c089c5f92febbff0c36dd1dfc5df65671e58e0c6b78d99aab7ca817895de1573d9aff82ae48ec951dcc0698716b220ac0c90786774f5e7aecafa9eb3a3

Download Submit
C:\Users\Public\Downloads\A9rOkAsX\edge.xml

Filesize
53KB

MD5
c01854d7e6be8474cfccbfb8ecf81d0b

SHA1
d5fb64c8e4e7c6bb1b5322ddd67e43974b20cf06

SHA256
a31251575a2dcb37ab41d4cb0fa5704c60c66b784cacf101ddb07252044b3746

SHA512
fcf768c89c8747e6a6a69f2ff99ae588b3662157f83039ce1209263878b63abf2dcf6f43dad72ec688f25332c87a1b09acb47d6e2ea5c62ce76592b942be2f9f

Download Submit
memory/2400-7-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/2400-29-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/2400-32-0x0000000001FD0000-0x0000000001FE2000-memory.dmp

Filesize
72KB

Download
memory/2400-34-0x0000000010000000-0x0000000010061000-memory.dmp

Filesize
388KB

Download
memory/2400-46-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download