Analysis
max time kernel: 126s
max time network: 198s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2023, 14:34
Behavioral task
behavioral1
Sample: QIw3x0N2J.exe
Resource: win7-20231025-en
9 signatures
150 seconds
General
Target: QIw3x0N2J.exe
Size: 13.4MB
MD5: bfafcc2d51b99d4ff8d5654fb18cb70a
SHA1: 7ae3045b1c3a8ad39d9810e462085a349b7dd40b
SHA256: 9dc1a5b9da087f724dc7d97e24a48fee56470a8064c29073dc6ea8a70196ff83
SHA512: 41afc87a817fd2679ad19e8233d07025515ff6e23efd6891e5f2d51a4df0f182b7781863250d3a0cca3ecf4e905a2e89573eb583665b769abfac426de9f43655
SSDEEP: 393216:fOdeNEsj+pNo9K5YXbjGKl+vZqqbfBYOt+KGxO:GdeNXwYLX+MAqqb5YOQKqO
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | QIw3x0N2J.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | QIw3x0N2J.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | QIw3x0N2J.exe
Themida packer 10 IoCs
The yara rule "themida" matched ten memory dumps of the main process (PID 584), all covering the same mapped image range. Themida's protection layer itself performs VM and debugger checks, so the anti-VM and anti-debug signatures in this report may come from the packer rather than from the payload it wraps; the static hashes above identify the packed file, not the code that runs.
resource | yara_rule
behavioral2/memory/584-0-0x00007FF64BFB0000-0x00007FF64DDB4000-memory.dmp | themida
behavioral2/memory/584-2-0x00007FF64BFB0000-0x00007FF64DDB4000-memory.dmp | themida
behavioral2/memory/584-3-0x00007FF64BFB0000-0x00007FF64DDB4000-memory.dmp | themida
behavioral2/memory/584-5-0x00007FF64BFB0000-0x00007FF64DDB4000-memory.dmp | themida
behavioral2/memory/584-6-0x00007FF64BFB0000-0x00007FF64DDB4000-memory.dmp | themida
behavioral2/memory/584-7-0x00007FF64BFB0000-0x00007FF64DDB4000-memory.dmp | themida
behavioral2/memory/584-8-0x00007FF64BFB0000-0x00007FF64DDB4000-memory.dmp | themida
behavioral2/memory/584-9-0x00007FF64BFB0000-0x00007FF64DDB4000-memory.dmp | themida
behavioral2/memory/584-10-0x00007FF64BFB0000-0x00007FF64DDB4000-memory.dmp | themida
behavioral2/memory/584-11-0x00007FF64BFB0000-0x00007FF64DDB4000-memory.dmp | themida
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | QIw3x0N2J.exe
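The three registry signatures above are all derived the same way: the sandbox logs every key the process opens or queries, normalizes the path, and matches it against a small rule table. The following Python is an added example of that matching, written for this page and not code from the sandbox; the events are constructed from the IoC rows above (plus one benign query that must not match), the MITRE technique IDs in the rule table are my own mapping rather than the "2 TTPs" the report counts, and the extra ACPI tables (FADT, RSDT) and BIOS value (SystemBiosDate) are additions beyond the rows this report shows.

```python
"""Match sandbox registry events against the anti-analysis signatures in this report."""
import re
from collections import defaultdict

# Constructed events in the shape of the report's IoC rows: (operation, key path, pid, image).
# The last row is benign noise, added to show that unrelated queries do not match.
EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", 584, "QIw3x0N2J.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", 584, "QIw3x0N2J.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", 584, "QIw3x0N2J.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", 584, "QIw3x0N2J.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild", 584, "QIw3x0N2J.exe"),
]

# Kernel object-manager hive names (the form the sandbox logs) mapped to the usual short forms.
_HIVE_ALIASES = [(r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU")]


def normalize_key(path: str) -> str:
    """Rewrite \\REGISTRY\\MACHINE\\... to HKLM\\..., leaving everything after the hive untouched."""
    p = path.strip()
    for prefix, short in _HIVE_ALIASES:
        if p.upper().startswith(prefix.upper()):
            return short + p[len(prefix):]
    return p


# (signature name, technique, pattern over the normalized key).
# Technique IDs are my mapping (T1497.001 system checks, T1012 query registry), not the report's.
# The ACPI rule also accepts the FADT and RSDT tables, which VirtualBox guests expose next to DSDT.
RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", "T1497.001",
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Checks BIOS information in registry", "T1497.001",
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(?:SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I)),
    ("Checks whether UAC is enabled", "T1012",
     re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I)),
]


def match_signatures(events):
    """Return {signature name: [(operation, normalized key, pid, image), ...]} for matching events."""
    hits = defaultdict(list)
    for op, path, pid, image in events:
        key = normalize_key(path)
        for name, _ttp, pattern in RULES:
            if pattern.search(key):
                hits[name].append((op, key, pid, image))
    return dict(hits)


def ioc_counts(events):
    """Per-signature IoC counts, the number the report prints after each signature title."""
    return {name: len(rows) for name, rows in match_signatures(events).items()}


def render(events):
    """Print the matches in the report's 'description | ioc | Process' row layout."""
    for name, rows in match_signatures(events).items():
        print(f"{name} {len(rows)} IoCs")
        for op, key, pid, image in rows:
            print(f"  {op} | {key} | {image} (pid {pid})")


if __name__ == "__main__":
    render(EVENTS)
```

Run on the constructed events it reproduces the 1 / 2 / 1 IoC counts shown above and ignores the CurrentBuild query. Matching on the normalized key rather than the raw path is what keeps the rules short: the same process would be logged with `\REGISTRY\MACHINE\...` by a kernel callback and with `HKLM\...` by a user-mode API hook, and both must hit the same rule.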
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from delivering debug events to an attached debugger, a standard anti-debugging move.
pid | Process
584 | QIw3x0N2J.exe
Modifies registry key 1 TTPs 2 IoCs
Both reg.exe instances write to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced (see the process tree below): Start_TrackProgs = 0 switches off Explorer's tracking of program launches, which is what populates UserAssist, and Start_TrackEnabled = 0 switches off tracking of recently opened items (Recent folder and Jump Lists). The effect is to thin the execution artifacts a forensic examiner would normally recover from this user's profile.
pid | Process
2624 | reg.exe
5004 | reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
584 | QIw3x0N2J.exe (64 identical rows)
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
584 | QIw3x0N2J.exe
584 | QIw3x0N2J.exe
584 | QIw3x0N2J.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 584 wrote to memory of 3916 | 584 | QIw3x0N2J.exe | 94
PID 584 wrote to memory of 3916 | 584 | QIw3x0N2J.exe | 94
PID 3916 wrote to memory of 5004 | 3916 | cmd.exe | 95
PID 3916 wrote to memory of 5004 | 3916 | cmd.exe | 95
PID 584 wrote to memory of 4716 | 584 | QIw3x0N2J.exe | 99
PID 584 wrote to memory of 4716 | 584 | QIw3x0N2J.exe | 99
PID 4716 wrote to memory of 2624 | 4716 | cmd.exe | 100
PID 4716 wrote to memory of 2624 | 4716 | cmd.exe | 100
Processes
C:\Users\Admin\AppData\Local\Temp\QIw3x0N2J.exe
  "C:\Users\Admin\AppData\Local\Temp\QIw3x0N2J.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:584
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Start_TrackProgs" /t REG_DWORD /d 0 /f >nul 2>&1
      - Suspicious use of WriteProcessMemory
      PID:3916
        C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Start_TrackProgs" /t REG_DWORD /d 0 /f
          - Modifies registry key
          PID:5004
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Start_TrackEnabled" /t REG_DWORD /d 0 /f >nul 2>&1
      - Suspicious use of WriteProcessMemory
      PID:4716
        C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Start_TrackEnabled" /t REG_DWORD /d 0 /f
          - Modifies registry key
          PID:2624
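The process tree above is the part of this report that turns into a reusable detection: an executable running from the user's Temp directory spawns cmd.exe, which spawns reg.exe to set Start_TrackProgs and Start_TrackEnabled to 0 under Explorer\Advanced. The Python below is an added example written for this page, not the sandbox's own logic. The events are constructed from the tree (the report does not show who started PID 584, so its parent is recorded as None), two benign reg.exe rows are added to show what must not fire, and the reading of the two values as gating UserAssist and recent-items artifacts is my interpretation of those Explorer settings.

```python
"""Flag REG ADD command lines that switch off Explorer's launch/recent-item tracking,
and show the parent chain that issued them."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None for the root: the report does not show who started PID 584
    image: str
    cmdline: str


ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Constructed from the process tree in this report; pids 7000 and 7001 are benign rows that must not fire.
EVENTS = [
    ProcEvent(584, None, "QIw3x0N2J.exe", r'"C:\Users\Admin\AppData\Local\Temp\QIw3x0N2J.exe"'),
    ProcEvent(3916, 584, "cmd.exe", rf'C:\Windows\system32\cmd.exe /c REG ADD {ADV} /v "Start_TrackProgs" /t REG_DWORD /d 0 /f >nul 2>&1'),
    ProcEvent(5004, 3916, "reg.exe", rf'REG ADD {ADV} /v "Start_TrackProgs" /t REG_DWORD /d 0 /f'),
    ProcEvent(4716, 584, "cmd.exe", rf'C:\Windows\system32\cmd.exe /c REG ADD {ADV} /v "Start_TrackEnabled" /t REG_DWORD /d 0 /f >nul 2>&1'),
    ProcEvent(2624, 4716, "reg.exe", rf'REG ADD {ADV} /v "Start_TrackEnabled" /t REG_DWORD /d 0 /f'),
    ProcEvent(7000, 584, "reg.exe", r'reg add HKEY_CURRENT_USER\Software\Contoso /v Greeting /t REG_SZ /d "hello world" /f'),
    ProcEvent(7001, 584, "reg.exe", rf'REG ADD {ADV} /v Start_TrackProgs /t REG_DWORD /d 1 /f'),
]

_HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU",
          "HKEY_CLASSES_ROOT": "HKCR", "HKEY_CURRENT_CONFIG": "HKCC"}
_REG_ADD = re.compile(r'\breg(?:\.exe)?\s+add\s+(?P<key>"[^"]+"|\S+)(?P<rest>.*)', re.I)
_OPT = re.compile(r'/(?P<opt>[vtd])\s+(?P<val>"[^"]*"|\S+)', re.I)


def parse_reg_add(cmdline: str):
    """Pull key, value name, type and data out of a 'REG ADD' command line; None if it is not one."""
    m = _REG_ADD.search(cmdline)
    if not m:
        return None
    hive, sep, tail = m.group("key").strip('"').partition("\\")
    key = _HIVES.get(hive.upper(), hive.upper()) + (sep + tail if sep else "")
    opts = {o.group("opt").lower(): o.group("val").strip('"') for o in _OPT.finditer(m.group("rest"))}
    return {"key": key, "value": opts.get("v"), "type": opts.get("t", "REG_SZ").upper(), "data": opts.get("d")}


# My reading of what each Explorer\Advanced value gates (assumption, not stated by the report).
TRACKING_VALUES = {
    "START_TRACKPROGS": "program-launch tracking (feeds UserAssist)",
    "START_TRACKENABLED": "recent-items tracking (Recent folder and Jump Lists)",
}


def tracking_disabled(ev: ProcEvent) -> Optional[str]:
    """Describe what a REG ADD switches off, or None when the command line is not that pattern."""
    p = parse_reg_add(ev.cmdline)
    if not p or not p["value"]:
        return None
    if not p["key"].upper().endswith(r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED"):
        return None
    what = TRACKING_VALUES.get(p["value"].upper())
    if what is None or p["type"] != "REG_DWORD":
        return None
    try:
        data = int(p["data"], 0)      # accepts 0, 0x0, 00
    except (TypeError, ValueError):
        return None
    return what if data == 0 else None


def ancestry(events, pid):
    """Image names from the root down to pid, following ppid links (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def scan(events):
    """(pid, 'root > ... > image', description) for every event whose command line disables tracking."""
    findings = []
    for e in events:
        what = tracking_disabled(e)
        if what:
            findings.append((e.pid, " > ".join(ancestry(events, e.pid)), what))
    return findings


if __name__ == "__main__":
    for pid, chain, what in scan(EVENTS):
        print(f"pid {pid}: {chain}: disables {what}")
```

The rule fires on the cmd.exe rows as well as the reg.exe rows, which is intentional: the `/c REG ADD ...` command line already shows the intent, so the alert survives even when reg.exe itself is blocked or never logged. A write of 1 to the same value (re-enabling tracking) and writes to other keys are left alone, and the hive aliasing means `HKEY_CURRENT_USER\...` and `HKCU\...` are treated as the same key.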