cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
20-11-2023 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
Size

1.3MB
MD5

e469b42e94978c9e2c4141c7c54fa2f0
SHA1

51c3ff2fb5c08fd6d372f83ea686dfba7af6b988
SHA256

cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407
SHA512

8f2f3cc359a88dbaf511c2d98b72c3b0b4036ecc9b350c483f89f0ca7392ab0cbaa7e32819e7f15949923be5c1c91550bc68d8323e375b4def295492713d8df1
SSDEEP

24576:m4lavt0LkLL9IMixoEgea4R3c7tiNAg6x66HW3E9KLAwq+XPqc+Rq9MmCS:xkwkn9IMHea4y7ty6owW3E0LcBhaPCS

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VOVRLQ.lnk	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe

Executes dropped EXE 3 IoCs

pid	Process
2524	KAQPRH.exe
2420	KAQPRH.exe
2168	KAQPRH.exe

Loads dropped DLL 1 IoCs

pid	Process
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\VOVRLQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\KAQPRH.exe\""	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00080000000120bd-2.dat	autoit_exe
behavioral1/files/0x00080000000120bd-7.dat	autoit_exe
behavioral1/files/0x00080000000120bd-8.dat	autoit_exe
behavioral1/files/0x00080000000120bd-10.dat	autoit_exe
behavioral1/files/0x00080000000120bd-11.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2840	schtasks.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\root\SecurityCenter2	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2964	2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe	28
PID 2116 wrote to memory of 2964	2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe	28
PID 2116 wrote to memory of 2964	2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe	28
PID 2116 wrote to memory of 2964	2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe	28
PID 2116 wrote to memory of 3012	2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe	30
PID 2116 wrote to memory of 3012	2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe	30
PID 2116 wrote to memory of 3012	2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe	30
PID 2116 wrote to memory of 3012	2116	cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe	30
PID 2964 wrote to memory of 2840	2964	cmd.exe	31
PID 2964 wrote to memory of 2840	2964	cmd.exe	31
PID 2964 wrote to memory of 2840	2964	cmd.exe	31
PID 2964 wrote to memory of 2840	2964	cmd.exe	31
PID 2812 wrote to memory of 2524	2812	taskeng.exe	34
PID 2812 wrote to memory of 2524	2812	taskeng.exe	34
PID 2812 wrote to memory of 2524	2812	taskeng.exe	34
PID 2812 wrote to memory of 2524	2812	taskeng.exe	34
PID 2812 wrote to memory of 2420	2812	taskeng.exe	37
PID 2812 wrote to memory of 2420	2812	taskeng.exe	37
PID 2812 wrote to memory of 2420	2812	taskeng.exe	37
PID 2812 wrote to memory of 2420	2812	taskeng.exe	37
PID 2812 wrote to memory of 2168	2812	taskeng.exe	38
PID 2812 wrote to memory of 2168	2812	taskeng.exe	38
PID 2812 wrote to memory of 2168	2812	taskeng.exe	38
PID 2812 wrote to memory of 2168	2812	taskeng.exe	38

C:\Users\Admin\AppData\Local\Temp\cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe
"C:\Users\Admin\AppData\Local\Temp\cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn VOVRLQ.exe /tr C:\Users\Admin\AppData\Roaming\Windata\KAQPRH.exe /sc minute /mo 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn VOVRLQ.exe /tr C:\Users\Admin\AppData\Roaming\Windata\KAQPRH.exe /sc minute /mo 1
    3⤵
    - Creates scheduled task(s)
    PID:2840
- C:\Windows\SysWOW64\WSCript.exe
  WSCript C:\Users\Admin\AppData\Local\Temp\VOVRLQ.vbs
  2⤵
  PID:3012

C:\Windows\system32\taskeng.exe
taskeng.exe {3EBC4E15-33AA-4E7F-AFA0-47FD9FFAFD83} S-1-5-21-3618187007-3650799920-3290345941-1000:BPDFUYWR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Users\Admin\AppData\Roaming\Windata\KAQPRH.exe
  C:\Users\Admin\AppData\Roaming\Windata\KAQPRH.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Users\Admin\AppData\Roaming\Windata\KAQPRH.exe
  C:\Users\Admin\AppData\Roaming\Windata\KAQPRH.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Users\Admin\AppData\Roaming\Windata\KAQPRH.exe
  C:\Users\Admin\AppData\Roaming\Windata\KAQPRH.exe
  2⤵
  - Executes dropped EXE
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VOVRLQ.vbs

Filesize
948B

MD5
aee9b8d057c816a9b41b1033aeee1ecf

SHA1
154b983431f444bcf53a45afab16bfe8e37c45ed

SHA256
7ec5a5ae49a215da3f29bf7ad1906e0f5605a13f35d0cec69ac12fd5f139b28b

SHA512
8f6262cddced21322a72a17f50dded8ac16d825a11704bd31d868e7e91b83b56c9700814213c1ceb24cff31b031cde05b7b46504a031b2e1354c7fc8593e9f28

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\KAQPRH.exe

Filesize
1.3MB

MD5
e469b42e94978c9e2c4141c7c54fa2f0

SHA1
51c3ff2fb5c08fd6d372f83ea686dfba7af6b988

SHA256
cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407

SHA512
8f2f3cc359a88dbaf511c2d98b72c3b0b4036ecc9b350c483f89f0ca7392ab0cbaa7e32819e7f15949923be5c1c91550bc68d8323e375b4def295492713d8df1

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\KAQPRH.exe

Filesize
1.3MB

MD5
e469b42e94978c9e2c4141c7c54fa2f0

SHA1
51c3ff2fb5c08fd6d372f83ea686dfba7af6b988

SHA256
cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407

SHA512
8f2f3cc359a88dbaf511c2d98b72c3b0b4036ecc9b350c483f89f0ca7392ab0cbaa7e32819e7f15949923be5c1c91550bc68d8323e375b4def295492713d8df1

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\KAQPRH.exe

Filesize
1.3MB

MD5
e469b42e94978c9e2c4141c7c54fa2f0

SHA1
51c3ff2fb5c08fd6d372f83ea686dfba7af6b988

SHA256
cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407

SHA512
8f2f3cc359a88dbaf511c2d98b72c3b0b4036ecc9b350c483f89f0ca7392ab0cbaa7e32819e7f15949923be5c1c91550bc68d8323e375b4def295492713d8df1

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\KAQPRH.exe

Filesize
1.3MB

MD5
e469b42e94978c9e2c4141c7c54fa2f0

SHA1
51c3ff2fb5c08fd6d372f83ea686dfba7af6b988

SHA256
cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407

SHA512
8f2f3cc359a88dbaf511c2d98b72c3b0b4036ecc9b350c483f89f0ca7392ab0cbaa7e32819e7f15949923be5c1c91550bc68d8323e375b4def295492713d8df1

Download Submit
\Users\Admin\AppData\Roaming\Windata\KAQPRH.exe

Filesize
1.3MB

MD5
e469b42e94978c9e2c4141c7c54fa2f0

SHA1
51c3ff2fb5c08fd6d372f83ea686dfba7af6b988

SHA256
cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407

SHA512
8f2f3cc359a88dbaf511c2d98b72c3b0b4036ecc9b350c483f89f0ca7392ab0cbaa7e32819e7f15949923be5c1c91550bc68d8323e375b4def295492713d8df1

Download Submit