Analysis

  • max time kernel
    150s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/12/2023, 08:49

General

  • Target

    7ebdf9d35465794a46cfdb8d91aabb4b.exe

  • Size

    5.6MB

  • MD5

    7ebdf9d35465794a46cfdb8d91aabb4b

  • SHA1

    531599d3e261dbbeb56993a94478bbdac2f1ac01

  • SHA256

    bdcee4d2c5ac46330804613de038e856c43c4c75dad9faf0e198601490bd8897

  • SHA512

    8fca267de766e3661677fb1c2968b0951ca2e77d144d56e5db5a590795bce7378f1ad42e1fcf2b61586de85ac07e565cf6374160215edb229480f95fe5a5fc29

  • SSDEEP

    98304:tqLKm+uTLWHXyQgKZdxc1GUuK7Je00yUfojJ+cTxpQo79NfKjuhWmBtpZxqmci6U:tqmuHWHXJXgu4JOwjRx68ajuhZBcniTn

Malware Config

Signatures

  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ebdf9d35465794a46cfdb8d91aabb4b.exe
    "C:\Users\Admin\AppData\Local\Temp\7ebdf9d35465794a46cfdb8d91aabb4b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/crJTB3UAPz
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3056 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2412
    • C:\Windows\SoftwareDistribution\Download\rqopM.exe
      "C:\Windows\SoftwareDistribution\Download\rqopM.exe" -map C:\Windows\SoftwareDistribution\Download\rqopM.sys
      2⤵
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:2128

Network


        Downloads