d606e741e84fabad497cea492686b20d76a706e537c212a83f2c7bcc00dba362

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 19:11

Target

015779151e28e9dea2a2fc3ab3cb78f5.exe
Size

352KB
MD5

015779151e28e9dea2a2fc3ab3cb78f5
SHA1

22aecac99c2a2ae242133aa2b050435a1cef48c9
SHA256

d606e741e84fabad497cea492686b20d76a706e537c212a83f2c7bcc00dba362
SHA512

74774287df889edc1a429b34cef235fc3e882f9dfe919f08ef3e7036e2d60ad1caa71ee1a48614b21b4fe24c09bb9edc46d6dd96bed624dbff2a908ecd31efec
SSDEEP

6144:3C4ao4WpTBZvu5/9+iBEj9IJnoc8vCBcAsEo1O19hoDbLSwZMFUrQo:3/ao4WpT/vuOj98noZK2n1QoLSwuFUrB

Score

7^/10

Deletes itself 1 IoCs

pid	Process
2884	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1328	Qzone.exe
2860	Qzone.exe

Loads dropped DLL 2 IoCs

pid	Process
1232	015779151e28e9dea2a2fc3ab3cb78f5.exe
1232	015779151e28e9dea2a2fc3ab3cb78f5.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qzone.exe	015779151e28e9dea2a2fc3ab3cb78f5.exe
File created	C:\Windows\SysWOW64\tmp.bat	015779151e28e9dea2a2fc3ab3cb78f5.exe
File opened for modification	C:\Windows\SysWOW64\xcopy.exe	Qzone.exe
File opened for modification	C:\Windows\SysWOW64\Qzone.dat	Qzone.exe
File opened for modification	C:\Windows\SysWOW64\Qzone.exe	015779151e28e9dea2a2fc3ab3cb78f5.exe
File opened for modification	C:\Windows\SysWOW64\xcopy.exe	015779151e28e9dea2a2fc3ab3cb78f5.exe
File created	C:\Windows\SysWOW64\Qzone.dat	Qzone.exe
File opened for modification	C:\Windows\SysWOW64\Qzone.dat	Qzone.exe
File opened for modification	C:\Windows\SysWOW64\xcopy.exe	Qzone.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	Qzone.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 1328	1232	015779151e28e9dea2a2fc3ab3cb78f5.exe	28
PID 1232 wrote to memory of 1328	1232	015779151e28e9dea2a2fc3ab3cb78f5.exe	28
PID 1232 wrote to memory of 1328	1232	015779151e28e9dea2a2fc3ab3cb78f5.exe	28
PID 1232 wrote to memory of 1328	1232	015779151e28e9dea2a2fc3ab3cb78f5.exe	28
PID 1232 wrote to memory of 2884	1232	015779151e28e9dea2a2fc3ab3cb78f5.exe	29
PID 1232 wrote to memory of 2884	1232	015779151e28e9dea2a2fc3ab3cb78f5.exe	29
PID 1232 wrote to memory of 2884	1232	015779151e28e9dea2a2fc3ab3cb78f5.exe	29
PID 1232 wrote to memory of 2884	1232	015779151e28e9dea2a2fc3ab3cb78f5.exe	29
PID 2860 wrote to memory of 2556	2860	Qzone.exe	32
PID 2860 wrote to memory of 2556	2860	Qzone.exe	32
PID 2860 wrote to memory of 2556	2860	Qzone.exe	32
PID 2860 wrote to memory of 2556	2860	Qzone.exe	32
PID 2860 wrote to memory of 2556	2860	Qzone.exe	32

C:\Users\Admin\AppData\Local\Temp\015779151e28e9dea2a2fc3ab3cb78f5.exe
"C:\Users\Admin\AppData\Local\Temp\015779151e28e9dea2a2fc3ab3cb78f5.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\SysWOW64\Qzone.exe
  C:\Windows\system32\Qzone.exe 1
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\tmp.bat
  2⤵
  - Deletes itself
  PID:2884

C:\Windows\SysWOW64\Qzone.exe
C:\Windows\SysWOW64\Qzone.exe -service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2556

C:\Windows\SysWOW64\Qzone.dat

Filesize
229KB

MD5
f7b494d7958c50cabc53460143bbca77

SHA1
94abe95d4a1f2b3eec34f02ece06da055b8359c0

SHA256
ff52ea28b40a5110be2911a23cfa50f0860e20d57eae20faca06e4e833348672

SHA512
db468b3b48e8d791a68203832258c5dc1a95b89e73205f7a7f87b0232f680a0658010a3c4c590e487d0125ca222c7c4426bd3503a0bc31aff3a6a1c260cd787f

Download Submit
C:\Windows\SysWOW64\Qzone.dat

Filesize
220KB

MD5
171d0e47527c6552c99fdeed59d772d1

SHA1
8a657fbcdc4c3046aad62154128873a35a0e03d5

SHA256
761144192514c4d7c72f31e45e7e003e7c35fd2d6772a85c7a40dc7460e9c6a3

SHA512
39791bec6bcaf0c6ae2c3241d14221dfddc52b08eefe0f8f4169b99996952f5d2a0ddd3e2bdfbcca9b62c7a139d275dad85bb2dbacff8badc6f142d78e1c2a59

Download Submit
C:\Windows\SysWOW64\tmp.bat

Filesize
239B

MD5
2855da4638d4203b97bf642d19b77d4e

SHA1
ca1a7d8130823f7c775e8ac2f1de288c1072e774

SHA256
4b4616e1b5890335a10b02f94eb65d8c77d26e8d9b36b74fa1df85aae69cb51c

SHA512
0f98b2722e4481f186b91203b86b241e266656d9da6d92a7f5516510454ecb0986183eb0d2ea45f6e4196b6ffd886d4ad44ab19ee7e8167228ae5e69aaafa3ca

Download Submit
\Windows\SysWOW64\Qzone.exe

Filesize
352KB

MD5
015779151e28e9dea2a2fc3ab3cb78f5

SHA1
22aecac99c2a2ae242133aa2b050435a1cef48c9

SHA256
d606e741e84fabad497cea492686b20d76a706e537c212a83f2c7bcc00dba362

SHA512
74774287df889edc1a429b34cef235fc3e882f9dfe919f08ef3e7036e2d60ad1caa71ee1a48614b21b4fe24c09bb9edc46d6dd96bed624dbff2a908ecd31efec

Download Submit