d606e741e84fabad497cea492686b20d76a706e537c212a83f2c7bcc00dba362

Analysis

max time kernel
151s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 19:11

Target

015779151e28e9dea2a2fc3ab3cb78f5.exe
Size

352KB
MD5

015779151e28e9dea2a2fc3ab3cb78f5
SHA1

22aecac99c2a2ae242133aa2b050435a1cef48c9
SHA256

d606e741e84fabad497cea492686b20d76a706e537c212a83f2c7bcc00dba362
SHA512

74774287df889edc1a429b34cef235fc3e882f9dfe919f08ef3e7036e2d60ad1caa71ee1a48614b21b4fe24c09bb9edc46d6dd96bed624dbff2a908ecd31efec
SSDEEP

6144:3C4ao4WpTBZvu5/9+iBEj9IJnoc8vCBcAsEo1O19hoDbLSwZMFUrQo:3/ao4WpT/vuOj98noZK2n1QoLSwuFUrB

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
2544	Qzone.exe
2972	Qzone.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tmp.bat	015779151e28e9dea2a2fc3ab3cb78f5.exe
File created	C:\Windows\SysWOW64\Qzone.dat	Qzone.exe
File opened for modification	C:\Windows\SysWOW64\Qzone.dat	Qzone.exe
File opened for modification	C:\Windows\SysWOW64\Qzone.exe	015779151e28e9dea2a2fc3ab3cb78f5.exe
File opened for modification	C:\Windows\SysWOW64\xcopy.exe	015779151e28e9dea2a2fc3ab3cb78f5.exe
File opened for modification	C:\Windows\SysWOW64\xcopy.exe	Qzone.exe
File opened for modification	C:\Windows\SysWOW64\xcopy.exe	Qzone.exe
File created	C:\Windows\SysWOW64\Qzone.exe	015779151e28e9dea2a2fc3ab3cb78f5.exe
File opened for modification	C:\Windows\SysWOW64\Qzone.dat	Qzone.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	Qzone.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 2544	4624	015779151e28e9dea2a2fc3ab3cb78f5.exe	90
PID 4624 wrote to memory of 2544	4624	015779151e28e9dea2a2fc3ab3cb78f5.exe	90
PID 4624 wrote to memory of 2544	4624	015779151e28e9dea2a2fc3ab3cb78f5.exe	90
PID 4624 wrote to memory of 2580	4624	015779151e28e9dea2a2fc3ab3cb78f5.exe	91
PID 4624 wrote to memory of 2580	4624	015779151e28e9dea2a2fc3ab3cb78f5.exe	91
PID 4624 wrote to memory of 2580	4624	015779151e28e9dea2a2fc3ab3cb78f5.exe	91
PID 2972 wrote to memory of 4216	2972	Qzone.exe	94
PID 2972 wrote to memory of 4216	2972	Qzone.exe	94
PID 2972 wrote to memory of 4216	2972	Qzone.exe	94

C:\Users\Admin\AppData\Local\Temp\015779151e28e9dea2a2fc3ab3cb78f5.exe
"C:\Users\Admin\AppData\Local\Temp\015779151e28e9dea2a2fc3ab3cb78f5.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Windows\SysWOW64\Qzone.exe
  C:\Windows\system32\Qzone.exe 1
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\tmp.bat
  2⤵
  PID:2580

C:\Windows\SysWOW64\Qzone.exe
C:\Windows\SysWOW64\Qzone.exe -service
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:4216

C:\Windows\SysWOW64\Qzone.dat

Filesize
229KB

MD5
f7b494d7958c50cabc53460143bbca77

SHA1
94abe95d4a1f2b3eec34f02ece06da055b8359c0

SHA256
ff52ea28b40a5110be2911a23cfa50f0860e20d57eae20faca06e4e833348672

SHA512
db468b3b48e8d791a68203832258c5dc1a95b89e73205f7a7f87b0232f680a0658010a3c4c590e487d0125ca222c7c4426bd3503a0bc31aff3a6a1c260cd787f

Download Submit
C:\Windows\SysWOW64\Qzone.exe

Filesize
352KB

MD5
015779151e28e9dea2a2fc3ab3cb78f5

SHA1
22aecac99c2a2ae242133aa2b050435a1cef48c9

SHA256
d606e741e84fabad497cea492686b20d76a706e537c212a83f2c7bcc00dba362

SHA512
74774287df889edc1a429b34cef235fc3e882f9dfe919f08ef3e7036e2d60ad1caa71ee1a48614b21b4fe24c09bb9edc46d6dd96bed624dbff2a908ecd31efec

Download Submit
C:\Windows\SysWOW64\tmp.bat

Filesize
239B

MD5
2855da4638d4203b97bf642d19b77d4e

SHA1
ca1a7d8130823f7c775e8ac2f1de288c1072e774

SHA256
4b4616e1b5890335a10b02f94eb65d8c77d26e8d9b36b74fa1df85aae69cb51c

SHA512
0f98b2722e4481f186b91203b86b241e266656d9da6d92a7f5516510454ecb0986183eb0d2ea45f6e4196b6ffd886d4ad44ab19ee7e8167228ae5e69aaafa3ca

Download Submit