e4378b8455bdfcf79631d89c669d362e230ae1fc93bfbfad4d1b9ad8a7370328

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 11:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16bdf69811be00ff9271d9c6122c30b5.exe
Size

13KB
MD5

16bdf69811be00ff9271d9c6122c30b5
SHA1

ea523f1b49a62e728b2e3770ce6511f4e63afa59
SHA256

e4378b8455bdfcf79631d89c669d362e230ae1fc93bfbfad4d1b9ad8a7370328
SHA512

a0bb5ca1f3b79ba935abadceb8024041361dfd0570a63f102517ceef87aca5e631a299868bd06c579bdab3d110db7d637ffb9fb971f9807a5b86e5a2df429f70
SSDEEP

384:p2wt+8CvCI7DDKZV1EDPNFXccizDnYBqi:MTtqI7/2sNacinn

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2348	qensngk.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4240-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/files/0x0007000000023222-4.dat	upx
behavioral2/memory/2348-6-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4240-9-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qensng.dll	16bdf69811be00ff9271d9c6122c30b5.exe
File created	C:\Windows\SysWOW64\qensngk.exe	16bdf69811be00ff9271d9c6122c30b5.exe
File opened for modification	C:\Windows\SysWOW64\qensngk.exe	16bdf69811be00ff9271d9c6122c30b5.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 2348	4240	16bdf69811be00ff9271d9c6122c30b5.exe	88
PID 4240 wrote to memory of 2348	4240	16bdf69811be00ff9271d9c6122c30b5.exe	88
PID 4240 wrote to memory of 2348	4240	16bdf69811be00ff9271d9c6122c30b5.exe	88
PID 4240 wrote to memory of 4352	4240	16bdf69811be00ff9271d9c6122c30b5.exe	92
PID 4240 wrote to memory of 4352	4240	16bdf69811be00ff9271d9c6122c30b5.exe	92
PID 4240 wrote to memory of 4352	4240	16bdf69811be00ff9271d9c6122c30b5.exe	92

C:\Users\Admin\AppData\Local\Temp\16bdf69811be00ff9271d9c6122c30b5.exe
"C:\Users\Admin\AppData\Local\Temp\16bdf69811be00ff9271d9c6122c30b5.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\SysWOW64\qensngk.exe
  C:\Windows\system32\qensngk.exe t!
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\16bdf69811be00ff9271d9c6122c30b5.exe.bat
  2⤵
  PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\16bdf69811be00ff9271d9c6122c30b5.exe.bat

Filesize
182B

MD5
b3f6b2dc9199e7134ecbf6086b72f315

SHA1
acda64eaed5c4236ee467d827712018f32096d47

SHA256
ca8eff667ff0ce4be0ad002c48a122da38cadb3a8a8d6eb57b609b7a7438bb16

SHA512
b5fdffc684fb7e4a159f0af3a763a00e3ca29cf3a1dc0f0f4d9bea3bc9fc91952fac7e183c68c3f74c628f9804855c384b0e3dffc7e4a6efa944da9fab4603f1

Download Submit
C:\Windows\SysWOW64\qensngk.exe

Filesize
13KB

MD5
16bdf69811be00ff9271d9c6122c30b5

SHA1
ea523f1b49a62e728b2e3770ce6511f4e63afa59

SHA256
e4378b8455bdfcf79631d89c669d362e230ae1fc93bfbfad4d1b9ad8a7370328

SHA512
a0bb5ca1f3b79ba935abadceb8024041361dfd0570a63f102517ceef87aca5e631a299868bd06c579bdab3d110db7d637ffb9fb971f9807a5b86e5a2df429f70

Download Submit
memory/2348-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4240-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4240-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download