0323425a578f2c2440987eb0cbd9af1f50ad2f5b2667b56950fad52535aac911

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b90dfb0e5ceecf88f138ef8e35b7d3e.exe
Size

146KB
MD5

1b90dfb0e5ceecf88f138ef8e35b7d3e
SHA1

b10a1d0f5734fddeac4a554ba90e266a18860bd4
SHA256

0323425a578f2c2440987eb0cbd9af1f50ad2f5b2667b56950fad52535aac911
SHA512

a6532860941589b4356db5fce035c869e0c512a8175a525083ecfecd5ff86d51b3cb07b6d824a60e79bc85355f2699708599b1026da73467b2772a0cef3f206a
SSDEEP

3072:3AFMfmv+OIfi8ANqtSdzwLhWpRPpwfM8m3+SZcsySm2+zEgU3dhWywAX:3AFMfmv+OqodPeU8W+itySmHKV

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
852	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3000	qeyr.exe

Loads dropped DLL 2 IoCs

pid	Process
2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe
2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00090000000141c0-6.dat	upx
behavioral1/memory/2784-12-0x0000000001E40000-0x0000000001E98000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\{34FDD602-B489-C607-A048-6F5816A32267} = "C:\\Users\\Admin\\AppData\\Roaming\\Izgo\\qeyr.exe"	qeyr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2784 set thread context of 852	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe	30

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Privacy	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe
3000	qeyr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe
Token: SeSecurityPrivilege	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe
Token: SeSecurityPrivilege	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 3000	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe	28
PID 2784 wrote to memory of 3000	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe	28
PID 2784 wrote to memory of 3000	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe	28
PID 2784 wrote to memory of 3000	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe	28
PID 3000 wrote to memory of 1236	3000	qeyr.exe	9
PID 3000 wrote to memory of 1236	3000	qeyr.exe	9
PID 3000 wrote to memory of 1236	3000	qeyr.exe	9
PID 3000 wrote to memory of 1236	3000	qeyr.exe	9
PID 3000 wrote to memory of 1236	3000	qeyr.exe	9
PID 3000 wrote to memory of 1328	3000	qeyr.exe	8
PID 3000 wrote to memory of 1328	3000	qeyr.exe	8
PID 3000 wrote to memory of 1328	3000	qeyr.exe	8
PID 3000 wrote to memory of 1328	3000	qeyr.exe	8
PID 3000 wrote to memory of 1328	3000	qeyr.exe	8
PID 3000 wrote to memory of 1368	3000	qeyr.exe	7
PID 3000 wrote to memory of 1368	3000	qeyr.exe	7
PID 3000 wrote to memory of 1368	3000	qeyr.exe	7
PID 3000 wrote to memory of 1368	3000	qeyr.exe	7
PID 3000 wrote to memory of 1368	3000	qeyr.exe	7
PID 3000 wrote to memory of 1104	3000	qeyr.exe	5
PID 3000 wrote to memory of 1104	3000	qeyr.exe	5
PID 3000 wrote to memory of 1104	3000	qeyr.exe	5
PID 3000 wrote to memory of 1104	3000	qeyr.exe	5
PID 3000 wrote to memory of 1104	3000	qeyr.exe	5
PID 3000 wrote to memory of 2784	3000	qeyr.exe	1
PID 3000 wrote to memory of 2784	3000	qeyr.exe	1
PID 3000 wrote to memory of 2784	3000	qeyr.exe	1
PID 3000 wrote to memory of 2784	3000	qeyr.exe	1
PID 3000 wrote to memory of 2784	3000	qeyr.exe	1
PID 2784 wrote to memory of 852	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe	30
PID 2784 wrote to memory of 852	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe	30
PID 2784 wrote to memory of 852	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe	30
PID 2784 wrote to memory of 852	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe	30
PID 2784 wrote to memory of 852	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe	30
PID 2784 wrote to memory of 852	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe	30
PID 2784 wrote to memory of 852	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe	30
PID 2784 wrote to memory of 852	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe	30
PID 2784 wrote to memory of 852	2784	1b90dfb0e5ceecf88f138ef8e35b7d3e.exe	30
PID 3000 wrote to memory of 2340	3000	qeyr.exe	31
PID 3000 wrote to memory of 2340	3000	qeyr.exe	31
PID 3000 wrote to memory of 2340	3000	qeyr.exe	31
PID 3000 wrote to memory of 2340	3000	qeyr.exe	31
PID 3000 wrote to memory of 2340	3000	qeyr.exe	31
PID 3000 wrote to memory of 972	3000	qeyr.exe	32
PID 3000 wrote to memory of 972	3000	qeyr.exe	32
PID 3000 wrote to memory of 972	3000	qeyr.exe	32
PID 3000 wrote to memory of 972	3000	qeyr.exe	32
PID 3000 wrote to memory of 972	3000	qeyr.exe	32

C:\Users\Admin\AppData\Local\Temp\1b90dfb0e5ceecf88f138ef8e35b7d3e.exe
"C:\Users\Admin\AppData\Local\Temp\1b90dfb0e5ceecf88f138ef8e35b7d3e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Roaming\Izgo\qeyr.exe
  "C:\Users\Admin\AppData\Roaming\Izgo\qeyr.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpffc1753f.bat"
  2⤵
  - Deletes itself
  PID:852

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1328

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1236

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2340

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Izgo\qeyr.exe

Filesize
146KB

MD5
9603fd881d797e03f1028505dee555f6

SHA1
6c81301c1f4ea1f086c9ec825d48a7dba5d0d275

SHA256
ac81fd46186042403b0702e93362af5ae3f126b0f74d778fe90dc277547ee526

SHA512
a27bb2c0203afe7150d1cf5a6a5bf0e942a7b12bfdf78d0f32691839c7bebeaaa9174fd1d428711b87f4be9638fc4629aae87ad053f311a5ec8d77220e52e39d

Download Submit
memory/852-163-0x0000000077DC0000-0x0000000077DC1000-memory.dmp

Filesize
4KB

Download
memory/852-244-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/852-245-0x0000000000090000-0x00000000000B5000-memory.dmp

Filesize
148KB

Download
memory/852-151-0x0000000000090000-0x00000000000B5000-memory.dmp

Filesize
148KB

Download
memory/1104-37-0x0000000000370000-0x0000000000395000-memory.dmp

Filesize
148KB

Download
memory/1104-36-0x0000000000370000-0x0000000000395000-memory.dmp

Filesize
148KB

Download
memory/1104-35-0x0000000000370000-0x0000000000395000-memory.dmp

Filesize
148KB

Download
memory/1104-34-0x0000000000370000-0x0000000000395000-memory.dmp

Filesize
148KB

Download
memory/1236-17-0x0000000001F20000-0x0000000001F45000-memory.dmp

Filesize
148KB

Download
memory/1236-19-0x0000000001F20000-0x0000000001F45000-memory.dmp

Filesize
148KB

Download
memory/1236-16-0x0000000001F20000-0x0000000001F45000-memory.dmp

Filesize
148KB

Download
memory/1236-22-0x0000000001F20000-0x0000000001F45000-memory.dmp

Filesize
148KB

Download
memory/1236-21-0x0000000001F20000-0x0000000001F45000-memory.dmp

Filesize
148KB

Download
memory/1328-27-0x0000000001DA0000-0x0000000001DC5000-memory.dmp

Filesize
148KB

Download
memory/1328-26-0x0000000001DA0000-0x0000000001DC5000-memory.dmp

Filesize
148KB

Download
memory/1328-25-0x0000000001DA0000-0x0000000001DC5000-memory.dmp

Filesize
148KB

Download
memory/1328-24-0x0000000001DA0000-0x0000000001DC5000-memory.dmp

Filesize
148KB

Download
memory/1368-29-0x0000000002B20000-0x0000000002B45000-memory.dmp

Filesize
148KB

Download
memory/1368-30-0x0000000002B20000-0x0000000002B45000-memory.dmp

Filesize
148KB

Download
memory/1368-31-0x0000000002B20000-0x0000000002B45000-memory.dmp

Filesize
148KB

Download
memory/1368-32-0x0000000002B20000-0x0000000002B45000-memory.dmp

Filesize
148KB

Download
memory/2784-67-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-44-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-79-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-77-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-75-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-73-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-71-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-69-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2784-65-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-63-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-61-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-59-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-57-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-55-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-53-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-51-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-49-0x0000000077DC0000-0x0000000077DC1000-memory.dmp

Filesize
4KB

Download
memory/2784-48-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-81-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-42-0x0000000001CD0000-0x0000000001CF5000-memory.dmp

Filesize
148KB

Download
memory/2784-41-0x0000000001CD0000-0x0000000001CF5000-memory.dmp

Filesize
148KB

Download
memory/2784-40-0x0000000001CD0000-0x0000000001CF5000-memory.dmp

Filesize
148KB

Download
memory/2784-39-0x0000000001CD0000-0x0000000001CF5000-memory.dmp

Filesize
148KB

Download
memory/2784-83-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-149-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2784-150-0x0000000001CD0000-0x0000000001CF5000-memory.dmp

Filesize
148KB

Download
memory/2784-137-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2784-47-0x0000000077DC0000-0x0000000077DC1000-memory.dmp

Filesize
4KB

Download
memory/2784-45-0x0000000001CD0000-0x0000000001CF5000-memory.dmp

Filesize
148KB

Download
memory/2784-43-0x0000000001CD0000-0x0000000001CF5000-memory.dmp

Filesize
148KB

Download
memory/2784-14-0x0000000001E40000-0x0000000001E98000-memory.dmp

Filesize
352KB

Download
memory/2784-3-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2784-2-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2784-12-0x0000000001E40000-0x0000000001E98000-memory.dmp

Filesize
352KB

Download
memory/2784-1-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/3000-18-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3000-20-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/3000-246-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download