0c423cf66f061e55ffd7da969058397142c7f95c0a886b7c483f3d86ebdeb1f9

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QLCai.exe
Size

4.3MB
MD5

2b25f6a9806d2538f2e0207feac8872c
SHA1

d1a04bef387032d0ebd5e35aec7583d748d48568
SHA256

c38e45bcf35206fc74a3d4e6e29377156e5c31af1f3085904c216a32c6305df4
SHA512

02e13d15783eb9a4d2a17365d2e6c25d2adcd83146a321167ab0477773c7e5c7796a61ad4bfb936358a921e3c9082c5bc16c257b0c6d9f79497d65e6e6c16cae
SSDEEP

98304:5+a6JLjH3dutXJSTP/sAQvA3W2nm+06ZANcu5ej60RZHcZNK3:5+3Jn3wOTPlQ8tm+0OImWIZf3

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2240	irsetup.exe

Loads dropped DLL 4 IoCs

pid	Process
2956	QLCai.exe
2956	QLCai.exe
2956	QLCai.exe
2956	QLCai.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2240-17-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral1/files/0x000a000000014120-9.dat	upx
behavioral1/files/0x000a000000014120-6.dat	upx
behavioral1/files/0x000a000000014120-5.dat	upx
behavioral1/files/0x000a000000014120-2.dat	upx
behavioral1/memory/2240-28-0x0000000000400000-0x000000000057E000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ÆßÀÖ²ÊÖÇÄÜËõË®´óÊ¦ Setup Log.txt	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2240	irsetup.exe
2240	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2240	2956	QLCai.exe	17
PID 2956 wrote to memory of 2240	2956	QLCai.exe	17
PID 2956 wrote to memory of 2240	2956	QLCai.exe	17
PID 2956 wrote to memory of 2240	2956	QLCai.exe	17
PID 2956 wrote to memory of 2240	2956	QLCai.exe	17
PID 2956 wrote to memory of 2240	2956	QLCai.exe	17
PID 2956 wrote to memory of 2240	2956	QLCai.exe	17

C:\Users\Admin\AppData\Local\Temp\QLCai.exe
"C:\Users\Admin\AppData\Local\Temp\QLCai.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:653858 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\QLCai.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-3627615824-4061627003-3019543961-1000"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
381KB

MD5
ddf624bb7e2e5fa894caee439aaf5d48

SHA1
8290cbfe043dec3ac61e770851396bd9c4e44a8d

SHA256
6d6e7bf5bf6f78bfe3eb75d1c7efa3a8e46ed86e8a74b8c7d5904a34c5f7647f

SHA512
40d99f810946f19cff06390ef3978aa6d445de698b2944c23881910777649c74b05973f0031c80c8c1e0026fc4efa0077797149fc764f88ea88909b266a02210

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
384KB

MD5
af8ab6cd11c5d6ead4989c6df49a30a8

SHA1
cb2e3f9221d71c9ad0d29c90fcdc37d5eb327919

SHA256
64d2c7641ec9e1a2471b0f88f92dfb76dc3ef3fae8514b6288e61ef8a758d74c

SHA512
a8b8f8de4439f33b0c32afe86814515508745dfbb88cc7fc09db64114033e4c6d3095a40c76c476040bd3d5bcb2f0ded3ada2a36ca43208b25f902316891cc57

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
92KB

MD5
d8a67e88d92f2f5ed1dad2a9060cdf14

SHA1
e526c6fa48255b1af191854529e89ba274371675

SHA256
cad6b07f981610cc392842af500cba889af06463cdf601f92f2ef3a67a369ef9

SHA512
9d3ed901ce8bae4dbb00ccbaede02c412dfb5953177ee7ec3d992b21a9dc7a87578b08f5cde2a5aca3d369c6c8f502c61b1676e4f9cbbd7e33f154ad8e8d871c

Download Submit
memory/2240-17-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2240-28-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2956-15-0x0000000002CA0000-0x0000000002E1E000-memory.dmp

Filesize
1.5MB

Download
memory/2956-14-0x0000000002CA0000-0x0000000002E1E000-memory.dmp

Filesize
1.5MB

Download