6c74e50ceaa637126b99063629235109343c9d26a47b5600b8ab0d89d7718b8e

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e567e801406427827e509bf37646d52.exe
Size

424KB
MD5

1e567e801406427827e509bf37646d52
SHA1

726221e2a319c2e6ce28117519239740d79dc04f
SHA256

6c74e50ceaa637126b99063629235109343c9d26a47b5600b8ab0d89d7718b8e
SHA512

ce2e4d5aa6dbe95a4f7729c5467cb6a639542e057c29aa7a0b28dc932d1076d52519739fe16097e69af195f2871b247aa226b6014c53ca633ea18f64483911ca
SSDEEP

12288:+isrem3UQJ50J8HCpiz71c2E1GvGc62e:+isrDo8iM15Gca

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IwTQJSaLxi.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
1820	IwTQJSaLxi.exe

Loads dropped DLL 2 IoCs

pid	Process
3056	1e567e801406427827e509bf37646d52.exe
3056	1e567e801406427827e509bf37646d52.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3056-3-0x0000000000600000-0x0000000000671000-memory.dmp	upx
behavioral1/memory/1820-20-0x0000000000600000-0x0000000000671000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\IwTQJSaLxi = "C:\\ProgramData\\IwTQJSaLxi.exe"	1e567e801406427827e509bf37646d52.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	attrib.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	attrib.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky307.inf_amd64_ja-jp_e40bd14f18e8ff7d\prnky307.PNF	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\mmc.exe.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\netid.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\mydocs.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00a.inf_amd64_neutral_d64d696193e69d7b\Amd64\CNBBR325.DLL	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\scsidev.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\Amd64\CNB_0337.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\prnkm005.inf	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx003.inf_amd64_neutral_d1510a8315a2ea0d\Amd64\LME240N.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsv003.inf_amd64_neutral_1e0c4fbb9b11b015\Amd64\SV80606.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\lsi_sas2.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\AuxiliaryDisplayCpl.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\wpdshext.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\da-DK\mlang.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep004.inf_amd64_neutral_63b22bfb6b93eaba\Amd64\EP7MDL0L.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpc4600t.gpd	attrib.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\001e\_setup.dll	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\STEXSTOR.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_neutral_d834e48846616289\prnms002.cat	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\msinfo32.exe.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\prnky009.PNF	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\mstscax.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\Amd64\IFC7500.GPD	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\FirewallAPI.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsv003.inf_amd64_neutral_1e0c4fbb9b11b015\Amd64\SV1506.GPD	attrib.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremiumE	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\iirsp.inf_amd64_neutral_25c14d33af7f54f1	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\devmgmt.msc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\ts_wpdmtp.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\wmerror.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180	attrib.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\L2SecHC.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\OEM	attrib.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\FirewallControlPanel.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\icmui.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\MFReadWrite.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPZSRWN7.DLL	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmirmdm.inf_amd64_neutral_fadec14b0a37b637\mdmirmdm.inf	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF1321E3.PPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\hcw85c64.inf_amd64_neutral_96b71557b416d04a\hcw85c64.PNF	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx008.inf_amd64_neutral_75545721835fd863\Amd64\LXX854e.gpd	attrib.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\gpupdate.exe.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00e.inf_amd64_neutral_edc631ff41a34218\Amd64\EP0NGAAA.GPD	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\EventCreate.exe.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cxfalcon_ibv64.inf_amd64_neutral_d065aec3fcf4ec4e\cxfalcon_IBV64.sys	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00a.inf_amd64_neutral_d64d696193e69d7b\Amd64\CNBP_329.DLL	attrib.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalN\license.rtf	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\msports.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\colorui.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\DDORes.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\wsecedit.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPBPROPS.DLL	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\kscaptur.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalN	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\imapi.dll.mui	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpzprw71.dll	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\prnlx002.inf_loc	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc00b.inf_amd64_neutral_3338d41663aad5fa\Amd64\RIAADC45.GPD	attrib.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\ql40xx.inf_loc	attrib.exe
File opened for modification	C:\Windows\SysWOW64\en-US\termmgr.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\capiprovider.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\user32.dll.mui	attrib.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\waitfor.exe.mui	attrib.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui	attrib.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\RIPPLE.ELM	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_LightSpirit.gif	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\TWCUTLIN.DLL	attrib.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\ChkrRes.dll.mui	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES	attrib.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Kiritimati	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ENGLISH.LNG	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_sse2_plugin.dll	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07831_.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00686_.WMF	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\service.js	attrib.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msaddsr.dll	attrib.exe
File opened for modification	C:\Program Files\Java\jre7\bin\fontmanager.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XPAGE3C.DLL	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_left.png	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\wsdetect.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099159.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105276.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\TOOLICON.ICO	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304853.WMF	attrib.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\TAB_ON.GIF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\THMBNAIL.PNG	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\PREVIEW.GIF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105244.WMF	attrib.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES	attrib.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png	attrib.exe
File opened for modification	C:\Program Files\Mozilla Firefox\msvcp140.dll	attrib.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo	attrib.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105412.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115868.GIF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort	attrib.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\RM.DLL	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\PREVIEW.GIF	attrib.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\THMBNAIL.PNG	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107724.WMF	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00641_.WMF	attrib.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina	attrib.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR39F.GIF	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png	attrib.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RSSFeeds.html	attrib.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui	attrib.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\meta-index	attrib.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr	attrib.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\WindowsFirewall.adml	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Branding-Ultimate-Client-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.mum	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Shell-MultiplayerInboxGames-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum	attrib.exe
File opened for modification	C:\Windows\Boot\EFI\it-IT\memtest.efi.mui	attrib.exe
File opened for modification	C:\Windows\Fonts\trebucbi.ttf	attrib.exe
File opened for modification	C:\Windows\Help\Windows\it-IT\itpro.h1s	attrib.exe
File opened for modification	C:\Windows\inf\wsdprint.PNF	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers\goAmerica.browser	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~da-DK~7.1.7601.16492.mum	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe#\0b9fa58118c038e11f12fafefc9e7bb1\PresentationFramework-SystemXml.ni.dll.aux	attrib.exe
File opened for modification	C:\Windows\ehome\fr-FR\ehSidebarRes.dll.mui	attrib.exe
File opened for modification	C:\Windows\inf\MSDTC Bridge 4.0.0.0\0011\_TransactionBridgePerfCounters.ini	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\WindowsAnytimeUpgrade.admx	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SYSTEM.CONFIGURATION.resources\2.0.0.0_de_b03f5f7f11d50a3a\System.Configuration.resources.dll	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\9744e094346545d417a938174608d0ad	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\SQL\ja\SqlPersistenceProviderSchema.sql	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\Search.adml	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\3082	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-SimpleTCP-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat	attrib.exe
File opened for modification	C:\Windows\Speech\Engines\SR\en-US\ai031033.am	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\wpfgfx_v0300.dll	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehRecObj\6.1.0.0__31bf3856ad364e35	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.Services.dll	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\de\WsatConfig.resources.dll	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\XamlBuildTask.dll	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe.config	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationFramewo#\1badf57680aebab32f17bc080876b61d\PresentationFramework.Classic.ni.dll	attrib.exe
File opened for modification	C:\Windows\Fonts\browai.ttf	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\1041	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\es\Microsoft.Transactions.Bridge.Dtc.Resources.dll	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\Winsrv.adml	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Client-LanguagePack-Package-wrapper~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.mum	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-WMPNetworkSharingService-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.mum	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~nl-NL~7.1.7601.16492.mum	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35	attrib.exe
File opened for modification	C:\Windows\inf\.NETFramework\0000\corperfmonsymbols_D.ini	attrib.exe
File opened for modification	C:\Windows\inf\ASP.NET_4.0.30319\0011\aspnet_perf.ini	attrib.exe
File opened for modification	C:\Windows\inf\atiilhag.PNF	attrib.exe
File opened for modification	C:\Windows\inf\ASP.NET\0001\aspnet_perf2.ini	attrib.exe
File opened for modification	C:\Windows\inf\faxcn001.inf	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\locale.nlp	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Multimedia-Package~31bf3856ad364e35~amd64~lv-LV~7.1.7601.16492.cat	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Speech	attrib.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4#\53cf54ff35686c4044952a8cf8b8021e	attrib.exe
File opened for modification	C:\Windows\diagnostics\index\AudioRecordingDiagnostic.xml	attrib.exe
File opened for modification	C:\Windows\Fonts\meiryob.ttc	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Base-WinIP-Package~31bf3856ad364e35~amd64~hu-HU~7.1.7601.16492.mum	attrib.exe
File opened for modification	C:\Windows\Help\Windows\it-IT\touch.h1s	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1029\SetupResources.dll	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.mum	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\UIAutomationClient.dll	attrib.exe
File opened for modification	C:\Windows\PolicyDefinitions\TabletPCInputPanel.admx	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~he-IL~7.1.7601.16492.cat	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\system.identitymodel.resources\3.0.0.0_it_b77a5c561934e089	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Printing.resources\3.0.0.0_es_31bf3856ad364e35\System.Printing.resources.dll	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization\3.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll	attrib.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\BCD	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Excel\14.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Excel.config	attrib.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets	attrib.exe
File opened for modification	C:\Windows\servicing\Editions\StarterEdition.xml	attrib.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~fr-FR~7.1.7601.16492.mum	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\manageUsers.aspx.de.resx	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Download	1e567e801406427827e509bf37646d52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	1e567e801406427827e509bf37646d52.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	1e567e801406427827e509bf37646d52.exe
1820	IwTQJSaLxi.exe
3056	1e567e801406427827e509bf37646d52.exe
1820	IwTQJSaLxi.exe
3056	1e567e801406427827e509bf37646d52.exe
1820	IwTQJSaLxi.exe
3056	1e567e801406427827e509bf37646d52.exe
1820	IwTQJSaLxi.exe
3056	1e567e801406427827e509bf37646d52.exe
1820	IwTQJSaLxi.exe
3056	1e567e801406427827e509bf37646d52.exe
1820	IwTQJSaLxi.exe
3056	1e567e801406427827e509bf37646d52.exe
1820	IwTQJSaLxi.exe
3056	1e567e801406427827e509bf37646d52.exe
1820	IwTQJSaLxi.exe
3056	1e567e801406427827e509bf37646d52.exe
1820	IwTQJSaLxi.exe
3056	1e567e801406427827e509bf37646d52.exe
1820	IwTQJSaLxi.exe
3056	1e567e801406427827e509bf37646d52.exe
1820	IwTQJSaLxi.exe
3056	1e567e801406427827e509bf37646d52.exe
1820	IwTQJSaLxi.exe
3056	1e567e801406427827e509bf37646d52.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe
1820	IwTQJSaLxi.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3056	1e567e801406427827e509bf37646d52.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 1820	3056	1e567e801406427827e509bf37646d52.exe	23
PID 3056 wrote to memory of 1820	3056	1e567e801406427827e509bf37646d52.exe	23
PID 3056 wrote to memory of 1820	3056	1e567e801406427827e509bf37646d52.exe	23
PID 3056 wrote to memory of 1820	3056	1e567e801406427827e509bf37646d52.exe	23
PID 1820 wrote to memory of 2796	1820	IwTQJSaLxi.exe	33
PID 1820 wrote to memory of 2796	1820	IwTQJSaLxi.exe	33
PID 1820 wrote to memory of 2796	1820	IwTQJSaLxi.exe	33
PID 1820 wrote to memory of 2796	1820	IwTQJSaLxi.exe	33
PID 1820 wrote to memory of 2836	1820	IwTQJSaLxi.exe	40
PID 1820 wrote to memory of 2836	1820	IwTQJSaLxi.exe	40
PID 1820 wrote to memory of 2836	1820	IwTQJSaLxi.exe	40
PID 1820 wrote to memory of 2836	1820	IwTQJSaLxi.exe	40
PID 1820 wrote to memory of 2840	1820	IwTQJSaLxi.exe	38
PID 1820 wrote to memory of 2840	1820	IwTQJSaLxi.exe	38
PID 1820 wrote to memory of 2840	1820	IwTQJSaLxi.exe	38
PID 1820 wrote to memory of 2840	1820	IwTQJSaLxi.exe	38
PID 1820 wrote to memory of 2884	1820	IwTQJSaLxi.exe	37
PID 1820 wrote to memory of 2884	1820	IwTQJSaLxi.exe	37
PID 1820 wrote to memory of 2884	1820	IwTQJSaLxi.exe	37
PID 1820 wrote to memory of 2884	1820	IwTQJSaLxi.exe	37

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1e567e801406427827e509bf37646d52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	1e567e801406427827e509bf37646d52.exe

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2836	attrib.exe
2796	attrib.exe
2884	attrib.exe
2840	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1e567e801406427827e509bf37646d52.exe
"C:\Users\Admin\AppData\Local\Temp\1e567e801406427827e509bf37646d52.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3056
- C:\ProgramData\IwTQJSaLxi.exe
  "C:\ProgramData\IwTQJSaLxi.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\Users\Admin\*.* " /s /d
    3⤵
    - Views/modifies file attributes
    PID:2796
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "F:\*.*" /s /d
    3⤵
    - Views/modifies file attributes
    PID:2884
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\*.*" /s /d
    3⤵
    - Drops file in Drivers directory
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:2840
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h "C:\ProgramData\Microsoft\Windows\Start Menu\*.* " /s /d
    3⤵
    - Views/modifies file attributes
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IwTQJSaLxi.exe

Filesize
45KB

MD5
3775c66f3b844cb4369a837b594f33d7

SHA1
bba555c5c56ec841fe22597103b5b7f0d2628c79

SHA256
efbc3e9974e542d788fb3cff1e1ddfa54635265fe6b057caa7b3d83729e317c6

SHA512
d1e1ca1e7e5b26479f57da5d6d5a56180a14cd2ead3c5582da16221e7a6592e3813ebe1f9ae9c9417d2bbe05440de10e37a8a6af4677ded0e9034c7c49b86825

Download Submit
C:\ProgramData\IwTQJSaLxi.exe

Filesize
316KB

MD5
21bc5799a2e16999b87fc8ffa8d0eb24

SHA1
73ac2bfa1eef0415ca39ca0e601095e8b54458b6

SHA256
45296d1f4a2bad91c8467014a5ca92bade5a571c19fe47d77e779f864d749c24

SHA512
546ef0c9394e1628620ab92fc8991c4d47d6d42846c724f7bde732671aa5956dce57669a92f405dd9d5e64eb46f422a7d4c0ae24659a311aeeecb8c8c65bc40c

Download Submit
C:\ProgramData\IwTQJSaLxi.exe

Filesize
129KB

MD5
538a4d1f12dd1d9326a2e63f2e0e8cf1

SHA1
f22058918a063bbda9561fd249b3b68b65cf4eae

SHA256
0cad6dc39008ec49141cffb8f210cba3c164c19bca815d776ea1870d05a11f0b

SHA512
de84772d4ed05f230a054d82be9018117c3686c952533a57c1228107f9e6c6dfb0668a4edb5e7dcb0ddff383208109adc78f2faf83ee57013f73c14db409870b

Download Submit
\ProgramData\IwTQJSaLxi.exe

Filesize
96KB

MD5
96536d747aeb6dfcf676f9f10368fd38

SHA1
ffdc57ba337093309de817b00b6811fd8d9e3bb6

SHA256
c02bed6c725b85afc0cac72ac054395fbc7309692acbffa0c9f06078fe20029b

SHA512
b6130f99f027d40ac31b7a27f622a6ed420dfe04c975111eb857f314b03bc7f795b000c6f44278849ee4dba28ac6256c7136050237fa3ff9618f2eef90275063

Download Submit
\ProgramData\IwTQJSaLxi.exe

Filesize
141KB

MD5
aeeee05f346e15f1e5ad0185ada7c45e

SHA1
c80c9d92f54e7c89f7b2f4fbc805d5cb0c00791c

SHA256
baa2fa7b7c6548db447f4311db9506c8c3385218ef9c06858412a9e3e94e4af5

SHA512
b855d4fa4fce3313f279c1d78f44378d3bad50b37fc21261a4c2008b53e878efc57cbb6968427d63faeb8651a88f6757c9dea9ac2fc4cdc6f9562b26768cb25b

Download Submit
memory/1820-13-0x0000000000230000-0x000000000028B000-memory.dmp

Filesize
364KB

Download
memory/1820-17-0x0000000000230000-0x000000000028B000-memory.dmp

Filesize
364KB

Download
memory/1820-20-0x0000000000600000-0x0000000000671000-memory.dmp

Filesize
452KB

Download
memory/3056-1-0x0000000000600000-0x0000000000671000-memory.dmp

Filesize
452KB

Download
memory/3056-3-0x0000000000600000-0x0000000000671000-memory.dmp

Filesize
452KB

Download
memory/3056-0-0x0000000000440000-0x000000000049B000-memory.dmp

Filesize
364KB

Download
memory/3056-16-0x0000000000440000-0x000000000049B000-memory.dmp

Filesize
364KB

Download