a1d303b353df28ed366a8fc944d93cacf25f328d63e2b95c30b188410a6894df

Resubmissions

12/01/2024, 05:35

240112-gactqsgcf6 7

12/01/2024, 05:30

240112-f7lx8sfdbm 7

12/01/2024, 05:25

240112-f4aqssfcej 7

Analysis

max time kernel
148s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20231222-es
resource tags

arch:x64arch:x86image:win10v2004-20231222-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
12/01/2024, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quest Games Optimizer 9.2.1 -NIF(1).zip
Size

17.7MB
MD5

3d75fc8cd700fab64697eb8357dedbf8
SHA1

e2f4360f7bc0bf78acdd4e5beb7f8667480be30f
SHA256

a1d303b353df28ed366a8fc944d93cacf25f328d63e2b95c30b188410a6894df
SHA512

f2baecdf7b6cbcec1e40a626a8845bed4994a1994d670fd9acda74ed0bbc3ab8844421b002531c97e34acc3cb938e5e45948869bad93a6fc6a60cac897169371
SSDEEP

393216:gOugtpTm5/sUOaaegtMnYjRtkpkmMbRlV8+sgtvz9BZpuS:zLpTzPhMe8kPlegpBPN

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3636-0-0x0000000140000000-0x000000014002F000-memory.dmp	upx
behavioral1/memory/3636-3-0x0000000140000000-0x000000014002F000-memory.dmp	upx
behavioral1/memory/3636-11-0x0000000140000000-0x000000014002F000-memory.dmp	upx
behavioral1/memory/2064-16-0x0000000140000000-0x000000014002F000-memory.dmp	upx

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 4836	3636	全自动安装.exe	113
PID 3636 wrote to memory of 4836	3636	全自动安装.exe	113
PID 4836 wrote to memory of 2088	4836	cmd.exe	112
PID 4836 wrote to memory of 2088	4836	cmd.exe	112
PID 4836 wrote to memory of 2088	4836	cmd.exe	112
PID 2088 wrote to memory of 3372	2088	adb.exe	118
PID 2088 wrote to memory of 3372	2088	adb.exe	118
PID 2088 wrote to memory of 3372	2088	adb.exe	118
PID 4836 wrote to memory of 5076	4836	cmd.exe	119
PID 4836 wrote to memory of 5076	4836	cmd.exe	119
PID 4836 wrote to memory of 5076	4836	cmd.exe	119
PID 2064 wrote to memory of 3704	2064	全自动安装.exe	127
PID 2064 wrote to memory of 3704	2064	全自动安装.exe	127
PID 3704 wrote to memory of 1668	3704	cmd.exe	126
PID 3704 wrote to memory of 1668	3704	cmd.exe	126
PID 3704 wrote to memory of 1668	3704	cmd.exe	126
PID 1668 wrote to memory of 4928	1668	adb.exe	128
PID 1668 wrote to memory of 4928	1668	adb.exe	128
PID 1668 wrote to memory of 4928	1668	adb.exe	128
PID 3704 wrote to memory of 4140	3704	cmd.exe	129
PID 3704 wrote to memory of 4140	3704	cmd.exe	129
PID 3704 wrote to memory of 4140	3704	cmd.exe	129

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Quest Games Optimizer 9.2.1 -NIF(1).zip"
1⤵
PID:2408

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4048

C:\Users\Admin\Desktop\全自动安装.exe
"C:\Users\Admin\Desktop\全自动安装.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\65BA.tmp\65BB.tmp\65BC.bat C:\Users\Admin\Desktop\全自动安装.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Users\Admin\Desktop\adb\adb.exe
    "adb\adb.exe" kill-server
    3⤵
    PID:5076

C:\Users\Admin\Desktop\adb\adb.exe
"adb\adb.exe" install "com.anagan.qgp.apk"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\Desktop\adb\adb.exe
  adb -L tcp:5037 fork-server server --reply-fd 600
  2⤵
  PID:3372

C:\Users\Admin\Desktop\全自动安装.exe
"C:\Users\Admin\Desktop\全自动安装.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4368.tmp\4369.tmp\436A.bat C:\Users\Admin\Desktop\全自动安装.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Users\Admin\Desktop\adb\adb.exe
    "adb\adb.exe" kill-server
    3⤵
    PID:4140

C:\Users\Admin\Desktop\adb\adb.exe
"adb\adb.exe" install "com.anagan.qgp.apk"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\Desktop\adb\adb.exe
  adb -L tcp:5037 fork-server server --reply-fd 572
  2⤵
  PID:4928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.android\adbkey

Filesize
1KB

MD5
3731a291bdf808b019885a2562023845

SHA1
5a38496c1290e0ac600786c57cc5d66e4c21794e

SHA256
4e995eec726febf036862c61d4861d6e475c59816116772fe95d96b931925087

SHA512
73c7725193f8864fefccb6710ee83857df301436fb3eb1a700db569286ceb4f4d080e1f3a59387d15ab0c9fdda8951c8b07b5e1dc7656aba3904562f53f30024

Download Submit
C:\Users\Admin\AppData\Local\Temp\4368.tmp\4369.tmp\436A.bat

Filesize
435B

MD5
2f68a3064dcbc3c25ed677cf9f8b3729

SHA1
9fad2e5c9752ec30cd32f2f7c23cb5a52566766a

SHA256
0a423e84702d81e85c2a8313fc0ea261ccb61ce1f255c1955f72505b76646163

SHA512
3782942518bb897455c5435892b732af8ef487cbe5799f0e3c20e28d76d4f619d51c09f2f17a1be3a7a509344f5050d82dd2aa7a64d961a8281f7843fa1c615b

Download Submit
C:\Users\Admin\AppData\Local\Temp\adb.log

Filesize
1009B

MD5
8dd69046854eb2bbc2eeea9ad8d32009

SHA1
43e4f00cede5823c5968dc8d3f5cec8ff20d1f60

SHA256
0d1f713947dd6a283cbeff4b82f1eae501d676af2a94e3d157bca57178dedac2

SHA512
5d6dc58668168258bd453ed93ffc68a8a88c139f95e6eaedbcbac348cb1f384568e7c4cd58dd4869d8dbd59dd4efb9adefce54bbc1ba65bf43fb6913a4c5a063

Download Submit
memory/2064-16-0x0000000140000000-0x000000014002F000-memory.dmp

Filesize
188KB

Download
memory/3636-0-0x0000000140000000-0x000000014002F000-memory.dmp

Filesize
188KB

Download
memory/3636-3-0x0000000140000000-0x000000014002F000-memory.dmp

Filesize
188KB

Download
memory/3636-11-0x0000000140000000-0x000000014002F000-memory.dmp

Filesize
188KB

Download