Overview

Score  Task                  Platform
7      Static                static
1      WPLOCKER.COM.url      windows7-x64
6      WPLOCKER.COM.url      windows10-2004-x64
3      qalam/asse...ml5.js   windows7-x64
1      qalam/asse...ml5.js   windows10-2004-x64
1      qalam/asse...end.js   windows7-x64
1      qalam/asse...end.js   windows10-2004-x64
1      qalam/asse...00.ttf   windows7-x64
3      qalam/asse...00.ttf   windows10-2004-x64
7      qalam/asse....woff2   windows7-x64
3      qalam/asse....woff2   windows10-2004-x64
3      qalam/asse...00.ttf   windows7-x64
3      qalam/asse...00.ttf   windows10-2004-x64
7      qalam/asse....woff2   windows7-x64
3      qalam/asse....woff2   windows10-2004-x64
3      qalam/asse...00.ps1   windows7-x64
1      qalam/asse...00.ps1   windows10-2004-x64
1      qalam/incl...umb.js   windows7-x64
1      qalam/incl...umb.js   windows10-2004-x64
1      qalam/incl...on.ps1   windows7-x64
1      qalam/incl...on.ps1   windows10-2004-x64
1      qalam/lang...am.pot   windows7-x64
1      qalam/lang...am.pot   windows10-2004-x64
1      wp-post-mo...min.js   windows7-x64
1      wp-post-mo...min.js   windows10-2004-x64
1      wp-post-mo...min.js   windows7-x64
1      wp-post-mo...min.js   windows10-2004-x64
1      wp-post-mo...min.js   windows7-x64
1      wp-post-mo...min.js   windows10-2004-x64
1      wp-post-mo...end.js   windows7-x64
1      wp-post-mo...end.js   windows10-2004-x64
1      wp-post-mo...min.js   windows7-x64
1      wp-post-mo...min.js   windows10-2004-x64
Analysis

Max time kernel: 118s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 22-01-2024 12:25
Static task: static1

Behavioral tasks

Task          Sample                                               Resource
behavioral1   WPLOCKER.COM.url                                     win7-20231129-en
behavioral2   WPLOCKER.COM.url                                     win10v2004-20231215-en
behavioral3   qalam/assets/js/html5.js                             win7-20231215-en
behavioral4   qalam/assets/js/html5.js                             win10v2004-20231215-en
behavioral5   qalam/assets/js/qalam.frontend.js                    win7-20231129-en
behavioral6   qalam/assets/js/qalam.frontend.js                    win10v2004-20231222-en
behavioral7   qalam/assets/webfonts/fa-brands-400.ttf              win7-20231129-en
behavioral8   qalam/assets/webfonts/fa-brands-400.ttf              win10v2004-20231215-en
behavioral9   qalam/assets/webfonts/fa-brands-400.woff2            win7-20231215-en
behavioral10  qalam/assets/webfonts/fa-brands-400.woff2            win10v2004-20231222-en
behavioral11  qalam/assets/webfonts/fa-regular-400.ttf             win7-20231215-en
behavioral12  qalam/assets/webfonts/fa-regular-400.ttf             win10v2004-20231215-en
behavioral13  qalam/assets/webfonts/fa-regular-400.woff2           win7-20231215-en
behavioral14  qalam/assets/webfonts/fa-regular-400.woff2           win10v2004-20231222-en
behavioral15  qalam/assets/webfonts/fa-solid-900.ps1               win7-20231215-en
behavioral16  qalam/assets/webfonts/fa-solid-900.ps1               win10v2004-20231215-en
behavioral17  qalam/includes/bfi_thumb.js                          win7-20231215-en
behavioral18  qalam/includes/bfi_thumb.js                          win10v2004-20231215-en
behavioral19  qalam/includes/class-tgm-plugin-activation.ps1       win7-20231129-en
behavioral20  qalam/includes/class-tgm-plugin-activation.ps1       win10v2004-20231215-en
behavioral21  qalam/languages/qalam.pot                            win7-20231215-en
behavioral22  qalam/languages/qalam.pot                            win10v2004-20231215-en
behavioral23  wp-post-modules-el/assets/js/jquery.easing.min.js    win7-20231215-en
behavioral24  wp-post-modules-el/assets/js/jquery.easing.min.js    win10v2004-20231222-en
behavioral25  wp-post-modules-el/assets/js/jquery.marquee.min.js   win7-20231215-en
behavioral26  wp-post-modules-el/assets/js/jquery.marquee.min.js   win10v2004-20231215-en
behavioral27  wp-post-modules-el/assets/js/owl.carousel.min.js     win7-20231129-en
behavioral28  wp-post-modules-el/assets/js/owl.carousel.min.js     win10v2004-20231215-en
behavioral29  wp-post-modules-el/assets/js/wppm-el.frontend.js     win7-20231129-en
behavioral30  wp-post-modules-el/assets/js/wppm-el.frontend.js     win10v2004-20231222-en
behavioral31  wp-post-modules-el/assets/js/wppm-el.frontend.min.js win7-20231215-en
behavioral32  wp-post-modules-el/assets/js/wppm-el.frontend.min.js win10v2004-20231222-en
General

Target: qalam/assets/webfonts/fa-regular-400.woff2
Size: 23KB
MD5: 747442fa76f1d9a31f9a54a2e8a4b448
SHA1: 07fc0ae14bb3187839082aed3bca11dfb1e04524
SHA256: 9169d8be7a8177e5a92a4d04b6de7f6504b938573bf4da5889871c4f376d3849
SHA512: 274dbe5bc31c560d2cc2d15afe5485687b2f7dd0ee24ffed99627310ea36a6a3cc1c91e22368f909d056f4faab051838d469e0bfe8a30169b735aca5eb0f402f
SSDEEP: 384:Ok8mTTNu15tM1xuB9dYY7YRHmOdjzUJsAr4p8Oq7kpPyXBpqrhDRBybCpMuT33SI:OGg15tM1xuBYY7YRHmcjzUJJr4p8Oq7a
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (9 IoCs)
  Process: rundll32.exe

  Description      IoC                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\woff2_auto_file\                           rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.woff2\ = "woff2_auto_file"               rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\woff2_auto_file\shell\Read\command        rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\woff2_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_Classes\Local Settings                            rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\woff2_auto_file                            rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\.woff2                                     rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\woff2_auto_file\shell\Read                 rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\woff2_auto_file\shell                      rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Process: AcroRd32.exe

  PID   Process
  2780  AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: AcroRd32.exe

  PID   Process
  2780  AcroRd32.exe
  2780  AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe

  Description                        PID   Process       Target process
  PID 1664 wrote to memory of 2724   1664  cmd.exe       rundll32.exe
  PID 1664 wrote to memory of 2724   1664  cmd.exe       rundll32.exe
  PID 1664 wrote to memory of 2724   1664  cmd.exe       rundll32.exe
  PID 2724 wrote to memory of 2780   2724  rundll32.exe  AcroRd32.exe
  PID 2724 wrote to memory of 2780   2724  rundll32.exe  AcroRd32.exe
  PID 2724 wrote to memory of 2780   2724  rundll32.exe  AcroRd32.exe
  PID 2724 wrote to memory of 2780   2724  rundll32.exe  AcroRd32.exe
Processes

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\qalam\assets\webfonts\fa-regular-400.woff2
   PID: 1664
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\qalam\assets\webfonts\fa-regular-400.woff2
      PID: 2724
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\qalam\assets\webfonts\fa-regular-400.woff2"
         PID: 2780
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 71c0ae4f4f4b9de977807c4ac6e7d774
SHA1: 96022369dd5db607c2e158746a5b1aea8a8a6b55
SHA256: 72f12763aa307522d84c09ef47e6daf28228c4e55c49b1787a0f584edcef048e
SHA512: 543534f24ba4b0fd01095204ce132646eaf7f8d0f95f36d0c02fc4d25438c34fca7e7563dc6121b09c0a34309c08ed090f19c52e2709e48f8a1e41c58fc11ad0