adfea118626d039df9b85e4883893ecd5739db471df35bcad218f6776320019c

General

Target

7e3153075809929b5f9057852911a159.exe
Size

526KB
MD5

7e3153075809929b5f9057852911a159
SHA1

8cac2d077d6a0341aa530b0e7a606563f04a0842
SHA256

adfea118626d039df9b85e4883893ecd5739db471df35bcad218f6776320019c
SHA512

ac3686bfe81f187d144bc7a4f2b973d84a64354856e3654109b42e2d0be3bc03c2213098bd6c3ab2ee9a40d0006217721e1d500a6d6d2215093384d3002bfbd6
SSDEEP

12288:abupo70X4yQySH6u40Prkl84/0zGoPqLbI16MMcxwireV:ak+0Xh46N+2czaPE6MHxw7

Score

8^/10

persistence upx

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	qvodsetuls6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "services.exe"	qvodsetuls6.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	7e3153075809929b5f9057852911a159.exe

Executes dropped EXE 3 IoCs

pid	Process
1876	QvodSetup5.exe
2436	qvodsetuls6.exe
3884	~24070446.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002312d-5.dat	upx
behavioral2/memory/1876-18-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/files/0x0008000000023131-16.dat	upx
behavioral2/memory/2436-21-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1876-30-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/2436-31-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1876-32-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/1876-33-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/2436-34-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1876-35-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/2436-36-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2436-46-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1876-49-0x0000000000400000-0x00000000004E7000-memory.dmp	upx
behavioral2/memory/1876-57-0x0000000000400000-0x00000000004E7000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Windows\\system32\\3mHvM.exe"	qvodsetuls6.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\3mHvM.exe	qvodsetuls6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
2436	qvodsetuls6.exe
3884	~24070446.exe
3884	~24070446.exe
3884	~24070446.exe
3884	~24070446.exe
3884	~24070446.exe
3884	~24070446.exe
3884	~24070446.exe
3884	~24070446.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	qvodsetuls6.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1876	QvodSetup5.exe
1876	QvodSetup5.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1876	QvodSetup5.exe
1876	QvodSetup5.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 1876	3624	7e3153075809929b5f9057852911a159.exe	83
PID 3624 wrote to memory of 1876	3624	7e3153075809929b5f9057852911a159.exe	83
PID 3624 wrote to memory of 1876	3624	7e3153075809929b5f9057852911a159.exe	83
PID 3624 wrote to memory of 2436	3624	7e3153075809929b5f9057852911a159.exe	84
PID 3624 wrote to memory of 2436	3624	7e3153075809929b5f9057852911a159.exe	84
PID 3624 wrote to memory of 2436	3624	7e3153075809929b5f9057852911a159.exe	84
PID 2436 wrote to memory of 3884	2436	qvodsetuls6.exe	93
PID 2436 wrote to memory of 3884	2436	qvodsetuls6.exe	93
PID 2436 wrote to memory of 3884	2436	qvodsetuls6.exe	93
PID 3884 wrote to memory of 2616	3884	~24070446.exe	94
PID 3884 wrote to memory of 2616	3884	~24070446.exe	94
PID 3884 wrote to memory of 2616	3884	~24070446.exe	94

C:\Users\Admin\AppData\Local\Temp\7e3153075809929b5f9057852911a159.exe
"C:\Users\Admin\AppData\Local\Temp\7e3153075809929b5f9057852911a159.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Users\Admin\AppData\Local\Temp\QvodSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\QvodSetup5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1876
- C:\Users\Admin\AppData\Local\Temp\qvodsetuls6.exe
  "C:\Users\Admin\AppData\Local\Temp\qvodsetuls6.exe"
  2⤵
  - Sets file execution options in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\~24070446.exe
    C:\Users\Admin\AppData\Local\Temp\~24070446.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QvodSetup5.exe

Filesize
540KB

MD5
59e20e2ec60d5946ad54b64a3deb1c83

SHA1
7027c9308b7b2d14ff9fd7b81efa81a1c9a0ec68

SHA256
538c299746b0afa502968f74f13220069a204e06d008c429a19762ee7ae097bc

SHA512
283824f4d63fdef8eba6a078dc7dcaff401cc13aee6e3c970f0505772b4b1525e2ad805dc2e90b3140f3d9523ea7db575eaf860db60f6c2b4a8edb289d447aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qvodsetuls6.exe

Filesize
29KB

MD5
5550879adc6a6ebf760cf296f9172f1c

SHA1
ab201c39912c03676879b8e62c60c767cc28e6c8

SHA256
dac91f0fcc4efb31c8ce2dddb3480ed90f8497cc944e6f3c433a2fc921fdbf8c

SHA512
0edc06c780285fb1ab5b55d2f63ace3960da5330f2a92566dd7297411deee5235ec0ea03af3f51096db75ee76d05b8ec47974789799bfdeffda3e8645f51fa56

Download Submit
C:\Users\Admin\AppData\Local\Temp\~24070446.exe

Filesize
8KB

MD5
94ec28c475c828a7ba7f53e8a72de448

SHA1
5df58c1c609a04f750d7967510d305867c6748ed

SHA256
4150ca7cdbc9bc46c835e4aa230648f1ba497cff0a6b102aa97cdfbe433347b0

SHA512
7a5c45baaac5b960fdf2b11b06e3818744878ae9d3dcdfa0a535f4ac43cf6fa7117b75d2512c669d3ba81d4e4e49e4d054b2dec9c8d9da5daa65b9027187080c

Download Submit
memory/1876-35-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1876-18-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1876-57-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1876-49-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1876-23-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/1876-30-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1876-32-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1876-33-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2436-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2436-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2436-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2436-31-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2436-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3624-22-0x0000000000400000-0x000000000048536D-memory.dmp

Filesize
532KB

Download
memory/3624-0-0x0000000000400000-0x000000000048536D-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads