Analysis
max time kernel: 143s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-02-2024 03:11
Static task: static1

Behavioral task: behavioral1
  Sample: XLQI.exe
  Resource: win7-20231215-en (windows7-x64)
  0 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: XLQI.exe
  Resource: win10v2004-20231215-en (windows10-2004-x64)
  5 signatures, 150 seconds
General
Target: XLQI.exe
Size: 1.4MB
MD5: 4efc7c1381ad38d44c813429602324bb
SHA1: ffb7f1d5343a76e9ace0a9b5211adbaaf932678f
SHA256: caae3a24c2f02c86cff5fcc3d720078ebbe85eaad9dee68a4ba03d16a212dbb4
SHA512: aa171264e03035863a63913994350f9adf52723ead094535473587cda1c1020c8fdb4129d17b79f4012104ba47740f1c07fc1bb438ad832307fb47f85ea2046d
SSDEEP: 24576:03dhgAYmYqHU7pHYev00V6dCDdoVYdGp8VTALtMa6P:3mYqHU7pHYY00VcCDdowG3tMa6P
Score: 5/10
Malware Config
Signatures
Suspicious use of SetThreadContext (1 IoC)
  description                              | pid  | Process  | procid_target
  PID 2888 set thread context of 2976      | 2888 | XLQI.exe | 84

Program crash (1 IoC)
  pid  | pid_target | Process      | procid_target
  4292 | 2888       | WerFault.exe | 83

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  2888 | XLQI.exe   (this row is repeated 64 times in the report)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoC)
  pid  | Process
  2888 | XLQI.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description                              | pid  | Process  | procid_target
  PID 2888 wrote to memory of 2976         | 2888 | XLQI.exe | 84   (this row is repeated 8 times in the report)
Processes
1. C:\Users\Admin\AppData\Local\Temp\XLQI.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\XLQI.exe"
   PID: 2888
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\ctfmon.exe
      command line: "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
      PID: 2976
   2. C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 496
      PID: 4292
      - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2888 -ip 2888
   PID: 408