7921ea0672bb1ab083fbbc18b2487e57d91edc93d09162457700714e5fb52084

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac0b3356655f8495fdc17d97802aaf31.exe
Size

224KB
MD5

ac0b3356655f8495fdc17d97802aaf31
SHA1

cf6d831f812666485612ac85c2649658454d731d
SHA256

7921ea0672bb1ab083fbbc18b2487e57d91edc93d09162457700714e5fb52084
SHA512

d2fa88c998c41c6ee126d0d3f3a1ae19c34d97b01af1f84d4eb928caa464299b429f19ae42dfeca7fa3e4118ba1a52dcb6fc74de940c16b2b7d0b56069967740
SSDEEP

3072:z+dXwfjdGl5nf1pmylYKmanlVl/vuxlil5iA6SfMhLgTVBJvna+dXwVSnE3:z+yfQ5nlliqlVJ7fiA6qsgT5a+yVCE3

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	qzrSJUcPyR.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	qzrSJUcPyR.exe
File created	C:\Windows\SysWOW64\drivers\acpiec.sys	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
2952	qzrSJUcPyR.exe
2380	iMpk6n8OpS.exe

Loads dropped DLL 10 IoCs

pid	Process
1624	ac0b3356655f8495fdc17d97802aaf31.exe
1624	ac0b3356655f8495fdc17d97802aaf31.exe
1624	ac0b3356655f8495fdc17d97802aaf31.exe
2380	iMpk6n8OpS.exe
2380	iMpk6n8OpS.exe
2380	iMpk6n8OpS.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016d32-17.dat	upx
behavioral1/files/0x0007000000016d16-13.dat	upx
behavioral1/memory/2380-21-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2380-34-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2380-35-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2380-36-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2380-50-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2380-51-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2380-53-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2380-55-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2380-56-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2380-58-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2380-59-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	qzrSJUcPyR.exe
File opened for modification	C:\autorun.inf	qzrSJUcPyR.exe
File created	F:\autorun.inf	qzrSJUcPyR.exe
File opened for modification	F:\autorun.inf	qzrSJUcPyR.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\func.dll	qzrSJUcPyR.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\phpi.dll	qzrSJUcPyR.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2860	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2692	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2372	taskkill.exe
2784	taskkill.exe
2396	taskkill.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe
2312	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	2312	rundll32.exe
Token: SeDebugPrivilege	2312	rundll32.exe
Token: SeDebugPrivilege	2312	rundll32.exe
Token: SeDebugPrivilege	2312	rundll32.exe
Token: SeDebugPrivilege	2312	rundll32.exe
Token: SeDebugPrivilege	2312	rundll32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2380	iMpk6n8OpS.exe
2380	iMpk6n8OpS.exe
2380	iMpk6n8OpS.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2380	iMpk6n8OpS.exe
2380	iMpk6n8OpS.exe
2380	iMpk6n8OpS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2936	1624	ac0b3356655f8495fdc17d97802aaf31.exe	28
PID 1624 wrote to memory of 2936	1624	ac0b3356655f8495fdc17d97802aaf31.exe	28
PID 1624 wrote to memory of 2936	1624	ac0b3356655f8495fdc17d97802aaf31.exe	28
PID 1624 wrote to memory of 2936	1624	ac0b3356655f8495fdc17d97802aaf31.exe	28
PID 1624 wrote to memory of 2952	1624	ac0b3356655f8495fdc17d97802aaf31.exe	30
PID 1624 wrote to memory of 2952	1624	ac0b3356655f8495fdc17d97802aaf31.exe	30
PID 1624 wrote to memory of 2952	1624	ac0b3356655f8495fdc17d97802aaf31.exe	30
PID 1624 wrote to memory of 2952	1624	ac0b3356655f8495fdc17d97802aaf31.exe	30
PID 1624 wrote to memory of 2480	1624	ac0b3356655f8495fdc17d97802aaf31.exe	31
PID 1624 wrote to memory of 2480	1624	ac0b3356655f8495fdc17d97802aaf31.exe	31
PID 1624 wrote to memory of 2480	1624	ac0b3356655f8495fdc17d97802aaf31.exe	31
PID 1624 wrote to memory of 2480	1624	ac0b3356655f8495fdc17d97802aaf31.exe	31
PID 2952 wrote to memory of 2564	2952	qzrSJUcPyR.exe	33
PID 2952 wrote to memory of 2564	2952	qzrSJUcPyR.exe	33
PID 2952 wrote to memory of 2564	2952	qzrSJUcPyR.exe	33
PID 2952 wrote to memory of 2564	2952	qzrSJUcPyR.exe	33
PID 2952 wrote to memory of 2576	2952	qzrSJUcPyR.exe	35
PID 2952 wrote to memory of 2576	2952	qzrSJUcPyR.exe	35
PID 2952 wrote to memory of 2576	2952	qzrSJUcPyR.exe	35
PID 2952 wrote to memory of 2576	2952	qzrSJUcPyR.exe	35
PID 2952 wrote to memory of 2548	2952	qzrSJUcPyR.exe	36
PID 2952 wrote to memory of 2548	2952	qzrSJUcPyR.exe	36
PID 2952 wrote to memory of 2548	2952	qzrSJUcPyR.exe	36
PID 2952 wrote to memory of 2548	2952	qzrSJUcPyR.exe	36
PID 2952 wrote to memory of 2508	2952	qzrSJUcPyR.exe	37
PID 2952 wrote to memory of 2508	2952	qzrSJUcPyR.exe	37
PID 2952 wrote to memory of 2508	2952	qzrSJUcPyR.exe	37
PID 2952 wrote to memory of 2508	2952	qzrSJUcPyR.exe	37
PID 2952 wrote to memory of 2296	2952	qzrSJUcPyR.exe	38
PID 2952 wrote to memory of 2296	2952	qzrSJUcPyR.exe	38
PID 2952 wrote to memory of 2296	2952	qzrSJUcPyR.exe	38
PID 2952 wrote to memory of 2296	2952	qzrSJUcPyR.exe	38
PID 2952 wrote to memory of 2600	2952	qzrSJUcPyR.exe	42
PID 2952 wrote to memory of 2600	2952	qzrSJUcPyR.exe	42
PID 2952 wrote to memory of 2600	2952	qzrSJUcPyR.exe	42
PID 2952 wrote to memory of 2600	2952	qzrSJUcPyR.exe	42
PID 1624 wrote to memory of 2380	1624	ac0b3356655f8495fdc17d97802aaf31.exe	45
PID 1624 wrote to memory of 2380	1624	ac0b3356655f8495fdc17d97802aaf31.exe	45
PID 1624 wrote to memory of 2380	1624	ac0b3356655f8495fdc17d97802aaf31.exe	45
PID 1624 wrote to memory of 2380	1624	ac0b3356655f8495fdc17d97802aaf31.exe	45
PID 1624 wrote to memory of 2380	1624	ac0b3356655f8495fdc17d97802aaf31.exe	45
PID 1624 wrote to memory of 2380	1624	ac0b3356655f8495fdc17d97802aaf31.exe	45
PID 1624 wrote to memory of 2380	1624	ac0b3356655f8495fdc17d97802aaf31.exe	45
PID 2508 wrote to memory of 2372	2508	cmd.exe	46
PID 2508 wrote to memory of 2372	2508	cmd.exe	46
PID 2508 wrote to memory of 2372	2508	cmd.exe	46
PID 2508 wrote to memory of 2372	2508	cmd.exe	46
PID 2564 wrote to memory of 1896	2564	cmd.exe	51
PID 2564 wrote to memory of 1896	2564	cmd.exe	51
PID 2564 wrote to memory of 1896	2564	cmd.exe	51
PID 2564 wrote to memory of 1896	2564	cmd.exe	51
PID 2576 wrote to memory of 2428	2576	cmd.exe	50
PID 2576 wrote to memory of 2428	2576	cmd.exe	50
PID 2576 wrote to memory of 2428	2576	cmd.exe	50
PID 2576 wrote to memory of 2428	2576	cmd.exe	50
PID 2296 wrote to memory of 2784	2296	cmd.exe	47
PID 2296 wrote to memory of 2784	2296	cmd.exe	47
PID 2296 wrote to memory of 2784	2296	cmd.exe	47
PID 2296 wrote to memory of 2784	2296	cmd.exe	47
PID 2548 wrote to memory of 2860	2548	cmd.exe	49
PID 2548 wrote to memory of 2860	2548	cmd.exe	49
PID 2548 wrote to memory of 2860	2548	cmd.exe	49
PID 2548 wrote to memory of 2860	2548	cmd.exe	49
PID 2600 wrote to memory of 2396	2600	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\ac0b3356655f8495fdc17d97802aaf31.exe
"C:\Users\Admin\AppData\Local\Temp\ac0b3356655f8495fdc17d97802aaf31.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy "C:\Users\Admin\AppData\Local\Temp\AB0MQoTJWZ.exe" /b + "C:\Users\Admin\AppData\Local\Temp\FcEzDR3WvU.exe" /b "C:\Users\Admin\AppData\Local\Temp\qzrSJUcPyR.exe"
  2⤵
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\qzrSJUcPyR.exe
  "C:\Users\Admin\AppData\Local\Temp\qzrSJUcPyR.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls C:\Windows /e /p everyone:f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows /e /p everyone:f
      4⤵
      PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
      4⤵
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc config ekrn start= disabled
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\SysWOW64\sc.exe
      sc config ekrn start= disabled
      4⤵
      Launches sc.exe
      PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im ekrn.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ekrn.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im egui.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im egui.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im ScanFrm.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ScanFrm.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2396
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe func.dll, droqp
    3⤵
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy "C:\Users\Admin\AppData\Local\Temp\dJ1Rv7e2yB.exe" /b + "C:\Users\Admin\AppData\Local\Temp\IIeBkAvnur.exe" /b "C:\Users\Admin\AppData\Local\Temp\iMpk6n8OpS.exe"
  2⤵
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\iMpk6n8OpS.exe
  "C:\Users\Admin\AppData\Local\Temp\iMpk6n8OpS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AB0MQoTJWZ.exe

Filesize
7KB

MD5
bf175abf9b3848f9b8aebac5279e1e6f

SHA1
43a921fec131cbff96fc2cb6fca220b6ff127c77

SHA256
c28e1c1787dda9162ed132ed6d8f457b428a89dd99e6c8e983a8f80c82d55c92

SHA512
4f93e87eb70b501e45d63a9e8fdcafcc68780beb3870d0d1f5cb43d50cf108dfe474140ea833c45ea29d652f3fc13141bb31529358e39a3835c19e4c9e0f5857

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcEzDR3WvU.exe

Filesize
23KB

MD5
2e3db118057de35b97dfc986c01084ba

SHA1
807e329cd0035a51bb9065871af28e844193bcf2

SHA256
176a68056f3b16e54209a98d2374ff6a39942784f9b750db79e2f28a39cd639a

SHA512
82fbae2acf131ca7b11dc8f3a740a2dd93bad0144d8cf06fa7b2f65b572cab94177bc1e399238afb9138218a449672232c57e3755cdb0b6a3db905182bbee5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIeBkAvnur.exe

Filesize
111KB

MD5
ab7963a577bc794adbe10e69168b9107

SHA1
81c52982c67209a5c152744e219abe9b590405f6

SHA256
0de4dac796e1f1d8dc82ecf9a51ba7b4b1efa505f41a390865a47581b5fbac45

SHA512
08ab72f860e512dea72064cb91b0c7a69a49bbfa038b3456146de72e63ae11ae803e1471675b2d04e7b90a70400e55e4aa1f9f7585e4f324bb9f0ff90470a9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\dJ1Rv7e2yB.exe

Filesize
37KB

MD5
252c962456a39e6f5530a58e275b420f

SHA1
476432e95fefea0086c909de2f65a351cd08cdbd

SHA256
0dadb72529f88caf5ae5b830e9fd8ca8c402a83c5de73230133030fdd69eff9f

SHA512
c81ffc2b40a05c079d25d574de608310a804761efc41b37872cf2585115da32370a814dd849370104e6d9356a14c0e47a67a97ef53eb21e638661c7b9f2022b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMpk6n8OpS.exe

Filesize
148KB

MD5
0479311230d8c1ad3eb178017f92ad46

SHA1
f85b62f772581fa1dc37a6fc7e4573f85ab77d5b

SHA256
ca4056e219b5ee927564e0313fa419a2b18c88f44f783801e7cc9788aaec76e5

SHA512
b286e70529f341de9ae30fa2b8dcd64117a65df28ade1072d78702c0d18faed1bc74cee09ab787ac84d791390102652b42c5192955070a5d5be28fcf61c1e1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzrSJUcPyR.exe

Filesize
31KB

MD5
fa960759a464975598ba0f93485eefae

SHA1
65be380acd4fa50ecf3a7d0ed23c23352a2965a1

SHA256
84305a121d3b0416eca553783a85d2f87522a7505ac33cac3c31aa4145b21073

SHA512
faadb09f84e0fd6086c3b7729fe25902f4491668a726f941f3d2bb28c6f84b92f6839b95fcca271ba01df6974c30f9eead9c5242c70cb1c110209b55218be3e8

Download Submit
\Windows\SysWOW64\func.dll

Filesize
37KB

MD5
c85207363e93eb7c08097f407d4d78b1

SHA1
347b295069f693b2da817fd34560de985171e6a6

SHA256
a52c67b010b407f94d8a3455dbe5042587e4451bf69260684886f79097ff7da8

SHA512
b233e59706cbe4b80ff48bec51b4b2e60daff90a98ddab729dc1c090f1187b6dd8a591f674f5ef43c994b93f5bb6812fc9275f1d4d0c77ec9fee240e93d81b3d

Download Submit
memory/1624-11-0x0000000000710000-0x0000000000733000-memory.dmp

Filesize
140KB

Download
memory/1624-12-0x0000000000710000-0x0000000000733000-memory.dmp

Filesize
140KB

Download
memory/1624-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2380-26-0x0000000003180000-0x0000000003384000-memory.dmp

Filesize
2.0MB

Download
memory/2380-50-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2380-21-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2380-59-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2380-34-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2380-35-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2380-36-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2380-25-0x0000000000240000-0x0000000000296000-memory.dmp

Filesize
344KB

Download
memory/2380-51-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2380-53-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2380-55-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2380-56-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2380-58-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2952-16-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download