7921ea0672bb1ab083fbbc18b2487e57d91edc93d09162457700714e5fb52084

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2024, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac0b3356655f8495fdc17d97802aaf31.exe
Size

224KB
MD5

ac0b3356655f8495fdc17d97802aaf31
SHA1

cf6d831f812666485612ac85c2649658454d731d
SHA256

7921ea0672bb1ab083fbbc18b2487e57d91edc93d09162457700714e5fb52084
SHA512

d2fa88c998c41c6ee126d0d3f3a1ae19c34d97b01af1f84d4eb928caa464299b429f19ae42dfeca7fa3e4118ba1a52dcb6fc74de940c16b2b7d0b56069967740
SSDEEP

3072:z+dXwfjdGl5nf1pmylYKmanlVl/vuxlil5iA6SfMhLgTVBJvna+dXwVSnE3:z+yfQ5nlliqlVJ7fiA6qsgT5a+yVCE3

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\acpiec.sys	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	qzrSJUcPyR.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	qzrSJUcPyR.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	ac0b3356655f8495fdc17d97802aaf31.exe

Executes dropped EXE 2 IoCs

pid	Process
1428	qzrSJUcPyR.exe
1088	iMpk6n8OpS.exe

Loads dropped DLL 2 IoCs

pid	Process
400	rundll32.exe
1428	qzrSJUcPyR.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000231db-11.dat	upx
behavioral2/files/0x00070000000231e8-14.dat	upx
behavioral2/memory/1088-17-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1088-22-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1088-24-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1088-39-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1088-40-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1088-41-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1088-42-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1088-43-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1088-44-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1088-45-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1088-47-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1088-48-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1088-50-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	qzrSJUcPyR.exe
File opened for modification	C:\autorun.inf	qzrSJUcPyR.exe
File created	F:\autorun.inf	qzrSJUcPyR.exe
File opened for modification	F:\autorun.inf	qzrSJUcPyR.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\func.dll	qzrSJUcPyR.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\phpi.dll	qzrSJUcPyR.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1052	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3324	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2668	taskkill.exe
336	taskkill.exe
3420	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe
400	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	taskkill.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeDebugPrivilege	336	taskkill.exe
Token: SeDebugPrivilege	400	rundll32.exe
Token: SeDebugPrivilege	400	rundll32.exe
Token: SeDebugPrivilege	400	rundll32.exe
Token: SeDebugPrivilege	400	rundll32.exe
Token: SeDebugPrivilege	400	rundll32.exe
Token: SeDebugPrivilege	400	rundll32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1088	iMpk6n8OpS.exe
1088	iMpk6n8OpS.exe
1088	iMpk6n8OpS.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1088	iMpk6n8OpS.exe
1088	iMpk6n8OpS.exe
1088	iMpk6n8OpS.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 5088	5056	ac0b3356655f8495fdc17d97802aaf31.exe	86
PID 5056 wrote to memory of 5088	5056	ac0b3356655f8495fdc17d97802aaf31.exe	86
PID 5056 wrote to memory of 5088	5056	ac0b3356655f8495fdc17d97802aaf31.exe	86
PID 5056 wrote to memory of 1428	5056	ac0b3356655f8495fdc17d97802aaf31.exe	88
PID 5056 wrote to memory of 1428	5056	ac0b3356655f8495fdc17d97802aaf31.exe	88
PID 5056 wrote to memory of 1428	5056	ac0b3356655f8495fdc17d97802aaf31.exe	88
PID 5056 wrote to memory of 1324	5056	ac0b3356655f8495fdc17d97802aaf31.exe	89
PID 5056 wrote to memory of 1324	5056	ac0b3356655f8495fdc17d97802aaf31.exe	89
PID 5056 wrote to memory of 1324	5056	ac0b3356655f8495fdc17d97802aaf31.exe	89
PID 1428 wrote to memory of 4608	1428	qzrSJUcPyR.exe	96
PID 1428 wrote to memory of 4608	1428	qzrSJUcPyR.exe	96
PID 1428 wrote to memory of 4608	1428	qzrSJUcPyR.exe	96
PID 1428 wrote to memory of 440	1428	qzrSJUcPyR.exe	95
PID 1428 wrote to memory of 440	1428	qzrSJUcPyR.exe	95
PID 1428 wrote to memory of 440	1428	qzrSJUcPyR.exe	95
PID 1428 wrote to memory of 4632	1428	qzrSJUcPyR.exe	94
PID 1428 wrote to memory of 4632	1428	qzrSJUcPyR.exe	94
PID 1428 wrote to memory of 4632	1428	qzrSJUcPyR.exe	94
PID 1428 wrote to memory of 2632	1428	qzrSJUcPyR.exe	93
PID 1428 wrote to memory of 2632	1428	qzrSJUcPyR.exe	93
PID 1428 wrote to memory of 2632	1428	qzrSJUcPyR.exe	93
PID 1428 wrote to memory of 4056	1428	qzrSJUcPyR.exe	92
PID 1428 wrote to memory of 4056	1428	qzrSJUcPyR.exe	92
PID 1428 wrote to memory of 4056	1428	qzrSJUcPyR.exe	92
PID 1428 wrote to memory of 828	1428	qzrSJUcPyR.exe	91
PID 1428 wrote to memory of 828	1428	qzrSJUcPyR.exe	91
PID 1428 wrote to memory of 828	1428	qzrSJUcPyR.exe	91
PID 5056 wrote to memory of 1088	5056	ac0b3356655f8495fdc17d97802aaf31.exe	104
PID 5056 wrote to memory of 1088	5056	ac0b3356655f8495fdc17d97802aaf31.exe	104
PID 5056 wrote to memory of 1088	5056	ac0b3356655f8495fdc17d97802aaf31.exe	104
PID 4608 wrote to memory of 3676	4608	cmd.exe	105
PID 4608 wrote to memory of 3676	4608	cmd.exe	105
PID 4608 wrote to memory of 3676	4608	cmd.exe	105
PID 828 wrote to memory of 2668	828	cmd.exe	106
PID 828 wrote to memory of 2668	828	cmd.exe	106
PID 828 wrote to memory of 2668	828	cmd.exe	106
PID 440 wrote to memory of 3788	440	cmd.exe	107
PID 440 wrote to memory of 3788	440	cmd.exe	107
PID 440 wrote to memory of 3788	440	cmd.exe	107
PID 4632 wrote to memory of 1052	4632	cmd.exe	109
PID 4632 wrote to memory of 1052	4632	cmd.exe	109
PID 4632 wrote to memory of 1052	4632	cmd.exe	109
PID 2632 wrote to memory of 336	2632	cmd.exe	108
PID 2632 wrote to memory of 336	2632	cmd.exe	108
PID 2632 wrote to memory of 336	2632	cmd.exe	108
PID 4056 wrote to memory of 3420	4056	cmd.exe	110
PID 4056 wrote to memory of 3420	4056	cmd.exe	110
PID 4056 wrote to memory of 3420	4056	cmd.exe	110
PID 1428 wrote to memory of 400	1428	qzrSJUcPyR.exe	116
PID 1428 wrote to memory of 400	1428	qzrSJUcPyR.exe	116
PID 1428 wrote to memory of 400	1428	qzrSJUcPyR.exe	116
PID 1428 wrote to memory of 3324	1428	qzrSJUcPyR.exe	117
PID 1428 wrote to memory of 3324	1428	qzrSJUcPyR.exe	117
PID 1428 wrote to memory of 3324	1428	qzrSJUcPyR.exe	117

C:\Users\Admin\AppData\Local\Temp\ac0b3356655f8495fdc17d97802aaf31.exe
"C:\Users\Admin\AppData\Local\Temp\ac0b3356655f8495fdc17d97802aaf31.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy "C:\Users\Admin\AppData\Local\Temp\AB0MQoTJWZ.exe" /b + "C:\Users\Admin\AppData\Local\Temp\FcEzDR3WvU.exe" /b "C:\Users\Admin\AppData\Local\Temp\qzrSJUcPyR.exe"
  2⤵
  PID:5088
- C:\Users\Admin\AppData\Local\Temp\qzrSJUcPyR.exe
  "C:\Users\Admin\AppData\Local\Temp\qzrSJUcPyR.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im ScanFrm.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ScanFrm.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im egui.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im egui.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c taskkill /im ekrn.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im ekrn.exe /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:336
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc config ekrn start= disabled
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\SysWOW64\sc.exe
      sc config ekrn start= disabled
      4⤵
      Launches sc.exe
      PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
      4⤵
      PID:3788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls C:\Windows /e /p everyone:f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows /e /p everyone:f
      4⤵
      PID:3676
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe func.dll, droqp
    3⤵
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3324
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy "C:\Users\Admin\AppData\Local\Temp\dJ1Rv7e2yB.exe" /b + "C:\Users\Admin\AppData\Local\Temp\IIeBkAvnur.exe" /b "C:\Users\Admin\AppData\Local\Temp\iMpk6n8OpS.exe"
  2⤵
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\iMpk6n8OpS.exe
  "C:\Users\Admin\AppData\Local\Temp\iMpk6n8OpS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AB0MQoTJWZ.exe

Filesize
7KB

MD5
bf175abf9b3848f9b8aebac5279e1e6f

SHA1
43a921fec131cbff96fc2cb6fca220b6ff127c77

SHA256
c28e1c1787dda9162ed132ed6d8f457b428a89dd99e6c8e983a8f80c82d55c92

SHA512
4f93e87eb70b501e45d63a9e8fdcafcc68780beb3870d0d1f5cb43d50cf108dfe474140ea833c45ea29d652f3fc13141bb31529358e39a3835c19e4c9e0f5857

Download Submit
C:\Users\Admin\AppData\Local\Temp\FcEzDR3WvU.exe

Filesize
23KB

MD5
2e3db118057de35b97dfc986c01084ba

SHA1
807e329cd0035a51bb9065871af28e844193bcf2

SHA256
176a68056f3b16e54209a98d2374ff6a39942784f9b750db79e2f28a39cd639a

SHA512
82fbae2acf131ca7b11dc8f3a740a2dd93bad0144d8cf06fa7b2f65b572cab94177bc1e399238afb9138218a449672232c57e3755cdb0b6a3db905182bbee5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIeBkAvnur.exe

Filesize
111KB

MD5
ab7963a577bc794adbe10e69168b9107

SHA1
81c52982c67209a5c152744e219abe9b590405f6

SHA256
0de4dac796e1f1d8dc82ecf9a51ba7b4b1efa505f41a390865a47581b5fbac45

SHA512
08ab72f860e512dea72064cb91b0c7a69a49bbfa038b3456146de72e63ae11ae803e1471675b2d04e7b90a70400e55e4aa1f9f7585e4f324bb9f0ff90470a9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\dJ1Rv7e2yB.exe

Filesize
37KB

MD5
252c962456a39e6f5530a58e275b420f

SHA1
476432e95fefea0086c909de2f65a351cd08cdbd

SHA256
0dadb72529f88caf5ae5b830e9fd8ca8c402a83c5de73230133030fdd69eff9f

SHA512
c81ffc2b40a05c079d25d574de608310a804761efc41b37872cf2585115da32370a814dd849370104e6d9356a14c0e47a67a97ef53eb21e638661c7b9f2022b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMpk6n8OpS.exe

Filesize
148KB

MD5
0479311230d8c1ad3eb178017f92ad46

SHA1
f85b62f772581fa1dc37a6fc7e4573f85ab77d5b

SHA256
ca4056e219b5ee927564e0313fa419a2b18c88f44f783801e7cc9788aaec76e5

SHA512
b286e70529f341de9ae30fa2b8dcd64117a65df28ade1072d78702c0d18faed1bc74cee09ab787ac84d791390102652b42c5192955070a5d5be28fcf61c1e1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzrSJUcPyR.exe

Filesize
31KB

MD5
fa960759a464975598ba0f93485eefae

SHA1
65be380acd4fa50ecf3a7d0ed23c23352a2965a1

SHA256
84305a121d3b0416eca553783a85d2f87522a7505ac33cac3c31aa4145b21073

SHA512
faadb09f84e0fd6086c3b7729fe25902f4491668a726f941f3d2bb28c6f84b92f6839b95fcca271ba01df6974c30f9eead9c5242c70cb1c110209b55218be3e8

Download Submit
C:\Windows\SysWOW64\func.dll

Filesize
37KB

MD5
c85207363e93eb7c08097f407d4d78b1

SHA1
347b295069f693b2da817fd34560de985171e6a6

SHA256
a52c67b010b407f94d8a3455dbe5042587e4451bf69260684886f79097ff7da8

SHA512
b233e59706cbe4b80ff48bec51b4b2e60daff90a98ddab729dc1c090f1187b6dd8a591f674f5ef43c994b93f5bb6812fc9275f1d4d0c77ec9fee240e93d81b3d

Download Submit
C:\Windows\phpi.dll

Filesize
44KB

MD5
45282d73bffc7b865a6f09ae0caafc3d

SHA1
e5a6b1d7136aa67415394ed1b6a8c7936515aac9

SHA256
056217e93c8a004925d79102175e7ffbf3ac7d21d9707db9458aeda846d7abe1

SHA512
f5bd32254da4386279bbfc1e816af00143f3241ebf4f54c4ecc3d5f79ef5e26411e99532d6840b75fad65de40744edbdf3882bab5608795e5ddc75e1f653ffa9

Download Submit
memory/1088-42-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1088-41-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1088-50-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1088-22-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1088-48-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1088-24-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1088-47-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1088-39-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1088-40-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1088-17-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1088-45-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1088-43-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1088-44-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1428-9-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1428-10-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1428-23-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5056-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download