e02090cd2eb0b654d0013fe4a8db53ee67fe570d25f5d3b520edc382bc84fb4f

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e02090cd2eb0b654d0013fe4a8db53ee67fe570d25f5d3b520edc382bc84fb4f.exe
Size

1.2MB
MD5

f2ee7bf59b3d4b3b97de028e9019fdb6
SHA1

123d905cbd55fa087ec83e0d29c5d222739c7cff
SHA256

e02090cd2eb0b654d0013fe4a8db53ee67fe570d25f5d3b520edc382bc84fb4f
SHA512

1c223deea000758738ccea760c0689cd30a01908b7138715ffb5fbf6994cbb93149da79610c90ab4fc68893be47961d4cfbdf46d89673f192fd6ec48bbe91438
SSDEEP

24576:jTbBv5rUDWxz4N1/TmgyBKWIwjmL6THBvWFGa6mPcyGJzQmrD4Fr:9BtgTmEpwRdnoGBQ2Dc

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2420	qtkk.msc
1628	RegSvcs.exe
808	RegSvcs.exe

Loads dropped DLL 3 IoCs

pid	Process
2680	cmd.exe
2420	qtkk.msc
2420	qtkk.msc

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L89BO89GX85MG81WC77SL70ZQ68IN85PZ90MZ88BR74LE79YF72EX88AY86AS86DB84MU82AH84TH68MY70VP86FV75OZ83PT69XO79TY65SF82DU83YH83AI88UP69EQ67DX76PV85FL77ZF74VE87YZ74ZX80IM84GS86PA75VF77UW84B = "C:\\Users\\Admin\\AppData\\Roaming\\cmfi\\QTKKMS~1.EXE C:\\Users\\Admin\\AppData\\Roaming\\cmfi\\fqgpn.msc"	qtkk.msc

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2420 set thread context of 1628	2420	qtkk.msc	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2648	ipconfig.exe
1304	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2420	qtkk.msc
2420	qtkk.msc
2420	qtkk.msc
2420	qtkk.msc
2420	qtkk.msc
2420	qtkk.msc

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2568	2968	e02090cd2eb0b654d0013fe4a8db53ee67fe570d25f5d3b520edc382bc84fb4f.exe	28
PID 2968 wrote to memory of 2568	2968	e02090cd2eb0b654d0013fe4a8db53ee67fe570d25f5d3b520edc382bc84fb4f.exe	28
PID 2968 wrote to memory of 2568	2968	e02090cd2eb0b654d0013fe4a8db53ee67fe570d25f5d3b520edc382bc84fb4f.exe	28
PID 2968 wrote to memory of 2568	2968	e02090cd2eb0b654d0013fe4a8db53ee67fe570d25f5d3b520edc382bc84fb4f.exe	28
PID 2568 wrote to memory of 2444	2568	WScript.exe	29
PID 2568 wrote to memory of 2444	2568	WScript.exe	29
PID 2568 wrote to memory of 2444	2568	WScript.exe	29
PID 2568 wrote to memory of 2444	2568	WScript.exe	29
PID 2568 wrote to memory of 2680	2568	WScript.exe	31
PID 2568 wrote to memory of 2680	2568	WScript.exe	31
PID 2568 wrote to memory of 2680	2568	WScript.exe	31
PID 2568 wrote to memory of 2680	2568	WScript.exe	31
PID 2444 wrote to memory of 2648	2444	cmd.exe	33
PID 2444 wrote to memory of 2648	2444	cmd.exe	33
PID 2444 wrote to memory of 2648	2444	cmd.exe	33
PID 2444 wrote to memory of 2648	2444	cmd.exe	33
PID 2680 wrote to memory of 2420	2680	cmd.exe	34
PID 2680 wrote to memory of 2420	2680	cmd.exe	34
PID 2680 wrote to memory of 2420	2680	cmd.exe	34
PID 2680 wrote to memory of 2420	2680	cmd.exe	34
PID 2420 wrote to memory of 808	2420	qtkk.msc	35
PID 2420 wrote to memory of 808	2420	qtkk.msc	35
PID 2420 wrote to memory of 808	2420	qtkk.msc	35
PID 2420 wrote to memory of 808	2420	qtkk.msc	35
PID 2420 wrote to memory of 808	2420	qtkk.msc	35
PID 2420 wrote to memory of 808	2420	qtkk.msc	35
PID 2420 wrote to memory of 808	2420	qtkk.msc	35
PID 2420 wrote to memory of 1628	2420	qtkk.msc	36
PID 2420 wrote to memory of 1628	2420	qtkk.msc	36
PID 2420 wrote to memory of 1628	2420	qtkk.msc	36
PID 2420 wrote to memory of 1628	2420	qtkk.msc	36
PID 2420 wrote to memory of 1628	2420	qtkk.msc	36
PID 2420 wrote to memory of 1628	2420	qtkk.msc	36
PID 2420 wrote to memory of 1628	2420	qtkk.msc	36
PID 2420 wrote to memory of 1628	2420	qtkk.msc	36
PID 2568 wrote to memory of 1552	2568	WScript.exe	37
PID 2568 wrote to memory of 1552	2568	WScript.exe	37
PID 2568 wrote to memory of 1552	2568	WScript.exe	37
PID 2568 wrote to memory of 1552	2568	WScript.exe	37
PID 1552 wrote to memory of 1304	1552	cmd.exe	39
PID 1552 wrote to memory of 1304	1552	cmd.exe	39
PID 1552 wrote to memory of 1304	1552	cmd.exe	39
PID 1552 wrote to memory of 1304	1552	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\e02090cd2eb0b654d0013fe4a8db53ee67fe570d25f5d3b520edc382bc84fb4f.exe
"C:\Users\Admin\AppData\Local\Temp\e02090cd2eb0b654d0013fe4a8db53ee67fe570d25f5d3b520edc382bc84fb4f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiox.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c qtkk.msc fqgpn.msc
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\qtkk.msc
      qtkk.msc fqgpn.msc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2420
    - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        5⤵
        Executes dropped EXE
        
        PID:808
    - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        5⤵
        Executes dropped EXE
        
        PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\akvbcbeiaw.mp2

Filesize
554B

MD5
86c042d5b9888b95ed539904c124c026

SHA1
2eee0fda1944ab3cd233d7dd8da31d50a58148b3

SHA256
94ae1530f7a9f7621fdc0603dc88739338ccb3844f5c5fb93117b250991035b9

SHA512
2e81f65da77d23a39b46901e74b3a9bd1d02a064ca1f5c8c60391088d5bcb681abc1b823040f5de697f4d40fc6e4a01f3c96e6b0c1a4d54e1073975738932b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bicpgapeng.docx

Filesize
652B

MD5
155e9e6c9c9cfca2df8d469349c7e43f

SHA1
c9f117630ffe172b051a8fb4dd9ad9af295ad34e

SHA256
1ed9fbf531664f07dc73d664d77dcc34a61e21eb032d4385c83bd4d1a411a227

SHA512
075d2ab2ec549ff8935e9401e6501aa611dacdc1b4d6baa3844c0f7945108feeb47d00c9f25075b81c9648771c4a146e772c03ea462d1cc8e27e6ae2fb348cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cgacqsirt.icm

Filesize
609B

MD5
a4e45c9d53798abecdbf78924f846fcc

SHA1
747b2709eec81499a427a8bed5607d6ac449e606

SHA256
13ab239b9274f3da0b80121a4298696c1ed26dd3bdf784043d781ed43e0fede2

SHA512
93ef0b425f8f90e67fdf3e93510f5f27cea8db20e54eabb0f027a20aa59c1442568ae99c2e846405c0988a564955dbf650c632ea3a54dc312e388396bd318e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dcjqkn.bin

Filesize
551B

MD5
004c88acbb1c7b4f6cae4396bf690047

SHA1
c69badee5d78ebd7ce3b46f6530c7a3be49cf0a4

SHA256
89dd0ca941f5f7589df36a25faa7a8086c8cf08a6fb68bf139bc5341328b7071

SHA512
1f96a46e3abbb149b571ac147e7d04cf0649566a96f2a4f1f48fac18ac92c6ae7eb89e8d7d2937cf901b939959ea9ba00507877fcb80643f4d2b9c43408dc64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\dswitmeka.msc

Filesize
519B

MD5
4732adfcfeb08efa3796f0e0a6beb651

SHA1
003e3e7deccda3a1cbcd3e826d46a0a879fa74d2

SHA256
e32013e2c075779d8efbfff3de13d529f1e4de3439c77933d7514c8a6077a3d5

SHA512
08e05297468844702d008932cb1ac096d32aa9c2a310629dab91b725759a802bed57789ed4d4d9756343c35a05296d925aea1fff3fa2f1638fa903be510b6e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fqgpn.msc

Filesize
3.5MB

MD5
7224af09c24ddefb26f388489b9dfb57

SHA1
352c3771d2dc6ef69029d74aed54e446cff2f90e

SHA256
687603bef4dc93a3f845226c65b4446a63bd2e2db8955cfe792cd88d31df6413

SHA512
5d3fc3e4738961fd0e8fe18b9a7c9e3ed71d16260cb44a84213eded458baf64083534c7cbcc0ba5d59d568e9fdbd8cbb01a3f58b0412d49efd1f16fa34174eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdbwchejw.erx

Filesize
527KB

MD5
1cd4ad19e2bfebebb3ea9e35ec2f84d1

SHA1
774212321e204c04f2de5d8e7e6686e8bc2efeea

SHA256
2b8576857650065a8365eab3772fe9000710584507660b9eb6d00e1162f9ec66

SHA512
8be2ac9df393664c0e1e0d9ec22b40e07db3c78ac6230a9afe3ae9c63b90a5e0c60a26c919232899be538155486e9dea1b9a9073945c43c30aa94bb0195cb53e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hirpdb.mp2

Filesize
510B

MD5
667648a92aa7efb24d20ae28913c7180

SHA1
52e0f9b641b6a156fde55afc821e9cb60ba97feb

SHA256
ce25f276017281d828da734a213402eb7fba49cf8e88ce6e3c608d7bd972410a

SHA512
8b2c14b12803126e4be056315624bb298d4fcfd62182243713ab586e64f19ec4a6b46b1548bba24133c6041d922a573757e02e68bccf8350fe9d57a7ef80b3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jhpnd.jpg

Filesize
531B

MD5
00292b28f6b528601fc3abbc5c9d1b68

SHA1
26fbf9ca8eba6ac0fff1fea60e2ab47d780c5067

SHA256
66e57effac847b52ce48c1992ed03e4a01283e6ce51fa608ce584755a048e2c9

SHA512
7fb2b3e08929a3cb5aaeb7ba8b90fdd05c0266c7e85456d6c6dededaacadbe1fe8493af576cb7855c42f28a00fab2c6c2ec2377509a32bcd9b392c81b6215801

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jjrdkfnsng.dll

Filesize
676B

MD5
774d846b359f0ab76231a99b90faf0f4

SHA1
a96d0e11c4c3b938c6285d8cd2db543706bb0539

SHA256
c2f0cdd6b87f4a122b662233300170e4336e2f2800cc6adb0db24099d74a8901

SHA512
abacef367cb39f56beb809573b8ca928bf4c9d2e711d7a42a0aaf80d75725320fb3809c10870ff5b993cd2b40730f15089dcbdba6121eb389eeda0d768c93ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keoilvkath.pdf

Filesize
507B

MD5
93788607c5622f4c425b9b480475a663

SHA1
1ae29c007bcc85c8744e1236f4d532006943e6e5

SHA256
7b0ab8e990afc2a1b0378102d584ad82973b1bcc301aaac218abb5b5762dd9a9

SHA512
fbbdd9bc3c74d1bef0c40c98f5b0eadd2e8ff98bd6f84a35bf20e7ea9cb5ba69b48b7f360b9f27f2d7ea9a2f6dc4a80769cdc5a49f7d71d5898f2d169d243f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kptrjptj.icm

Filesize
602B

MD5
19bc8ae4258ccf4fd6b17e0f91650508

SHA1
cf7ffbcc198ec0421d46f4690ba6ca06b3e1e8f1

SHA256
896678afa147540658e5fbd1b344d122f5897e5ff23a9df18317658f1772110d

SHA512
73e06661ed14932083d93f3be85a78a3ca862d35aff0a82283344bd18244b6f26f63bed1b8ec0632ab95d03411c1b717ee7940291c15395cf452c7a744152485

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kvqjbnjrr.xl

Filesize
550B

MD5
189288c470a0646f22ff0b387d95a46c

SHA1
92b139c73eea73c907ee2efe1f223cdc87cdb93e

SHA256
9c6172bd136c76e6ba72e219ba0f18147435fe854e9d5831ae3118c5c0015851

SHA512
147dc6e7808b291b9536b40086bb1ebb1d470d842ebd5908dfd1d4fd547325dbb81447feeb53bd4d59cdd01a6e110c287f413dfb721ba7fb4530cb68bf5fd4e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lextvxg.mp2

Filesize
593B

MD5
dbfc374f445e6281244b407fcf12e81c

SHA1
b77402e1e01145f919124450b3f64fbe161b524f

SHA256
cb7894828e7e8bdb62f1486b6e92bea3547f7ba01160908d478689ebd32ebda2

SHA512
08afec0d49e213e7c1afd50709e7c7b0f1ce0c67d13524ad3c8bf1b35b8866ea400ee762c0540b629504b99e737763c0fb95aa890486b3e61fe61aedf09510fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ncranbcxgh.pdf

Filesize
536B

MD5
f6198d81d2d907cfb14dde22b0b3f226

SHA1
bf609be3e39da42fd294a24ef5fb6cb39933e030

SHA256
0ce88ba8afbf060d793c95315557eb3027cade6dd4ef368511a71f2136aa2ff5

SHA512
8b031fbdd9692726bbbfb81c8d1e9ea21b6c106ea917f21806fa7232a3cd39ca76915e884e45ceb58d14c0a227c2b82bbe572570da0a501de3b4eaaf233886ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qtkk.msc

Filesize
925KB

MD5
eeaa0f5d82e56659c80fa84d588bf870

SHA1
a1aea1de9c42e1ef8c186ef6246dd318040e66de

SHA256
3fce07bd7e220e97a1b141da155444f95aba7b5e4325f6a5edb262c025c1e5a9

SHA512
20b4d8d117419a511cde61ec37c488fcf86d8d6e9174da2496cd71843e8c7f0dd5b7707e59e8404018f0c7074fef610a48f68e274fa250e05ae89e474ceb8247

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qvie.exe

Filesize
540B

MD5
41f179c9089dda4b795f0927b469fc55

SHA1
52f73561d15ac460f916194d481c56baf77ba7e7

SHA256
128659866a56fea6ac28efab3060ca3b57ebd9040d17efb77d1ffead15768e9c

SHA512
8531c176b0ddb9594387d4bd3309a098c283304a7620a6f4611e964e784c0a88a1366c3fc20046e58c7c583e68b259f1a5fdc59ae547b0e64b04905af2746616

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svrker.bmp

Filesize
32KB

MD5
4e5dc6cf1d8fef6577a7d919102e0d04

SHA1
d3dc1afcedba20ecd45f9c061a63bd721ee6fb66

SHA256
849dca0780c70e59a8ee3fa65e5fd82fe7c4af17e26fa17d3726cfefea0913ef

SHA512
3c861ee898cdb0d75457ab759a56d36b531a1c9dec517ccd4cb29b6e48cd030d97de23461b39b8c704a90490ea51f277e6b19ff30d12c797b7d909b4073e1430

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svrker.bmp

Filesize
32KB

MD5
899da02f2f451eb750e19c7573777da8

SHA1
841bca52252bdc878384111540a7720873852817

SHA256
99b7c8b93c190cea265eba8cd89e8fbd2bf1978a594b2be4e01541448c7e0dfe

SHA512
9f977a73efeaace72e6d803e65ae7167f53ca2c00aed782c107d1e6db61853afa24cdaa7300b2671c5e0b5a1051d7513eff9f0b48c51032100e25b5cfd3a4d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\txnlvhif.xl

Filesize
633B

MD5
9fc96e13d5734ad8a61e48866e066298

SHA1
170173a972c2c2c5208f50a5c1e1bd936c1e0a66

SHA256
b0de14752bd5816010c2d226f84ab348e8098fcbd3078420dc91b5687b764631

SHA512
a9c90fc3f9c5c5bcd916d2294559e62487e366e1cd491c183d85c94f3ec1cab101604796d58571bd76692b2c02ad4c45729e639217907a6ec4c4fc91a25ac78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vasgdwjjb.mp2

Filesize
616B

MD5
09ecfa1b22bcd9b1c5b4d259ba5564d9

SHA1
788cc65540b8ef6733fe68a7baa64e8d8f968994

SHA256
b6b4ac62c8ba6349cfc8a92998c91b8aca6058fe82b53cc110e854123cd422dd

SHA512
30a034d639393861403b2fe451ae0f355a231a1ff5dfcfbee3b009acba5e3a3c133159b1c10ecd5e59e69ae8c65ab833be1312c3af70201fdc939d3a1d6310a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiox.vbe

Filesize
77KB

MD5
950060ab1ef594511bd273fab2c569d5

SHA1
1c7f883da063e4f8220389ef09a08ef97517cd28

SHA256
c11621cf6ecc82b31277acfbb7f0f2634e09539003a889dbc3ec086dc7ee83bc

SHA512
55eb8f174bcedf9824026c82776d0801c8bc4a24d0f49bf9e67f70a3d8eb9281d987b51ecdbd8058a72ccce255fa084cd27459591e3ce3605d46cf4495759b6b

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/1628-131-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download