ee48174864ae0ef8c1e2da6b91b17c2f1df32195f69173adcc3013bf97c76ad5

Analysis

max time kernel
1793s
max time network
1565s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe
Size

1.7MB
MD5

d4b12487470460653459a54769e974e2
SHA1

f879a01a2a5d337b97d14c31294e0384bc0ff649
SHA256

dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8
SHA512

cdf8f5810a3f8c379030bd4a1686afd9bd6adefefce642ff088c7f0330ee6434120fa1ee90070341c2b1b6990b56005134fd2a71bf0fc29559547bc08c38dbc5
SSDEEP

49152:nyZOP+5jUgyNvtchcL6yUw4gZ2oe7yUFqm:nyZO0CFHL7Y

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\IQManager\\iqmanager.exe"	dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe

Executes dropped EXE 3 IoCs

Processes:

iqmanager.exeiqmanager.exeiqmanager.exe

pid process

2660 iqmanager.exe
2580 iqmanager.exe
436 iqmanager.exe

Loads dropped DLL 4 IoCs

Processes:

dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exeiqmanager.exe

pid	process
2192	dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe
2192	dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe
2660	iqmanager.exe
2660	iqmanager.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\iqmanager.exe = "C:\\Users\\Admin\\AppData\\Roaming\\IQManager\\iqmanager.exe silent"	dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 27 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

iqmanager.exeiqmanager.exeiqmanager.exe

description	ioc	process
File opened (read-only)	\??\A:	iqmanager.exe
File opened (read-only)	\??\U:	iqmanager.exe
File opened (read-only)	\??\M:	iqmanager.exe
File opened (read-only)	\??\O:	iqmanager.exe
File opened (read-only)	\??\P:	iqmanager.exe
File opened (read-only)	\??\X:	iqmanager.exe
File opened (read-only)	\??\I:	iqmanager.exe
File opened (read-only)	\??\K:	iqmanager.exe
File opened (read-only)	\??\A:	iqmanager.exe
File opened (read-only)	\??\G:	iqmanager.exe
File opened (read-only)	\??\H:	iqmanager.exe
File opened (read-only)	\??\S:	iqmanager.exe
File opened (read-only)	\??\B:	iqmanager.exe
File opened (read-only)	\??\J:	iqmanager.exe
File opened (read-only)	\??\L:	iqmanager.exe
File opened (read-only)	\??\T:	iqmanager.exe
File opened (read-only)	\??\Z:	iqmanager.exe
File opened (read-only)	\??\B:	iqmanager.exe
File opened (read-only)	\??\N:	iqmanager.exe
File opened (read-only)	\??\Q:	iqmanager.exe
File opened (read-only)	\??\R:	iqmanager.exe
File opened (read-only)	\??\W:	iqmanager.exe
File opened (read-only)	\??\Y:	iqmanager.exe
File opened (read-only)	\??\V:	iqmanager.exe
File opened (read-only)	\??\B:	iqmanager.exe
File opened (read-only)	\??\E:	iqmanager.exe
File opened (read-only)	\??\A:	iqmanager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

iqmanager.exeiqmanager.exeiqmanager.exe

pid process

2660 iqmanager.exe
2580 iqmanager.exe
436 iqmanager.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

iqmanager.exeiqmanager.exeiqmanager.exe

pid	process
2660	iqmanager.exe
2660	iqmanager.exe
2580	iqmanager.exe
2580	iqmanager.exe
436	iqmanager.exe
436	iqmanager.exe
2660	iqmanager.exe
2660	iqmanager.exe
2660	iqmanager.exe
2580	iqmanager.exe
436	iqmanager.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

iqmanager.exeiqmanager.exeiqmanager.exe

pid	process
2660	iqmanager.exe
2660	iqmanager.exe
2580	iqmanager.exe
2580	iqmanager.exe
436	iqmanager.exe
436	iqmanager.exe
2660	iqmanager.exe
2660	iqmanager.exe
2660	iqmanager.exe
2580	iqmanager.exe
436	iqmanager.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iqmanager.exeiqmanager.exeiqmanager.exe

pid process

2660 iqmanager.exe
2660 iqmanager.exe
2580 iqmanager.exe
2580 iqmanager.exe
436 iqmanager.exe
436 iqmanager.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe

description	pid	process	target process
PID 2192 wrote to memory of 2660	2192	dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe	iqmanager.exe
PID 2192 wrote to memory of 2660	2192	dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe	iqmanager.exe
PID 2192 wrote to memory of 2660	2192	dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe	iqmanager.exe
PID 2192 wrote to memory of 2660	2192	dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe	iqmanager.exe
PID 2192 wrote to memory of 2660	2192	dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe	iqmanager.exe
PID 2192 wrote to memory of 2660	2192	dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe	iqmanager.exe
PID 2192 wrote to memory of 2660	2192	dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe	iqmanager.exe

C:\Users\Admin\AppData\Local\Temp\dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe
"C:\Users\Admin\AppData\Local\Temp\dd0d00fec6564d52ad291e8f8a99e981a31ba5fbb623076e8e2864f4591e9bc8.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Roaming\IQManager\iqmanager.exe
C:\Users\Admin\AppData\Roaming\IQManager\iqmanager.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2660

C:\Users\Admin\AppData\Roaming\IQManager\iqmanager.exe
"C:\Users\Admin\AppData\Roaming\IQManager\iqmanager.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2580

C:\Users\Admin\AppData\Roaming\IQManager\iqmanager.exe
"C:\Users\Admin\AppData\Roaming\IQManager\iqmanager.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\IQManager\languages\English.lng
Filesize
5KB

MD5
07085de5f288a4af975301d446b5e33b

SHA1
1bab1af24546e953ef72b3f91ce1703aa3053da3

SHA256
5026f9af6ce420f4c30853758d9b5e1b9f0042ded6026a925ee180aea661e872

SHA512
1f8e16f22cd88a8acd47cbfd5cec4e8b496194b350b106b97b4147d42ba959894e920a5535ec022ab57b7977c74b6ec9864e0344bfea5bf2e0df95c60fd29e54

Download Submit
C:\Users\Admin\AppData\Roaming\IQManager\settings.ini
Filesize
56B

MD5
30d888d830f8e92e1019ad1e06fb5e49

SHA1
300aeb9737a275413859ca571e8c35d06e686ec2

SHA256
36e3d68811914bf4053705620069a2d8e4d542aaf71443f7f3e98b14759475e6

SHA512
fc40dd13ba030cb101d7f5de96a59b40f9cf386c017dfeb54cef868d25c5730f16c8eb210b6856dedc95bd6a101478471193cd241941d88ded73d122e1fdc301

Download Submit
C:\Users\Admin\AppData\Roaming\IQManager\settings.ini
Filesize
108B

MD5
2f40252e96a1ea2cffc9587a38442203

SHA1
c64f86f5ff26c6c950ed18f195dcc527116bc3e6

SHA256
0359b5915661b852c226014ec80888185e5e79355344eae78d17beeb3c864f10

SHA512
f6c190ec3ebb98625f7b11af1b273df81db5b359699a28f897dd56a0893e23fbbad1a3ae3e6752b0447e90d94e1c8aef3c32a277ca594a89c381f5e0da1125b4

Download Submit
\Users\Admin\AppData\Roaming\IQManager\iqmanager.exe
Filesize
1.5MB

MD5
bca3226cc1cfea416c0bcf488082e5fd

SHA1
2c1fd0189a9abe856dc8277673500390e1dc2b17

SHA256
1301037ea0315e6c4d001a7e4630ed7484e9b3b5d707f65f231e62e4fd117897

SHA512
8052d1a0e33c5d3e6f4fbed5edb317c3d888da5a1f3dc956e87c53967f097b22665c87a08e71c5bef3360536e84f01d0bf3542453160143dbc4acab91d54b124

Download Submit
memory/436-68-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/436-67-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/436-62-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/436-58-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2580-40-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2580-39-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2580-31-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2580-29-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2660-41-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2660-43-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2660-45-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2660-47-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2660-30-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download