Analysis

  • max time kernel
    14s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/05/2024, 08:09

Errors

Reason
Machine shutdown

General

  • Target

    QI.exe

  • Size

    5.9MB

  • MD5

    352c1cd1b44a666a3535c9b1f2c578d0

  • SHA1

    e335a89a43596ce4bc1e25a1a63a8ec5a480f9ab

  • SHA256

    70d313b32680b46843d8bb85d3c38f60a0907aee88cc5ac7f446e7809375e447

  • SHA512

    d82f18300789a4110d7f3f509e5171fea5ef86760125c877a5577f0747b29024bb4f7af7ebbbb066c5d39501c89f115ba83808183aa1609b324f1441bca85e94

  • SSDEEP

    98304:JFJ895z6ubxEWOUkEE8vT5epqdse9dHCkvRvCgJWGu78JDaKX2O6RJXTg:J72N6u6WOh8vlfdzvRvrJ1uYBaGmXX

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\QI.exe
    "C:\Users\Admin\AppData\Local\Temp\QI.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\0079952\QI.EXE'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1412
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\0079952\QI.EXE" /RL HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:2716
    • C:\0079952\QI.EXE
      "C:\0079952\QI.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Users\Admin\AppData\Local\Temp\crazywarningicons.exe
        "C:\Users\Admin\AppData\Local\Temp\crazywarningicons.exe"
        3⤵
        • Executes dropped EXE
        PID:2472
      • C:\Users\Admin\AppData\Local\Temp\erroricons.exe
        "C:\Users\Admin\AppData\Local\Temp\erroricons.exe"
        3⤵
        • Executes dropped EXE
        PID:2620
      • C:\Users\Admin\AppData\Local\Temp\pizdec.exe
        "C:\Users\Admin\AppData\Local\Temp\pizdec.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\Users\Admin\AppData\Local\Temp\sys3.exe
          C:\Users\Admin\AppData\Local\Temp\\sys3.exe
          4⤵
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of AdjustPrivilegeToken
          PID:1920
      • C:\Users\Admin\AppData\Local\Temp\start.exe
        "C:\Users\Admin\AppData\Local\Temp\start.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2414.tmp\2425.tmp\2426.bat C:\Users\Admin\AppData\Local\Temp\start.exe"
          4⤵
          PID:1976
      • C:\Users\Admin\AppData\Local\Temp\1111.exe
        "C:\Users\Admin\AppData\Local\Temp\1111.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\project.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\project.exe"
          4⤵
          • Executes dropped EXE
          PID:2212
      • C:\Users\Admin\AppData\Local\Temp\crazyinvers.exe
        "C:\Users\Admin\AppData\Local\Temp\crazyinvers.exe"
        3⤵
        • Executes dropped EXE
        PID:800
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:2820
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\0079952\QI.EXE
    Filesize: 5.9MB
    MD5: 6e5e7f2f5ddb3ae96e0b554af23f7d8a
    SHA1: 1db98b50cd29f1d9b56aad8e1440ba239829e65c
    SHA256: cba6b4b8a352174cedc24d216250d3e389ff5c06aa0b063869084bd2a85784d1
    SHA512: ac48c21e99aa0e1279d868b98a10d36bc0d3d2150cf88e9e666dcca2d5ccc045a886546f7d0117af5ff34d156cad0ecbe74a97e767e5e6447ef1c4171c7bdab9

  • C:\Users\Admin\AppData\Local\Temp\1111.exe
    Filesize: 4.6MB
    MD5: d76f5511907522ebe06e829de7b5ed52
    SHA1: 090abee096762c74879cc64197201011d09a6928
    SHA256: 248e8e6fe3c0699f347e6651eaf79c2d820848549520850b45ab9b762dbb9776
    SHA512: 8e7dd01b7bad9a3a3e4af3df76a8f6b3c80a20b3d3f9bd0cef8d1f0a4a6bbb893a8ab0075d0d5329a689a82ee8af2db756c1055d5be5d5417c9e6f33747dcbae

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    Filesize: 68KB
    MD5: bc1e7d033a999c4fd006109c24599f4d
    SHA1: b927f0fc4a4232a023312198b33272e1a6d79cec
    SHA256: 13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401
    SHA512: f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276

  • C:\Users\Admin\AppData\Local\Temp\crazyinvers.exe
    Filesize: 2.3MB
    MD5: a44458813e819777013eb3e644d74362
    SHA1: 2dd0616ca78e22464cf0cf68ef7915358a16f9ee
    SHA256: 47f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999
    SHA512: 1a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215

  • C:\Users\Admin\AppData\Local\Temp\crazywarningicons.exe
    Filesize: 1.2MB
    MD5: e21bb4749a8b1b6fc26a7bcf57781836
    SHA1: 89cb0bd80d691ca650ad01551be3acefa2256ebd
    SHA256: 0ecbb8099ed1d9a1673165d3c4c9bbde88dd9678540a98b99434ff23b9e6d82c
    SHA512: b0ccf421e415f94b6f0497dd041a8e7693d01d72cd577eca771d2049516f7a0c8c7221da642e5c38d5bc95a2335279d36f956314bda442b99a2d244bcc73b47b

  • C:\Users\Admin\AppData\Local\Temp\erroricons.exe
    Filesize: 316KB
    MD5: 7f31508d95be3fe50e4e9aa646e86a12
    SHA1: c61b439d6e17d630728f48c09b36af2647940748
    SHA256: 994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15
    SHA512: 2e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda

  • C:\Users\Admin\AppData\Local\Temp\pizdec.exe
    Filesize: 10KB
    MD5: f35633ae6d4ed40fce9b5b62dd575d79
    SHA1: df952be90c5447bac8db8a3bb2c31d6820a9e2a0
    SHA256: 97b09d2780df299384aa0f5d8184b9d5dc5df9d59715320b9afa7bdc93baa95c
    SHA512: 4b3ec5a372ab6883cf5b7f52010c99a2b7cf787b37b0062cbb542ae3557d8410e6ec2bff07e6d2266cea35885647ca9c5d26acce93fbace884e8fca632869952

  • C:\Users\Admin\AppData\Local\Temp\start.exe
    Filesize: 47KB
    MD5: 7a6212aaed7b0851de879a270928417d
    SHA1: 9c896a347ae1e568e045b1061938f0a56728d1c5
    SHA256: df3ee675829d7eeb051583b399909a0ac9d0b3e868c6850ecaa5d11a9e563c20
    SHA512: 6c21ea1cff7dfab081275808a4d3a3e2b081c2bc6a3d58b3b3ddbd714ee5e7091f8edaeb267bc8a887c77ac6de68cdc72dfd5bf1ae16cbe687af450d290adaa9

  • C:\Users\Admin\AppData\Local\Temp\systm.txt
    Filesize: 44B
    MD5: 1dd43ba56e91654ef01caf1352776b8d
    SHA1: 507c048cf3cff79355e93d6d84e2cd57d00e1687
    SHA256: 230539442f6c634c45e17b17baeb9a20e32460f13f430abc484c334025926de5
    SHA512: 14939d00a494c13dd895cd3a3428e793ca0fe710ad97b97b5867a3ad8aa46119bf07415a492fa6e2b067aae6b74c5dd0ea00c0b0b5b302a1d1b893ae0ba20886

  • \Users\Admin\AppData\Local\Temp\RarSFX0\project.exe
    Filesize: 3.4MB
    MD5: fdad1b564558765657cb835752b47e7c
    SHA1: 3c94e9acc969b66aab45eb8a60a77b27691950b2
    SHA256: 9b9f847720789d72858a6f25447ca0da4a1918cc2c1bc1e2f15ab462bb9c61e5
    SHA512: d04e560bd589b8c2b5f49753fa5d32d55c6978b53320639b65f4ee285154d0a216ff0765260407407e6cc6adc9b1d775c96b6a2dcdd7da1cea8a5fd175afd76e

  • memory/800-73-0x0000000000400000-0x0000000000582000-memory.dmp
    Filesize: 1.5MB

  • memory/1412-8-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
    Filesize: 32KB

  • memory/1412-7-0x000000001B610000-0x000000001B8F2000-memory.dmp
    Filesize: 2.9MB

  • memory/1412-6-0x0000000002DB0000-0x0000000002E30000-memory.dmp
    Filesize: 512KB

  • memory/2212-91-0x0000000000400000-0x0000000000653000-memory.dmp
    Filesize: 2.3MB

  • memory/2360-0-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp
    Filesize: 4KB

  • memory/2360-1-0x0000000000B80000-0x0000000001168000-memory.dmp
    Filesize: 5.9MB

  • memory/2460-52-0x000000002AA00000-0x000000002AA05000-memory.dmp
    Filesize: 20KB

  • memory/2460-37-0x000000002AA00000-0x000000002AA05000-memory.dmp
    Filesize: 20KB

  • memory/2472-97-0x0000000000400000-0x0000000000541000-memory.dmp
    Filesize: 1.3MB

  • memory/2620-96-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize: 336KB

  • memory/2684-60-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB

  • memory/2684-95-0x0000000000400000-0x000000000041D000-memory.dmp
    Filesize: 116KB

  • memory/2792-15-0x0000000000CA0000-0x0000000001288000-memory.dmp
    Filesize: 5.9MB