Analysis
- max time kernel: 12s
- max time network: 13s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/05/2024, 08:09
Static task: static1
Behavioral task: behavioral1
- Sample: QI.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: QI.exe
- Resource: win10v2004-20240419-en
Errors
General
- Target: QI.exe
- Size: 5.9MB
- MD5: 352c1cd1b44a666a3535c9b1f2c578d0
- SHA1: e335a89a43596ce4bc1e25a1a63a8ec5a480f9ab
- SHA256: 70d313b32680b46843d8bb85d3c38f60a0907aee88cc5ac7f446e7809375e447
- SHA512: d82f18300789a4110d7f3f509e5171fea5ef86760125c877a5577f0747b29024bb4f7af7ebbbb066c5d39501c89f115ba83808183aa1609b324f1441bca85e94
- SSDEEP: 98304:JFJ895z6ubxEWOUkEE8vT5epqdse9dHCkvRvCgJWGu78JDaKX2O6RJXTg:J72N6u6WOh8vlfdzvRvrJ1uYBaGmXX
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid 1624 powershell.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation (QI.exe)
  Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation (QI.EXE)
- Executes dropped EXE (8 IoCs)
  pid 1648 QI.EXE; 4420 crazywarningicons.exe; 2028 erroricons.exe; 1912 pizdec.exe; 3572 [email protected]; 3712 start.exe; 1172 sys3.exe; 4864 1111.exe
- yara_rule upx (3 resources)
  behavioral2/files/0x0031000000023bb5-76.dat: upx
  behavioral2/memory/3712-82-0x0000000000400000-0x000000000041D000-memory.dmp: upx
  behavioral2/memory/3712-104-0x0000000000400000-0x000000000041D000-memory.dmp: upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QI = "C:\\0079952\\QI.EXE" (QI.exe)
- Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification \??\PHYSICALDRIVE0 (pizdec.exe)
  File opened for modification \??\PHYSICALDRIVE0 (sys3.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4244 schtasks.exe
- Modifies data under HKEY_USERS (15 IoCs), all by LogonUI.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "42"
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1624 powershell.exe; 1624 powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1624 powershell.exe
  Token: SeShutdownPrivilege, pid 1172 sys3.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid 4436 LogonUI.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  description / pid / Process / procid_target:
  PID 2192 wrote to memory of 1624 / 2192 / QI.exe / 87
  PID 2192 wrote to memory of 1624 / 2192 / QI.exe / 87
  PID 2192 wrote to memory of 4244 / 2192 / QI.exe / 89
  PID 2192 wrote to memory of 4244 / 2192 / QI.exe / 89
  PID 2192 wrote to memory of 1648 / 2192 / QI.exe / 91
  PID 2192 wrote to memory of 1648 / 2192 / QI.exe / 91
  PID 1648 wrote to memory of 4420 / 1648 / QI.EXE / 96
  PID 1648 wrote to memory of 4420 / 1648 / QI.EXE / 96
  PID 1648 wrote to memory of 4420 / 1648 / QI.EXE / 96
  PID 1648 wrote to memory of 2028 / 1648 / QI.EXE / 97
  PID 1648 wrote to memory of 2028 / 1648 / QI.EXE / 97
  PID 1648 wrote to memory of 2028 / 1648 / QI.EXE / 97
  PID 1648 wrote to memory of 1912 / 1648 / QI.EXE / 98
  PID 1648 wrote to memory of 1912 / 1648 / QI.EXE / 98
  PID 1648 wrote to memory of 1912 / 1648 / QI.EXE / 98
  PID 1648 wrote to memory of 3572 / 1648 / QI.EXE / 99
  PID 1648 wrote to memory of 3572 / 1648 / QI.EXE / 99
  PID 1648 wrote to memory of 3712 / 1648 / QI.EXE / 100
  PID 1648 wrote to memory of 3712 / 1648 / QI.EXE / 100
  PID 1648 wrote to memory of 3712 / 1648 / QI.EXE / 100
  PID 1912 wrote to memory of 1172 / 1912 / pizdec.exe / 101
  PID 1912 wrote to memory of 1172 / 1912 / pizdec.exe / 101
  PID 1912 wrote to memory of 1172 / 1912 / pizdec.exe / 101
  PID 1648 wrote to memory of 4864 / 1648 / QI.EXE / 103
  PID 1648 wrote to memory of 4864 / 1648 / QI.EXE / 103
  PID 1648 wrote to memory of 4864 / 1648 / QI.EXE / 103
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\QI.exe (PID 2192)
  Command line: "C:\Users\Admin\AppData\Local\Temp\QI.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1624)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\0079952\QI.EXE'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 4244)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /F /TN "QI" /SC ONLOGON /TR "C:\0079952\QI.EXE" /RL HIGHEST
    Signatures: Creates scheduled task(s)
  - C:\0079952\QI.EXE (PID 1648)
    Command line: "C:\0079952\QI.EXE"
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\crazywarningicons.exe (PID 4420)
      Command line: "C:\Users\Admin\AppData\Local\Temp\crazywarningicons.exe"
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\erroricons.exe (PID 2028)
      Command line: "C:\Users\Admin\AppData\Local\Temp\erroricons.exe"
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\pizdec.exe (PID 1912)
      Command line: "C:\Users\Admin\AppData\Local\Temp\pizdec.exe"
      Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR); Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\sys3.exe (PID 1172)
        Command line: C:\Users\Admin\AppData\Local\Temp\\sys3.exe
        Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR); Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\[email protected] (PID 3572)
    - C:\Users\Admin\AppData\Local\Temp\start.exe (PID 3712)
      Command line: "C:\Users\Admin\AppData\Local\Temp\start.exe"
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\1111.exe (PID 4864)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1111.exe"
      Signatures: Executes dropped EXE
- C:\Windows\system32\LogonUI.exe (PID 4436)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39b6055 /state1:0x41c64e6d
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads