Analysis

  • max time kernel
    439s
  • max time network
    440s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/05/2024, 09:28

Errors

  • Reason
    Machine shutdown

General

  • Target

    QI.exe

  • Size

    5.9MB

  • MD5

    789b1ac7b64ef592aaae4f4dfb0db7cc

  • SHA1

    ab0a8b36004947a4e99975f3f48a47378b9d1b34

  • SHA256

    e740b975892814f7e3de95064e387a8849a1bf229428dadc012d326da2a7fb57

  • SHA512

    edb28ec8840ede950ed68c10311bc15020d38cd6b346bf4ee716118f79b2cb9ea64d6e8b1e8d98650b8039666a6818c5bba13865b41d53a89b174a8b3bd480f8

  • SSDEEP

    98304:Fsax1rwy8aT8jyE8oLm1wAIwsHST9nfJFijmNk48piH2F4w0FSRiGARGnarLYg29:+raT8uEhUsHST9nbi6NFH2FI8iN8naH+

Signatures

  • Disables Task Manager via registry modification
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 14 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QI.exe
    "C:\Users\Admin\AppData\Local\Temp\QI.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start2.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
        crazyinvers.exe
        3⤵
        • Executes dropped EXE
        PID:2716
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
        crazywarningicons.exe
        3⤵
        • Executes dropped EXE
        PID:2104
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
        erroricons.exe
        3⤵
        • Executes dropped EXE
        PID:2480
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe
        1111.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1912
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1972
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 300
            5⤵
            • Delays execution with timeout.exe
            PID:2004
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe
            pizdec.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Writes to the Master Boot Record (MBR)
            • Suspicious use of WriteProcessMemory
            PID:1620
            • C:\Users\Admin\AppData\Local\Temp\sys3.exe
              C:\Users\Admin\AppData\Local\Temp\\sys3.exe
              6⤵
              • Executes dropped EXE
              • Writes to the Master Boot Record (MBR)
              • Suspicious use of AdjustPrivilegeToken
              PID:2348
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2244
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1672

Downloads

            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe

              Filesize

              4.6MB

              MD5

              d76f5511907522ebe06e829de7b5ed52

              SHA1

              090abee096762c74879cc64197201011d09a6928

              SHA256

              248e8e6fe3c0699f347e6651eaf79c2d820848549520850b45ab9b762dbb9776

              SHA512

              8e7dd01b7bad9a3a3e4af3df76a8f6b3c80a20b3d3f9bd0cef8d1f0a4a6bbb893a8ab0075d0d5329a689a82ee8af2db756c1055d5be5d5417c9e6f33747dcbae

            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

              Filesize

              68KB

              MD5

              bc1e7d033a999c4fd006109c24599f4d

              SHA1

              b927f0fc4a4232a023312198b33272e1a6d79cec

              SHA256

              13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401

              SHA512

              f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276

            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe

              Filesize

              2.3MB

              MD5

              a44458813e819777013eb3e644d74362

              SHA1

              2dd0616ca78e22464cf0cf68ef7915358a16f9ee

              SHA256

              47f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999

              SHA512

              1a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215

            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe

              Filesize

              1.2MB

              MD5

              e21bb4749a8b1b6fc26a7bcf57781836

              SHA1

              89cb0bd80d691ca650ad01551be3acefa2256ebd

              SHA256

              0ecbb8099ed1d9a1673165d3c4c9bbde88dd9678540a98b99434ff23b9e6d82c

              SHA512

              b0ccf421e415f94b6f0497dd041a8e7693d01d72cd577eca771d2049516f7a0c8c7221da642e5c38d5bc95a2335279d36f956314bda442b99a2d244bcc73b47b

            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe

              Filesize

              316KB

              MD5

              7f31508d95be3fe50e4e9aa646e86a12

              SHA1

              c61b439d6e17d630728f48c09b36af2647940748

              SHA256

              994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15

              SHA512

              2e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda

            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat

              Filesize

              815B

              MD5

              f1ab5f5c9b58c3079d3184d263a15104

              SHA1

              870dfbd1219497389eaf590a16cf9011975113c7

              SHA256

              b20daedd6b3f51a84f7ac88e90aeac6a7f334cb8f5bdae138e10911ca47dc222

              SHA512

              f99410afd2298e751c6f37f5db3ada32e675bab87c6f14599bc39d0bad89d399283fa0f820bee41dedd260454d6b3749e7460b940ff66519ec8e1aee27efc15d

            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs

              Filesize

              117B

              MD5

              8099c67a9631789db03e90d7b7bf0980

              SHA1

              4fbf9f44825a1184b24a0d957b20a850f3b07c42

              SHA256

              88a4ed5c8caad58c8eda0d4ed6e36c98ce5b7545529da0cf41ffea4015b71206

              SHA512

              c2ce0931eed4925e9b808250aa1335e234470571f4e2c95ffc16af972656fb0c3c8b383327d38ec7d1a5d6290e5c6800715b14c0cb93f8ec2092f8e9c3a26043

            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\start2.bat

              Filesize

              163B

              MD5

              71bdd5f2a82ddb4537898c420327c080

              SHA1

              a6a67d3b0b8eb6a23f1da06e264c57ead3f3c579

              SHA256

              9b621f3f99c45ffe166a2389f3285110c4c2a189dd1ce95145778bc97c6464c1

              SHA512

              76f522afdf779e36bf385f4ebf3ff0567f9675d1e3fa7b5648380e0e48dbdc0ffe2005642831e58910c242715aeec85a1b0c7ab43470d145a64913d7fe3711e2

            • C:\Users\Admin\AppData\Local\Temp\RarSFX1\php5ts.dll

              Filesize

              6.5MB

              MD5

              c9aff68f6673fae7580527e8c76805b6

              SHA1

              bb62cc1db82cfe07a8c08a36446569dfc9c76d10

              SHA256

              9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4

              SHA512

              c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

            • C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe

              Filesize

              3.4MB

              MD5

              fdad1b564558765657cb835752b47e7c

              SHA1

              3c94e9acc969b66aab45eb8a60a77b27691950b2

              SHA256

              9b9f847720789d72858a6f25447ca0da4a1918cc2c1bc1e2f15ab462bb9c61e5

              SHA512

              d04e560bd589b8c2b5f49753fa5d32d55c6978b53320639b65f4ee285154d0a216ff0765260407407e6cc6adc9b1d775c96b6a2dcdd7da1cea8a5fd175afd76e

            • C:\Users\Admin\AppData\Local\Temp\systm.txt

              Filesize

              52B

              MD5

              d94e00dfb41542029aaf53f329f33c7d

              SHA1

              010eac3cd5e1d2312930091c6c804f4c5ad58dde

              SHA256

              82af09d3c68b25a393879906b7197f4dbe30c3dbe1b9b2817eefddea6d96cb03

              SHA512

              dec4743ce68538395b4915e8fd3f932a02ee08d82ac899b278ea91c44e747076353a81a48de04ff4e4513d2b7e3764c564240319e4975dd00920f78189582639

            • \Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe

              Filesize

              10KB

              MD5

              f35633ae6d4ed40fce9b5b62dd575d79

              SHA1

              df952be90c5447bac8db8a3bb2c31d6820a9e2a0

              SHA256

              97b09d2780df299384aa0f5d8184b9d5dc5df9d59715320b9afa7bdc93baa95c

              SHA512

              4b3ec5a372ab6883cf5b7f52010c99a2b7cf787b37b0062cbb542ae3557d8410e6ec2bff07e6d2266cea35885647ca9c5d26acce93fbace884e8fca632869952

            • memory/1620-228-0x000000002AA00000-0x000000002AA05000-memory.dmp

              Filesize

              20KB

            • memory/1912-113-0x0000000000400000-0x0000000000653000-memory.dmp

              Filesize

              2.3MB

            • memory/1912-109-0x0000000000400000-0x0000000000653000-memory.dmp

              Filesize

              2.3MB

            • memory/2104-107-0x0000000000400000-0x0000000000541000-memory.dmp

              Filesize

              1.3MB

            • memory/2348-236-0x000000002AA00000-0x000000002AA05000-memory.dmp

              Filesize

              20KB

            • memory/2480-108-0x0000000000400000-0x0000000000454000-memory.dmp

              Filesize

              336KB

            • memory/2716-106-0x0000000000400000-0x0000000000582000-memory.dmp

              Filesize

              1.5MB