Analysis

  • max time kernel: 317s
  • max time network: 319s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 07/05/2024, 09:28

Errors

  • Reason: Machine shutdown

General

  • Target: QI.exe
  • Size: 5.9MB
  • MD5: 789b1ac7b64ef592aaae4f4dfb0db7cc
  • SHA1: ab0a8b36004947a4e99975f3f48a47378b9d1b34
  • SHA256: e740b975892814f7e3de95064e387a8849a1bf229428dadc012d326da2a7fb57
  • SHA512: edb28ec8840ede950ed68c10311bc15020d38cd6b346bf4ee716118f79b2cb9ea64d6e8b1e8d98650b8039666a6818c5bba13865b41d53a89b174a8b3bd480f8
  • SSDEEP: 98304:Fsax1rwy8aT8jyE8oLm1wAIwsHST9nfJFijmNk48piH2F4w0FSRiGARGnarLYg29:+raT8uEhUsHST9nbi6NFH2FI8iN8naH+

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Checks computer location settings (2 TTPs, 4 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (8 IoCs)
  • Loads dropped DLL (1 IoC)
  • Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe (1 IoC)
  • Modifies data under HKEY_USERS (15 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (35 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\QI.exe
    "C:\Users\Admin\AppData\Local\Temp\QI.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3300
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start2.bat" "
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3484
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
        crazyinvers.exe
        3⤵
        • Executes dropped EXE
        PID:2012
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
        crazywarningicons.exe
        3⤵
        • Executes dropped EXE
        PID:5008
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
        erroricons.exe
        3⤵
        • Executes dropped EXE
        PID:3252
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe
        1111.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4000
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:4352
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4376
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 300
            5⤵
            • Delays execution with timeout.exe
            PID:588
          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe
            pizdec.exe
            5⤵
            • Executes dropped EXE
            • Writes to the Master Boot Record (MBR)
            • Suspicious use of WriteProcessMemory
            PID:3000
            • C:\Users\Admin\AppData\Local\Temp\sys3.exe
              C:\Users\Admin\AppData\Local\Temp\\sys3.exe
              6⤵
              • Executes dropped EXE
              • Writes to the Master Boot Record (MBR)
              • Suspicious use of AdjustPrivilegeToken
              PID:2484
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa38c3855 /state1:0x41c64e6d
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4772

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe
    Filesize: 4.6MB
    MD5: d76f5511907522ebe06e829de7b5ed52
    SHA1: 090abee096762c74879cc64197201011d09a6928
    SHA256: 248e8e6fe3c0699f347e6651eaf79c2d820848549520850b45ab9b762dbb9776
    SHA512: 8e7dd01b7bad9a3a3e4af3df76a8f6b3c80a20b3d3f9bd0cef8d1f0a4a6bbb893a8ab0075d0d5329a689a82ee8af2db756c1055d5be5d5417c9e6f33747dcbae

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
    Filesize: 68KB
    MD5: bc1e7d033a999c4fd006109c24599f4d
    SHA1: b927f0fc4a4232a023312198b33272e1a6d79cec
    SHA256: 13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401
    SHA512: f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe
    Filesize: 2.3MB
    MD5: a44458813e819777013eb3e644d74362
    SHA1: 2dd0616ca78e22464cf0cf68ef7915358a16f9ee
    SHA256: 47f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999
    SHA512: 1a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe
    Filesize: 1.2MB
    MD5: e21bb4749a8b1b6fc26a7bcf57781836
    SHA1: 89cb0bd80d691ca650ad01551be3acefa2256ebd
    SHA256: 0ecbb8099ed1d9a1673165d3c4c9bbde88dd9678540a98b99434ff23b9e6d82c
    SHA512: b0ccf421e415f94b6f0497dd041a8e7693d01d72cd577eca771d2049516f7a0c8c7221da642e5c38d5bc95a2335279d36f956314bda442b99a2d244bcc73b47b

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe
    Filesize: 316KB
    MD5: 7f31508d95be3fe50e4e9aa646e86a12
    SHA1: c61b439d6e17d630728f48c09b36af2647940748
    SHA256: 994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15
    SHA512: 2e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe
    Filesize: 10KB
    MD5: f35633ae6d4ed40fce9b5b62dd575d79
    SHA1: df952be90c5447bac8db8a3bb2c31d6820a9e2a0
    SHA256: 97b09d2780df299384aa0f5d8184b9d5dc5df9d59715320b9afa7bdc93baa95c
    SHA512: 4b3ec5a372ab6883cf5b7f52010c99a2b7cf787b37b0062cbb542ae3557d8410e6ec2bff07e6d2266cea35885647ca9c5d26acce93fbace884e8fca632869952

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat
    Filesize: 815B
    MD5: f1ab5f5c9b58c3079d3184d263a15104
    SHA1: 870dfbd1219497389eaf590a16cf9011975113c7
    SHA256: b20daedd6b3f51a84f7ac88e90aeac6a7f334cb8f5bdae138e10911ca47dc222
    SHA512: f99410afd2298e751c6f37f5db3ada32e675bab87c6f14599bc39d0bad89d399283fa0f820bee41dedd260454d6b3749e7460b940ff66519ec8e1aee27efc15d

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs
    Filesize: 117B
    MD5: 8099c67a9631789db03e90d7b7bf0980
    SHA1: 4fbf9f44825a1184b24a0d957b20a850f3b07c42
    SHA256: 88a4ed5c8caad58c8eda0d4ed6e36c98ce5b7545529da0cf41ffea4015b71206
    SHA512: c2ce0931eed4925e9b808250aa1335e234470571f4e2c95ffc16af972656fb0c3c8b383327d38ec7d1a5d6290e5c6800715b14c0cb93f8ec2092f8e9c3a26043

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\start2.bat
    Filesize: 163B
    MD5: 71bdd5f2a82ddb4537898c420327c080
    SHA1: a6a67d3b0b8eb6a23f1da06e264c57ead3f3c579
    SHA256: 9b621f3f99c45ffe166a2389f3285110c4c2a189dd1ce95145778bc97c6464c1
    SHA512: 76f522afdf779e36bf385f4ebf3ff0567f9675d1e3fa7b5648380e0e48dbdc0ffe2005642831e58910c242715aeec85a1b0c7ab43470d145a64913d7fe3711e2

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\php5ts.dll
    Filesize: 6.5MB
    MD5: c9aff68f6673fae7580527e8c76805b6
    SHA1: bb62cc1db82cfe07a8c08a36446569dfc9c76d10
    SHA256: 9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4
    SHA512: c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe
    Filesize: 3.4MB
    MD5: fdad1b564558765657cb835752b47e7c
    SHA1: 3c94e9acc969b66aab45eb8a60a77b27691950b2
    SHA256: 9b9f847720789d72858a6f25447ca0da4a1918cc2c1bc1e2f15ab462bb9c61e5
    SHA512: d04e560bd589b8c2b5f49753fa5d32d55c6978b53320639b65f4ee285154d0a216ff0765260407407e6cc6adc9b1d775c96b6a2dcdd7da1cea8a5fd175afd76e

  • C:\Users\Admin\AppData\Local\Temp\systm.txt
    Filesize: 52B
    MD5: d94e00dfb41542029aaf53f329f33c7d
    SHA1: 010eac3cd5e1d2312930091c6c804f4c5ad58dde
    SHA256: 82af09d3c68b25a393879906b7197f4dbe30c3dbe1b9b2817eefddea6d96cb03
    SHA512: dec4743ce68538395b4915e8fd3f932a02ee08d82ac899b278ea91c44e747076353a81a48de04ff4e4513d2b7e3764c564240319e4975dd00920f78189582639

  • memory/2012-64-0x0000000000400000-0x0000000000582000-memory.dmp (Filesize: 1.5MB)
  • memory/2108-72-0x0000000001420000-0x0000000001430000-memory.dmp (Filesize: 64KB)
  • memory/2108-56-0x000000001C4C0000-0x000000001C55C000-memory.dmp (Filesize: 624KB)
  • memory/2108-44-0x000000001B8F0000-0x000000001B996000-memory.dmp (Filesize: 664KB)
  • memory/2108-53-0x000000001BEF0000-0x000000001C3BE000-memory.dmp (Filesize: 4.8MB)
  • memory/2108-61-0x000000001B9B0000-0x000000001B9B8000-memory.dmp (Filesize: 32KB)
  • memory/2108-38-0x0000000001420000-0x0000000001430000-memory.dmp (Filesize: 64KB)
  • memory/2108-63-0x000000001C620000-0x000000001C66C000-memory.dmp (Filesize: 304KB)
  • memory/2484-194-0x000000002AA00000-0x000000002AA05000-memory.dmp (Filesize: 20KB)
  • memory/3000-191-0x000000002AA00000-0x000000002AA05000-memory.dmp (Filesize: 20KB)
  • memory/3252-66-0x0000000000400000-0x0000000000454000-memory.dmp (Filesize: 336KB)
  • memory/4352-67-0x0000000000400000-0x0000000000653000-memory.dmp (Filesize: 2.3MB)
  • memory/5008-65-0x0000000000400000-0x0000000000541000-memory.dmp (Filesize: 1.3MB)