Analysis
max time kernel: 317s
max time network: 319s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/05/2024, 09:28
Static task: static1
Behavioral task: behavioral1
  Sample: QI.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: QI.exe
  Resource: win10v2004-20240426-en
Errors
General
Target: QI.exe
Size: 5.9MB
MD5: 789b1ac7b64ef592aaae4f4dfb0db7cc
SHA1: ab0a8b36004947a4e99975f3f48a47378b9d1b34
SHA256: e740b975892814f7e3de95064e387a8849a1bf229428dadc012d326da2a7fb57
SHA512: edb28ec8840ede950ed68c10311bc15020d38cd6b346bf4ee716118f79b2cb9ea64d6e8b1e8d98650b8039666a6818c5bba13865b41d53a89b174a8b3bd480f8
SSDEEP: 98304:Fsax1rwy8aT8jyE8oLm1wAIwsHST9nfJFijmNk48piH2F4w0FSRiGARGnarLYg29:+raT8uEhUsHST9nbi6NFH2FI8iN8naH+
Malware Config
Signatures

Disables Task Manager via registry modification

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely a geofence check. The same value is read by many benign code paths (two of the four hits below are cmd.exe and WScript.exe), so on its own it is weak evidence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation (cmd.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation (1111.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation (QI.exe)

Executes dropped EXE (8 IoCs)
- PID 2012: crazyinvers.exe
- PID 5008: crazywarningicons.exe
- PID 3252: erroricons.exe
- PID 2108: [email protected]
- PID 4000: 1111.exe
- PID 4352: project.exe
- PID 3000: pizdec.exe
- PID 2484: sys3.exe

Loads dropped DLL (1 IoC)
- PID 4352: project.exe
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system. Here two dropped executables open the raw disk for modification; sys3.exe then enables SeShutdownPrivilege (see the AdjustPrivilegeToken signature below), which is consistent with forcing a reboot so that whatever was written to sector 0 runs before the OS does. File-based IOCs do not cover this: the change lives outside any filesystem.
- File opened for modification: \??\PHYSICALDRIVE0 (pizdec.exe)
- File opened for modification: \??\PHYSICALDRIVE0 (sys3.exe)
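Because the write above lands in sector 0 rather than in a file, a responder wants to inspect the MBR directly. The following is an added example, not code from the report, the sandbox or the sample: it parses a 512-byte MBR, checks the 55AA boot signature and the partition table, and compares the bootstrap code against a known-good SHA-256. The baseline stub, the partition layout and the "locked" replacement sector are all constructed here and are not the sample's payload. On a live Windows host you would read the first 512 bytes of \\.\PhysicalDrive0 as administrator and pass them to analyze_mbr together with a hash taken from a clean image.

```python
"""Added example (not code from the report, the sandbox or the sample): parse and
sanity-check a 512-byte MBR and compare its bootstrap code with a trusted baseline.
Every MBR byte string below is constructed for the example."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

MBR_SIZE = 512
BOOTCODE_LEN = 0x1B8       # bootstrap code; the 4-byte disk signature follows it
PART_TABLE_OFF = 0x1BE
PART_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass
class MbrReport:
    sig_ok: bool
    bootcode_sha256: str
    bootcode_matches_baseline: Optional[bool]   # None when no baseline was given
    partitions: List[Partition]
    findings: List[str]


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four 16-byte partition entries, skipping empty (type 0) slots."""
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, size = struct.unpack_from(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i)
        if ptype:
            parts.append(Partition(i, status == 0x80, ptype, lba, size))
    return parts


def analyze_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> MbrReport:
    """Structural checks on sector 0 plus a hash comparison of the bootstrap code."""
    findings: List[str] = []
    if len(mbr) != MBR_SIZE:
        findings.append(f"unexpected sector length {len(mbr)}")
        mbr = mbr[:MBR_SIZE].ljust(MBR_SIZE, b"\x00")
    sig_ok = mbr[510:] == BOOT_SIG
    if not sig_ok:
        findings.append("boot signature 55AA missing: sector wiped or overwritten")
    code = mbr[:BOOTCODE_LEN]
    digest = hashlib.sha256(code).hexdigest()
    matches = None
    if baseline_sha256 is not None:
        matches = digest == baseline_sha256.lower()
        if not matches:
            findings.append("bootstrap code differs from baseline: possible bootkit or MBR locker")
    if len(set(code)) <= 1:
        findings.append("bootstrap code is one repeated byte: wiped")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("partition table empty")
    elif sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one bootable partition")
    return MbrReport(sig_ok, digest, matches, parts, findings)


def build_mbr(bootcode: bytes, partitions: List[Partition], disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a constructed MBR for the example; the stub is not real boot code."""
    buf = bytearray(MBR_SIZE)
    buf[:len(bootcode)] = bootcode
    struct.pack_into("<I", buf, BOOTCODE_LEN, disk_sig)
    for p in partitions:
        struct.pack_into(PART_ENTRY, buf, PART_TABLE_OFF + 16 * p.index,
                         0x80 if p.bootable else 0, b"\xfe\xff\xff", p.type_id,
                         b"\xfe\xff\xff", p.lba_start, p.sectors)
    buf[510:] = BOOT_SIG
    return bytes(buf)


# Constructed baseline: a short stub plus one bootable NTFS (type 0x07) partition at LBA 2048.
BASELINE_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 24
GOOD_MBR = build_mbr(BASELINE_BOOTCODE, [Partition(0, True, 0x07, 2048, 204800)])
BASELINE_SHA256 = hashlib.sha256(GOOD_MBR[:BOOTCODE_LEN]).hexdigest()

# Constructed post-infection sector: bootstrap replaced by a self-jump and a message, partition
# table left intact so a partition listing still looks normal. Not the sample's payload.
_t = bytearray(GOOD_MBR)
_t[:BOOTCODE_LEN] = (b"\xeb\xfe" + b"YOUR DISK IS LOCKED").ljust(BOOTCODE_LEN, b"\x00")
TAMPERED_MBR = bytes(_t)

if __name__ == "__main__":
    for label, sector in (("baseline", GOOD_MBR), ("tampered", TAMPERED_MBR), ("wiped", bytes(MBR_SIZE))):
        rep = analyze_mbr(sector, BASELINE_SHA256)
        print(f"{label:9} sig_ok={rep.sig_ok} partitions={len(rep.partitions)} findings={rep.findings}")
```

The hash covers only the first 0x1B8 bytes on purpose: the disk signature and partition table legitimately differ between machines, while the bootstrap code on a given OS build is stable, so that is the region a baseline should pin. The "tampered" case is the one that matters for this sample: signature and partition table still look healthy, and only the baseline comparison catches the replacement.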
Drops file in Windows directory (1 IoC)
- File created: C:\Windows\rescache\_merged\2229298842\2573727926.pri (LogonUI.exe)
LogonUI.exe is the Windows logon screen; a .pri file under rescache is resource-cache housekeeping by that system component, not a file dropped by the sample.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
- PID 588: timeout.exe
The delay is timeout /t 300 (see the process tree below), i.e. five minutes, against a kernel run window of 317s. pizdec.exe, sys3.exe and both MBR writes run only after it, close to the end of the analysis; a sandbox with a shorter run window would have reported none of them.

Modifies data under HKEY_USERS (15 IoCs)
All fifteen writes are by LogonUI.exe under HKEY_USERS\.DEFAULT (DWM colorization, accent palette, theme history). These are logon-screen theming defaults written by a Windows component, most likely as a side effect of the reboot or lock that followed, and not activity of the sample's own code.
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "159" (LogonUI.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)

Modifies registry class (1 IoC)
- Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings (cmd.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeShutdownPrivilege, PID 2484 (sys3.exe)

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 4772: LogonUI.exe
- PID 4772: LogonUI.exe

Suspicious use of WriteProcessMemory (35 IoCs)
Each entry pairs a parent with a child it has just spawned (compare the process tree below), so this signature documents the launch chain rather than injection into an unrelated process. Identical repeated entries are collapsed with a count.
- PID 3300 (QI.exe) wrote to memory of 3484, procid_target 83 (x3)
- PID 3484 (cmd.exe) wrote to memory of 2012, procid_target 88 (x3)
- PID 3484 (cmd.exe) wrote to memory of 5008, procid_target 89 (x3)
- PID 3484 (cmd.exe) wrote to memory of 3252, procid_target 90 (x3)
- PID 3484 (cmd.exe) wrote to memory of 2108, procid_target 91 (x2)
- PID 3484 (cmd.exe) wrote to memory of 4000, procid_target 93 (x3)
- PID 3484 (cmd.exe) wrote to memory of 2696, procid_target 94 (x3)
- PID 4000 (1111.exe) wrote to memory of 4352, procid_target 95 (x3)
- PID 2696 (WScript.exe) wrote to memory of 4376, procid_target 96 (x3)
- PID 4376 (cmd.exe) wrote to memory of 588, procid_target 98 (x3)
- PID 4376 (cmd.exe) wrote to memory of 3000, procid_target 121 (x3)
- PID 3000 (pizdec.exe) wrote to memory of 2484, procid_target 122 (x3)
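Read together, the signatures above describe one chain: a long delay, a raw-disk write, and a shutdown-privilege request from the process that wrote the disk. The script below is an added example, not code from the report, the sandbox or the sample, showing how those behaviours can be expressed as rules over process, file and registry events and how each hit can be enriched with its process ancestry. The event schema is constructed for the example, and the events are modelled on this report's process tree. Two assumptions: the DisableTaskMgr path is the standard Task Manager policy value, which the report does not confirm for this sample, and the process that sets it is chosen arbitrarily because the report does not say.

```python
"""Added example, not from the sandbox report or the sample: a detection pass over
constructed process/file/registry events that flags the behaviours the report lists
(write handles to \\??\\PHYSICALDRIVE0, a long timeout.exe delay, the Geo\\Nation
lookup, SeShutdownPrivilege after a raw-disk write) and attaches the process
ancestry to each hit. The event schema and the events themselves are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RAW_DISK_RE = re.compile(r"^(\\\?\?\\|\\\\\.\\)PHYSICALDRIVE\d+$", re.IGNORECASE)
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# Standard Task Manager policy value; the report does not say which key this sample set (assumption).
DISABLE_TASKMGR_RE = re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.IGNORECASE)
TIMEOUT_RE = re.compile(r"\btimeout(?:\.exe)?\s+/t\s+(\d+)", re.IGNORECASE)
LONG_DELAY_S = 60   # a delay this long is a sandbox-evasion candidate


@dataclass
class Alert:
    rule: str
    severity: str
    pid: int
    image: str
    detail: str
    chain: List[str] = field(default_factory=list)   # image, parent image, ... root


def build_tree(events: List[dict]) -> Dict[int, Tuple[str, Optional[int]]]:
    """pid -> (image basename, parent pid), taken from process_create events."""
    return {e["pid"]: (e["image"].rsplit("\\", 1)[-1], e.get("ppid"))
            for e in events if e["kind"] == "process_create"}


def ancestry(tree: Dict[int, Tuple[str, Optional[int]]], pid: Optional[int]) -> List[str]:
    """Walk parent links up to the root; stops at unknown pids or cycles."""
    out, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        image, pid = tree[pid]
        out.append(image)
    return out


def detect(events: List[dict]) -> List[Alert]:
    """Apply the rules to chronologically ordered events and return the alerts raised."""
    tree = build_tree(events)
    alerts: List[Alert] = []
    raw_writers = set()   # pids seen opening a physical drive for write

    def hit(rule, sev, pid, detail):
        image = tree.get(pid, ("<unknown>", None))[0]
        alerts.append(Alert(rule, sev, pid, image, detail, ancestry(tree, pid)))

    for e in events:
        k = e["kind"]
        if k == "process_create":
            m = TIMEOUT_RE.search(e.get("cmdline", ""))
            if m and int(m.group(1)) >= LONG_DELAY_S:
                hit("long_timeout_delay", "low", e["pid"], f"timeout /t {m.group(1)}: may outlast a sandbox run")
        elif k == "file_open" and RAW_DISK_RE.match(e["target"]) and "write" in e["access"]:
            raw_writers.add(e["pid"])
            hit("raw_disk_write", "high", e["pid"], f"write handle to {e['target']} (boot sector tamper)")
        elif k == "registry_set" and DISABLE_TASKMGR_RE.search(e["path"]) and e.get("value") == 1:
            hit("task_manager_disabled", "medium", e["pid"], e["path"])
        elif k == "registry_query" and GEO_NATION_RE.search(e["path"]):
            hit("geo_nation_lookup", "info", e["pid"], "country lookup; benign processes do this too")
        elif k == "privilege_adjust" and e["privilege"] == "SeShutdownPrivilege" and e["pid"] in raw_writers:
            hit("reboot_after_raw_disk_write", "critical", e["pid"],
                "shutdown privilege enabled by a raw-disk writer: reboot into the tampered MBR")
    return alerts


T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [   # constructed; PIDs and paths follow the report's process tree
    {"kind": "process_create", "pid": 3300, "ppid": None, "image": T + r"\QI.exe", "cmdline": "QI.exe"},
    {"kind": "registry_query", "pid": 3300,
     "path": r"\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation"},
    {"kind": "process_create", "pid": 3484, "ppid": 3300, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd.exe /c " + T + r"\RarSFX0\start2.bat"},
    {"kind": "process_create", "pid": 2696, "ppid": 3484, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": "WScript.exe " + T + r"\RarSFX0\start.vbs"},
    {"kind": "process_create", "pid": 4376, "ppid": 2696, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd.exe /c " + T + r"\RarSFX0\start.bat"},
    {"kind": "process_create", "pid": 588, "ppid": 4376, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "timeout /t 300"},
    {"kind": "process_create", "pid": 3000, "ppid": 4376, "image": T + r"\RarSFX0\pizdec.exe", "cmdline": "pizdec.exe"},
    # The report does not say which process disabled Task Manager; pid 3000 is an arbitrary choice here.
    {"kind": "registry_set", "pid": 3000, "value": 1,
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
    {"kind": "file_open", "pid": 3000, "target": r"\??\PHYSICALDRIVE0", "access": ("read", "write")},
    {"kind": "process_create", "pid": 2484, "ppid": 3000, "image": T + r"\sys3.exe", "cmdline": "sys3.exe"},
    {"kind": "file_open", "pid": 2484, "target": r"\??\PHYSICALDRIVE0", "access": ("write",)},
    {"kind": "privilege_adjust", "pid": 2484, "privilege": "SeShutdownPrivilege"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity:8}] {a.rule:28} pid={a.pid:<5} {' <- '.join(a.chain)}")
        print("            ", a.detail)
```

The only critical-severity rule is the correlated one: SeShutdownPrivilege by itself is requested by plenty of legitimate software, and a raw-disk write handle alone is also what disk utilities hold, but a process that does the second and then asks for the first is arranging to reboot into what it just wrote. The ancestry string is what makes the alert actionable in a real environment, since it ties sys3.exe back through the batch and VBS stages to QI.exe, the file a user actually ran.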
Processes
Paths under %TEMP%\RarSFX0 and %TEMP%\RarSFX1 are the extraction directories of WinRAR self-extracting archives: QI.exe unpacks its payload into RarSFX0 and runs start2.bat, and 1111.exe is a second SFX that unpacks project.exe into RarSFX1. QI.exe is a 32-bit binary (its children are the SysWOW64 copies of cmd.exe, WScript.exe and timeout.exe), matching the arch:x86 resource tag. Indentation below shows parent/child relationships.

- C:\Users\Admin\AppData\Local\Temp\QI.exe (PID 3300)
  Command line: "C:\Users\Admin\AppData\Local\Temp\QI.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3484)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start2.bat" "
    Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazyinvers.exe (PID 2012)
      Command line: crazyinvers.exe
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\crazywarningicons.exe (PID 5008)
      Command line: crazywarningicons.exe
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\erroricons.exe (PID 3252)
      Command line: erroricons.exe
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] (PID 2108)
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\1111.exe (PID 4000)
      Command line: 1111.exe
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe (PID 4352)
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\project.exe"
        Signatures: Executes dropped EXE; Loads dropped DLL
    - C:\Windows\SysWOW64\WScript.exe (PID 2696)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.vbs"
      Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 4376)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\timeout.exe (PID 588)
          Command line: timeout /t 300
          Signatures: Delays execution with timeout.exe
        - C:\Users\Admin\AppData\Local\Temp\RarSFX0\pizdec.exe (PID 3000)
          Command line: pizdec.exe
          Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR); Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\sys3.exe (PID 2484)
            Command line: C:\Users\Admin\AppData\Local\Temp\\sys3.exe
            Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR); Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\LogonUI.exe (PID 4772)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa38c3855 /state1:0x41c64e6d
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.6MB
  MD5: d76f5511907522ebe06e829de7b5ed52
  SHA1: 090abee096762c74879cc64197201011d09a6928
  SHA256: 248e8e6fe3c0699f347e6651eaf79c2d820848549520850b45ab9b762dbb9776
  SHA512: 8e7dd01b7bad9a3a3e4af3df76a8f6b3c80a20b3d3f9bd0cef8d1f0a4a6bbb893a8ab0075d0d5329a689a82ee8af2db756c1055d5be5d5417c9e6f33747dcbae
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
  Filesize: 68KB
  MD5: bc1e7d033a999c4fd006109c24599f4d
  SHA1: b927f0fc4a4232a023312198b33272e1a6d79cec
  SHA256: 13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401
  SHA512: f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276
- Filesize: 2.3MB
  MD5: a44458813e819777013eb3e644d74362
  SHA1: 2dd0616ca78e22464cf0cf68ef7915358a16f9ee
  SHA256: 47f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999
  SHA512: 1a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215
- Filesize: 1.2MB
  MD5: e21bb4749a8b1b6fc26a7bcf57781836
  SHA1: 89cb0bd80d691ca650ad01551be3acefa2256ebd
  SHA256: 0ecbb8099ed1d9a1673165d3c4c9bbde88dd9678540a98b99434ff23b9e6d82c
  SHA512: b0ccf421e415f94b6f0497dd041a8e7693d01d72cd577eca771d2049516f7a0c8c7221da642e5c38d5bc95a2335279d36f956314bda442b99a2d244bcc73b47b
- Filesize: 316KB
  MD5: 7f31508d95be3fe50e4e9aa646e86a12
  SHA1: c61b439d6e17d630728f48c09b36af2647940748
  SHA256: 994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15
  SHA512: 2e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda
- Filesize: 10KB
  MD5: f35633ae6d4ed40fce9b5b62dd575d79
  SHA1: df952be90c5447bac8db8a3bb2c31d6820a9e2a0
  SHA256: 97b09d2780df299384aa0f5d8184b9d5dc5df9d59715320b9afa7bdc93baa95c
  SHA512: 4b3ec5a372ab6883cf5b7f52010c99a2b7cf787b37b0062cbb542ae3557d8410e6ec2bff07e6d2266cea35885647ca9c5d26acce93fbace884e8fca632869952
- Filesize: 815B
  MD5: f1ab5f5c9b58c3079d3184d263a15104
  SHA1: 870dfbd1219497389eaf590a16cf9011975113c7
  SHA256: b20daedd6b3f51a84f7ac88e90aeac6a7f334cb8f5bdae138e10911ca47dc222
  SHA512: f99410afd2298e751c6f37f5db3ada32e675bab87c6f14599bc39d0bad89d399283fa0f820bee41dedd260454d6b3749e7460b940ff66519ec8e1aee27efc15d
- Filesize: 117B
  MD5: 8099c67a9631789db03e90d7b7bf0980
  SHA1: 4fbf9f44825a1184b24a0d957b20a850f3b07c42
  SHA256: 88a4ed5c8caad58c8eda0d4ed6e36c98ce5b7545529da0cf41ffea4015b71206
  SHA512: c2ce0931eed4925e9b808250aa1335e234470571f4e2c95ffc16af972656fb0c3c8b383327d38ec7d1a5d6290e5c6800715b14c0cb93f8ec2092f8e9c3a26043
- Filesize: 163B
  MD5: 71bdd5f2a82ddb4537898c420327c080
  SHA1: a6a67d3b0b8eb6a23f1da06e264c57ead3f3c579
  SHA256: 9b621f3f99c45ffe166a2389f3285110c4c2a189dd1ce95145778bc97c6464c1
  SHA512: 76f522afdf779e36bf385f4ebf3ff0567f9675d1e3fa7b5648380e0e48dbdc0ffe2005642831e58910c242715aeec85a1b0c7ab43470d145a64913d7fe3711e2
- Filesize: 6.5MB
  MD5: c9aff68f6673fae7580527e8c76805b6
  SHA1: bb62cc1db82cfe07a8c08a36446569dfc9c76d10
  SHA256: 9b2c8b8c4cec301c4303f58ca4e8b261d516f10feb24573b092dfccc263baea4
  SHA512: c7836f46e535046562046fdd8d3264cd712a78c0f41eab152c88ea91b17d34f000e2387ded7e9e7b3410332354aabf8ca7d37729eb68e46ab5ce58936e63ac56
- Filesize: 3.4MB
  MD5: fdad1b564558765657cb835752b47e7c
  SHA1: 3c94e9acc969b66aab45eb8a60a77b27691950b2
  SHA256: 9b9f847720789d72858a6f25447ca0da4a1918cc2c1bc1e2f15ab462bb9c61e5
  SHA512: d04e560bd589b8c2b5f49753fa5d32d55c6978b53320639b65f4ee285154d0a216ff0765260407407e6cc6adc9b1d775c96b6a2dcdd7da1cea8a5fd175afd76e
- Filesize: 52B
  MD5: d94e00dfb41542029aaf53f329f33c7d
  SHA1: 010eac3cd5e1d2312930091c6c804f4c5ad58dde
  SHA256: 82af09d3c68b25a393879906b7197f4dbe30c3dbe1b9b2817eefddea6d96cb03
  SHA512: dec4743ce68538395b4915e8fd3f932a02ee08d82ac899b278ea91c44e747076353a81a48de04ff4e4513d2b7e3764c564240319e4975dd00920f78189582639