17f6db60e10ee09d7cc2b51b9147a828ec9990a50c4e1c682d26432dd924f24e

Analysis

max time kernel
1556s
max time network
1563s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EDR-Agent-Personal_1.1.19.15_windows_x64.exe
Size

261.5MB
MD5

fd2e879c19d3b6046d1399e8f1b4aec9
SHA1

794001f1311a378ff3a4e38ad5fbc8dc83c9c4a5
SHA256

17f6db60e10ee09d7cc2b51b9147a828ec9990a50c4e1c682d26432dd924f24e
SHA512

eaf4d0f3513ee4db4756cbe98aaacfb3d877b16e99cc5c97048cd55e7b37681aca4f4fe81761afd11737f164c008eb8e8a06a16bfc8fb4395ce1e6aeecaa592b
SSDEEP

6291456:pZmFDn45ofGEjXDVTrMB/YvdHwjTb/7TPAZmFDn45ok:pZe456Pvm/IdHgTDgZe45X

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 18 IoCs

Processes:

EDR-Agent-Personal_1.1.19.15_windows_x64.exeEDR-Agent-Personal_1.1.19.15_windows_x64.exe

pid	process
1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

EDR-Agent-Personal_1.1.19.15_windows_x64.exeEDR-Agent-Personal_1.1.19.15_windows_x64.exe

description	ioc	process
File opened (read-only)	\??\F:	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
File opened (read-only)	\??\F:	EDR-Agent-Personal_1.1.19.15_windows_x64.exe

Drops file in Program Files directory 1 IoCs

Processes:

EDR-Agent-Personal_1.1.19.15_windows_x64.exe

description ioc process

File opened for modification C:\Program Files\QianKun-EDR-Agent\logs\install.log EDR-Agent-Personal_1.1.19.15_windows_x64.exe
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2284 sc.exe
2468 sc.exe
2704 sc.exe
2324 sc.exe
1016 sc.exe
2784 sc.exe
3008 sc.exe
1876 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files\QianKun-EDR-Agent\logs\install.log	EDR-Agent-Personal_1.1.19.15_windows_x64.exe

pid	process
2284	sc.exe
2468	sc.exe
2704	sc.exe
2324	sc.exe
1016	sc.exe
2784	sc.exe
3008	sc.exe
1876	sc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EDR-Agent-Personal_1.1.19.15_windows_x64.execmd.execmd.execmd.execmd.exeEDR-Agent-Personal_1.1.19.15_windows_x64.execmd.execmd.exe

description	pid	process	target process
PID 1616 wrote to memory of 1368	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 1616 wrote to memory of 1368	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 1616 wrote to memory of 1368	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 1616 wrote to memory of 1368	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 1368 wrote to memory of 2468	1368	cmd.exe	sc.exe
PID 1368 wrote to memory of 2468	1368	cmd.exe	sc.exe
PID 1368 wrote to memory of 2468	1368	cmd.exe	sc.exe
PID 1368 wrote to memory of 2468	1368	cmd.exe	sc.exe
PID 1368 wrote to memory of 2476	1368	cmd.exe	findstr.exe
PID 1368 wrote to memory of 2476	1368	cmd.exe	findstr.exe
PID 1368 wrote to memory of 2476	1368	cmd.exe	findstr.exe
PID 1368 wrote to memory of 2476	1368	cmd.exe	findstr.exe
PID 1616 wrote to memory of 356	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 1616 wrote to memory of 356	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 1616 wrote to memory of 356	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 1616 wrote to memory of 356	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 356 wrote to memory of 2704	356	cmd.exe	sc.exe
PID 356 wrote to memory of 2704	356	cmd.exe	sc.exe
PID 356 wrote to memory of 2704	356	cmd.exe	sc.exe
PID 356 wrote to memory of 2704	356	cmd.exe	sc.exe
PID 1616 wrote to memory of 1288	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 1616 wrote to memory of 1288	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 1616 wrote to memory of 1288	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 1616 wrote to memory of 1288	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 1288 wrote to memory of 2324	1288	cmd.exe	sc.exe
PID 1288 wrote to memory of 2324	1288	cmd.exe	sc.exe
PID 1288 wrote to memory of 2324	1288	cmd.exe	sc.exe
PID 1288 wrote to memory of 2324	1288	cmd.exe	sc.exe
PID 1616 wrote to memory of 752	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 1616 wrote to memory of 752	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 1616 wrote to memory of 752	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 1616 wrote to memory of 752	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 752 wrote to memory of 1016	752	cmd.exe	sc.exe
PID 752 wrote to memory of 1016	752	cmd.exe	sc.exe
PID 752 wrote to memory of 1016	752	cmd.exe	sc.exe
PID 752 wrote to memory of 1016	752	cmd.exe	sc.exe
PID 1616 wrote to memory of 2728	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
PID 1616 wrote to memory of 2728	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
PID 1616 wrote to memory of 2728	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
PID 1616 wrote to memory of 2728	1616	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	EDR-Agent-Personal_1.1.19.15_windows_x64.exe
PID 2728 wrote to memory of 1800	2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 2728 wrote to memory of 1800	2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 2728 wrote to memory of 1800	2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 2728 wrote to memory of 1800	2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 1800 wrote to memory of 2784	1800	cmd.exe	sc.exe
PID 1800 wrote to memory of 2784	1800	cmd.exe	sc.exe
PID 1800 wrote to memory of 2784	1800	cmd.exe	sc.exe
PID 1800 wrote to memory of 2784	1800	cmd.exe	sc.exe
PID 1800 wrote to memory of 376	1800	cmd.exe	findstr.exe
PID 1800 wrote to memory of 376	1800	cmd.exe	findstr.exe
PID 1800 wrote to memory of 376	1800	cmd.exe	findstr.exe
PID 1800 wrote to memory of 376	1800	cmd.exe	findstr.exe
PID 2728 wrote to memory of 916	2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 2728 wrote to memory of 916	2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 2728 wrote to memory of 916	2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 2728 wrote to memory of 916	2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 916 wrote to memory of 3008	916	cmd.exe	sc.exe
PID 916 wrote to memory of 3008	916	cmd.exe	sc.exe
PID 916 wrote to memory of 3008	916	cmd.exe	sc.exe
PID 916 wrote to memory of 3008	916	cmd.exe	sc.exe
PID 2728 wrote to memory of 1676	2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 2728 wrote to memory of 1676	2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 2728 wrote to memory of 1676	2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe
PID 2728 wrote to memory of 1676	2728	EDR-Agent-Personal_1.1.19.15_windows_x64.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\EDR-Agent-Personal_1.1.19.15_windows_x64.exe
"C:\Users\Admin\AppData\Local\Temp\EDR-Agent-Personal_1.1.19.15_windows_x64.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c "sc query EdrDriver | findstr RUNNING"
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\sc.exe
sc query EdrDriver
3⤵
- Launches sc.exe
PID:2468

C:\Windows\SysWOW64\findstr.exe
findstr RUNNING
3⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c "sc query "QianKun EDR DaemonService"
2⤵
- Suspicious use of WriteProcessMemory
PID:356

C:\Windows\SysWOW64\sc.exe
sc query "QianKun EDR DaemonService
3⤵
- Launches sc.exe
PID:2704

C:\Windows\SysWOW64\cmd.exe
cmd /c "sc query "QianKun EDR Service"
2⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\sc.exe
sc query "QianKun EDR Service
3⤵
- Launches sc.exe
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd /c "sc query "QianKun EDR Manager Service"
2⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\sc.exe
sc query "QianKun EDR Manager Service
3⤵
- Launches sc.exe
PID:1016

C:\Users\Admin\AppData\Local\Temp\EDR-Agent-Personal_1.1.19.15_windows_x64.exe
C:\Users\Admin\AppData\Local\Temp\EDR-Agent-Personal_1.1.19.15_windows_x64.exe
2⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\cmd.exe
cmd /c "sc query EdrDriver | findstr RUNNING"
3⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\sc.exe
sc query EdrDriver
4⤵
- Launches sc.exe
PID:2784

C:\Windows\SysWOW64\findstr.exe
findstr RUNNING
4⤵
PID:376

C:\Windows\SysWOW64\cmd.exe
cmd /c "sc query "QianKun EDR DaemonService"
3⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\sc.exe
sc query "QianKun EDR DaemonService
4⤵
- Launches sc.exe
PID:3008

C:\Windows\SysWOW64\cmd.exe
cmd /c "sc query "QianKun EDR Service"
3⤵
PID:1676

C:\Windows\SysWOW64\sc.exe
sc query "QianKun EDR Service
4⤵
- Launches sc.exe
PID:1876

C:\Windows\SysWOW64\cmd.exe
cmd /c "sc query "QianKun EDR Manager Service"
3⤵
PID:2364

C:\Windows\SysWOW64\sc.exe
sc query "QianKun EDR Manager Service
4⤵
- Launches sc.exe
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd2740.tmp\installconfig.ini

Filesize
26KB

MD5
1890d5fdeac6c577511b7eff11218a84

SHA1
45f6ca97daf9300f9ee8c1db4b1f313dab0ac7a2

SHA256
05887a59e229947d1ec12b03aa5e55a28d72dea6f1fa25c081b659274ae3c37a

SHA512
c069304a1cad6b39c0c5b1c4d4d821ea35d24a25ae2a2546d8f72de1d40e1b95f3c4001604917389344842e6c00ef58552d26d0659989d94ef4c5cec64fef092

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6549.tmp\bg.bmp

Filesize
1.1MB

MD5
3ae0ed24603d54a04c831af1e2dd0999

SHA1
de7a4b2f04e09b787559ae77c189e6a4de6c0d86

SHA256
7ac71549a54048a1e114d080bda91e3a17560593ffc3eed3b98329e9a78552c9

SHA512
7fc8307a1cb5a4da5a20e09b9168e6d52685db0218cc37fb27862f497347295bcb3f2043909e4e1cc2a333629507161aa238dec0aec101e60c477f430a36c3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6549.tmp\compatible.json

Filesize
4KB

MD5
70d57a55f602d49d302f6bde0fc15988

SHA1
45618c718b8e4caa9a81dde6509454d0955e4613

SHA256
a91359cf9a920cf0a769657a1918e22431a1b66f3fc874435b937bb9eafbfe79

SHA512
8c9e327687aa774701fc98e905e0477808ce0c5dd971359d2b8ff678d1a1c21c8fb8f84252fa04f63c0a6bd6f3d83813a34ff7eaba9c8727ba0f73521a6c59e0

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2740.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2740.tmp\NsisCompChecker.dll

Filesize
1.2MB

MD5
8d40796410543c046f0b0897624f27be

SHA1
16e2577347058120113d224edf528e1c6e705d2b

SHA256
5b47206ff7dbd2d8d47947d525eb25eb3be55bff7da4f0699c6a920a9b9132a2

SHA512
9d18d89410320d16536d527fd40c128a9b0cf210df90c1a3e3b9a3c0fc38a39e2fd2d7e9dd662ed64837bbbd8b1f5db1e59d162219b2be23b20bee4e12a12910

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2740.tmp\NsisEdrThread.dll

Filesize
28KB

MD5
905502cfb3754b3b5b0f5edc7a1cc87d

SHA1
6b768f895681b05af6a9b6cd8c1137d643379837

SHA256
1e23d8681142ab7e2db6f0f91c874baafcf2dee91b5169df7f1d533025af21b1

SHA512
792234a0fa73b60fb64937abb97bf2aad08a8fd6406f6462eeda6aee6cd9137f78321c8336561b312af93298973e7c15110717512c4a21840ec0e2b8e7369aa0

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2740.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2740.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2740.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit