467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7

Analysis

max time kernel
141s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
Size

15.7MB
MD5

b90a860c6e95b05488323d61f3d0f358
SHA1

eae479271a92092f95d729c64b97750de0dce633
SHA256

467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7
SHA512

9a092a3c018e8bd5469ece0dbf20a8a9bbd1bf000feb2453888e0c25870d0c8f65484a369688ded57fafb9b7a3eb5606416d97deaaa3147f601218132bae8076
SSDEEP

393216:TpQDbvtSyNQadsI9Tq6yI1MAaJJGfNE4iuvYi1L:TUjtSyCaKWqhdQlEOd1L

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 14 IoCs

Processes:

ujysystem.exeujysystem.exewimlib.EXEQiibiosinfo.exeQiibiosinfo.exeQiibiosinfo.exeQiibiosinfo.exeQiiPECMD.execxdir.execxdir.execxdir.execxdir.exewimlib.EXEwimlib.EXE

pid	process
232	ujysystem.exe
1112	ujysystem.exe
2060	wimlib.EXE
1260	Qiibiosinfo.exe
2340	Qiibiosinfo.exe
1816	Qiibiosinfo.exe
3304	Qiibiosinfo.exe
4792	QiiPECMD.exe
3152	cxdir.exe
3364	cxdir.exe
2504	cxdir.exe
2020	cxdir.exe
3412	wimlib.EXE
2152	wimlib.EXE

Loads dropped DLL 3 IoCs

Processes:

wimlib.EXEwimlib.EXEwimlib.EXE

pid process

2060 wimlib.EXE
3412 wimlib.EXE
2152 wimlib.EXE

pid	process
2060	wimlib.EXE
3412	wimlib.EXE
2152	wimlib.EXE

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Temp\UjyQii\Qiibiosinfo.exe	upx
behavioral2/memory/1260-167-0x00007FF67BFD0000-0x00007FF67D7A1000-memory.dmp	upx
behavioral2/memory/1260-192-0x00007FF67BFD0000-0x00007FF67D7A1000-memory.dmp	upx
behavioral2/memory/2340-195-0x00007FF67BFD0000-0x00007FF67D7A1000-memory.dmp	upx
behavioral2/memory/2340-194-0x00007FF67BFD0000-0x00007FF67D7A1000-memory.dmp	upx
behavioral2/memory/1816-197-0x00007FF67BFD0000-0x00007FF67D7A1000-memory.dmp	upx
behavioral2/memory/3304-199-0x00007FF67BFD0000-0x00007FF67D7A1000-memory.dmp	upx

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exeQiiPECMD.exe

description	ioc	process
File opened (read-only)	\??\A:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\B:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\H:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\I:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\L:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\P:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\Q:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\V:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\F:	QiiPECMD.exe
File opened (read-only)	\??\J:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\K:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\M:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\N:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\E:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\G:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\R:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\S:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\T:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\U:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\O:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\W:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\X:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\Y:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
File opened (read-only)	\??\Z:	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

cxdir.execxdir.execxdir.execxdir.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	cxdir.exe
File opened for modification	\??\PhysicalDrive0	cxdir.exe
File opened for modification	\??\PhysicalDrive0	cxdir.exe
File opened for modification	\??\PhysicalDrive0	cxdir.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

wimlib.EXEQiibiosinfo.exeQiibiosinfo.exeQiibiosinfo.exeQiibiosinfo.exeQiiPECMD.exewimlib.EXEwimlib.EXE

description	pid	process
Token: SeBackupPrivilege	2060	wimlib.EXE
Token: SeSecurityPrivilege	2060	wimlib.EXE
Token: SeRestorePrivilege	2060	wimlib.EXE
Token: SeSecurityPrivilege	2060	wimlib.EXE
Token: SeTakeOwnershipPrivilege	2060	wimlib.EXE
Token: SeManageVolumePrivilege	2060	wimlib.EXE
Token: SeSystemEnvironmentPrivilege	1260	Qiibiosinfo.exe
Token: SeSystemEnvironmentPrivilege	2340	Qiibiosinfo.exe
Token: SeSystemEnvironmentPrivilege	1816	Qiibiosinfo.exe
Token: SeSystemEnvironmentPrivilege	3304	Qiibiosinfo.exe
Token: SeBackupPrivilege	4792	QiiPECMD.exe
Token: SeRestorePrivilege	4792	QiiPECMD.exe
Token: 33	4792	QiiPECMD.exe
Token: SeIncBasePriorityPrivilege	4792	QiiPECMD.exe
Token: SeBackupPrivilege	3412	wimlib.EXE
Token: SeSecurityPrivilege	3412	wimlib.EXE
Token: SeRestorePrivilege	3412	wimlib.EXE
Token: SeSecurityPrivilege	3412	wimlib.EXE
Token: SeTakeOwnershipPrivilege	3412	wimlib.EXE
Token: SeManageVolumePrivilege	3412	wimlib.EXE
Token: SeBackupPrivilege	2152	wimlib.EXE
Token: SeSecurityPrivilege	2152	wimlib.EXE
Token: SeRestorePrivilege	2152	wimlib.EXE
Token: SeSecurityPrivilege	2152	wimlib.EXE
Token: SeTakeOwnershipPrivilege	2152	wimlib.EXE
Token: SeManageVolumePrivilege	2152	wimlib.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exeujysystem.exeujysystem.exe

pid	process
4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
232	ujysystem.exe
232	ujysystem.exe
1112	ujysystem.exe
1112	ujysystem.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4400 wrote to memory of 4636	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 4636	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4636 wrote to memory of 232	4636	cmd.exe	ujysystem.exe
PID 4636 wrote to memory of 232	4636	cmd.exe	ujysystem.exe
PID 4636 wrote to memory of 232	4636	cmd.exe	ujysystem.exe
PID 4400 wrote to memory of 4508	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 4508	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4508 wrote to memory of 1112	4508	cmd.exe	ujysystem.exe
PID 4508 wrote to memory of 1112	4508	cmd.exe	ujysystem.exe
PID 4508 wrote to memory of 1112	4508	cmd.exe	ujysystem.exe
PID 4400 wrote to memory of 3732	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 3732	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 3732	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 3732 wrote to memory of 2060	3732	cmd.exe	wimlib.EXE
PID 3732 wrote to memory of 2060	3732	cmd.exe	wimlib.EXE
PID 4400 wrote to memory of 3532	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 3532	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 3532	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 3532 wrote to memory of 1260	3532	cmd.exe	Qiibiosinfo.exe
PID 3532 wrote to memory of 1260	3532	cmd.exe	Qiibiosinfo.exe
PID 4400 wrote to memory of 1268	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 1268	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 1268	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 1268 wrote to memory of 2340	1268	cmd.exe	Qiibiosinfo.exe
PID 1268 wrote to memory of 2340	1268	cmd.exe	Qiibiosinfo.exe
PID 4400 wrote to memory of 4728	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 4728	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 4728	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4728 wrote to memory of 1816	4728	cmd.exe	Qiibiosinfo.exe
PID 4728 wrote to memory of 1816	4728	cmd.exe	Qiibiosinfo.exe
PID 4400 wrote to memory of 3508	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 3508	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 3508	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 3508 wrote to memory of 3304	3508	cmd.exe	Qiibiosinfo.exe
PID 3508 wrote to memory of 3304	3508	cmd.exe	Qiibiosinfo.exe
PID 4400 wrote to memory of 392	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 392	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 392	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 392 wrote to memory of 4792	392	cmd.exe	QiiPECMD.exe
PID 392 wrote to memory of 4792	392	cmd.exe	QiiPECMD.exe
PID 4400 wrote to memory of 4632	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 4632	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 4632	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4632 wrote to memory of 3152	4632	cmd.exe	cxdir.exe
PID 4632 wrote to memory of 3152	4632	cmd.exe	cxdir.exe
PID 4400 wrote to memory of 4592	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 4592	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 4592	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4592 wrote to memory of 3364	4592	cmd.exe	cxdir.exe
PID 4592 wrote to memory of 3364	4592	cmd.exe	cxdir.exe
PID 4400 wrote to memory of 544	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 544	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 544	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 544 wrote to memory of 2504	544	cmd.exe	cxdir.exe
PID 544 wrote to memory of 2504	544	cmd.exe	cxdir.exe
PID 4400 wrote to memory of 4244	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 4244	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 4244	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4244 wrote to memory of 2020	4244	cmd.exe	cxdir.exe
PID 4244 wrote to memory of 2020	4244	cmd.exe	cxdir.exe
PID 4400 wrote to memory of 1136	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 1136	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 4400 wrote to memory of 1136	4400	467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe	cmd.exe
PID 1136 wrote to memory of 3412	1136	cmd.exe	wimlib.EXE

C:\Users\Admin\AppData\Local\Temp\467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe
"C:\Users\Admin\AppData\Local\Temp\467c508449c97b398a813a55094597b03daec52196f5cc40cbf9d1a0873f97e7.exe"
1⤵
- Enumerates connected drives
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\ujysystem.exe /GetBan
2⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Temp\UjyQii\ujysystem.exe
C:\Temp\UjyQii\\ujysystem.exe /GetBan
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:232

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\ujysystem.exe /GetBan
2⤵
- Suspicious use of WriteProcessMemory
PID:4508

C:\Temp\UjyQii\ujysystem.exe
C:\Temp\UjyQii\\ujysystem.exe /GetBan
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1112

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\wimlib.EXE apply "C:\Temp\UjyQii\\dism.wim" 1 C:\Temp\UjyQii\dismyzvkn\
2⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Temp\UjyQii\wimlib.EXE
C:\Temp\UjyQii\\wimlib.EXE apply "C:\Temp\UjyQii\\dism.wim" 1 C:\Temp\UjyQii\dismyzvkn\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\Qiibiosinfo.exe --smbios
2⤵
- Suspicious use of WriteProcessMemory
PID:3532

C:\Temp\UjyQii\Qiibiosinfo.exe
C:\Temp\UjyQii\\Qiibiosinfo.exe --smbios
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
2⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Temp\UjyQii\Qiibiosinfo.exe
C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
2⤵
- Suspicious use of WriteProcessMemory
PID:4728

C:\Temp\UjyQii\Qiibiosinfo.exe
C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
2⤵
- Suspicious use of WriteProcessMemory
PID:3508

C:\Temp\UjyQii\Qiibiosinfo.exe
C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\QiiPECMD.exe SHOW F:-1
2⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Temp\UjyQii\QiiPECMD.exe
C:\Temp\UjyQii\\QiiPECMD.exe SHOW F:-1
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Suspicious use of WriteProcessMemory
PID:4632

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3152

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Suspicious use of WriteProcessMemory
PID:4592

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3364

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Suspicious use of WriteProcessMemory
PID:4244

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\wimlib.EXE info "" --extract-xml C:\Temp\UjyQii\\WimlibKQD.xml
2⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Temp\UjyQii\wimlib.EXE
C:\Temp\UjyQii\\wimlib.EXE info "" --extract-xml C:\Temp\UjyQii\\WimlibKQD.xml
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\wimlib.EXE info "C:\Recovery\WindowsRE\Winre.wim" --header
2⤵
PID:3028

C:\Temp\UjyQii\wimlib.EXE
C:\Temp\UjyQii\\wimlib.EXE info "C:\Recovery\WindowsRE\Winre.wim" --header
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\UjyQii\OSDownload.cfg
Filesize
360B

MD5
8fa75ff72aa2c13fbe1bf9c6066f4aee

SHA1
8b9a88db59cf27d95e503040ea6fd8dd0c351b20

SHA256
2260dd03a2f589e6cf02c9a243ddd1520c1d5bbab9a20e78fc75518b7c29fe36

SHA512
907b4fc6ce20bd22a6b444c2077ded4fd975dc23415ad64583cd0dad43a4dbfe26b101941d72bac456de93cc0c476c112c88c780cd70e55529a207908bac0820

Download Submit
C:\Temp\UjyQii\QiiImagex.EXE
Filesize
845KB

MD5
dcd13e8935cd5a235d6d3124fc9d8bc2

SHA1
41426a7d1c5932ac6853186e41797f94c043e7dc

SHA256
3d68842a89267810e4fbfa73e57d4a6519ae3269190c066cfab3e7650542465e

SHA512
c06569b6080161d26776cda16aadcb5b8c5038b1809d57bc5c6c016710736368ab4f658c6d7b71fbfafb945b045d69c5f89592b537a048458622e521da1f7c5e

Download Submit
C:\Temp\UjyQii\QiiPECMD.exe
Filesize
1.3MB

MD5
99007d06809fc6e424490f02657cb1d6

SHA1
7bfb1077c82a08509360fbcf3e65b4799504d332

SHA256
4f31fe97180c161aacfa5b1900ceeec2073a20ebe6b33c0a2ae807cb09441565

SHA512
5beb2bba290aab47fb4cc1a65ea12e8a0efb4965a25f0700db7f6de2cbd175ce6cb40cbe713d5bc551c484e8030da85b946e625200fcae0841000ea9ea153958

Download Submit
C:\Temp\UjyQii\Qiibiosinfo.exe
Filesize
163KB

MD5
16d6dffcdedb07cc5d904418116f7342

SHA1
2d2a4eae6812509278d0972dcf1d2bee92d4f862

SHA256
9b4f7ffa79f80af1bc81f5996562894f346ff20231af54082d68a75b0c3b9a40

SHA512
f0ffe189894a8468083349c49dd38f8ad543b29cb504f2a048d75b95971c6133ba3a75ed717c83ad26d98fbf238c7681ec2f9a7928840474175497f847c46749

Download Submit
C:\Temp\UjyQii\config.dll
Filesize
1KB

MD5
c05e627e2ceb10d27c8ea7e34d31dfa8

SHA1
1c5b963b58d46733c19be4316daed7f9ac81f4d3

SHA256
01c16a9cf4a4ae898303da84779ca7ef7277301020f8c51fcc3f23396463d3b5

SHA512
3d307a70a913dead3e599a4014d8994b4c05c63999d6bd76f51474b9d6adbff20883cff1c053ade3b50a91c45598e28931ce1d3dfe61efa43063895abc6edf52

Download Submit
C:\Temp\UjyQii\cxdir.exe
Filesize
42KB

MD5
2aa80509e9840822a3b6799a356efe90

SHA1
3dc558c97b209c91b7b45f90624f80c05c9094d0

SHA256
301ccb6e3f8a5118d7882963715e215140f0b7528039cab3fcd7ace02a48da0d

SHA512
9d4e5f95ef444424857e55c345d56ac679005a0bdfddf59fb96f078a5913e7be5ba07cd16993878815dc9d2364d909f20d8b7d65b09bd2ec687622f5812c6bc2

Download Submit
C:\Temp\UjyQii\dism.wim
Filesize
3.1MB

MD5
cd6a67b7fa1958f0b6879009f38c3e3b

SHA1
f92f534dd6c7ba3d9edd7bec292d0a489afbe50c

SHA256
14e348aa7e8dcd4094993102a09e8309ea8f327d57febd73034b19f792cf6090

SHA512
225fc4d92976cc1236db77215a36a3a1977ac396c8146cd54a5984569483d3c96d6f345c07d961b5318d4d1dd85b1a7096cd091b2e5bce3a5cdbb774604109b8

Download Submit
C:\Temp\UjyQii\dismyzvkn\X64\dism.exe
Filesize
329KB

MD5
f350e791f2ed95fb4a6fc50a0ea32b37

SHA1
472a3de24cd10913354798d51082d20fb166b2b1

SHA256
3c63ddb1e3f10ad6aa96ad7e35a080495e32cd748dbdbc0460f3f93beeee6b7f

SHA512
4b50aa71bec1aea7e18bd6b4c930942f513e2e8f55e7de217e5f7e19e0363f8f202dd75c9efb4a9b3f5046a90315a99614595ca13fffc4b3c80f9e2a44f5f51b

Download Submit
C:\Temp\UjyQii\libwim-15.dll
Filesize
775KB

MD5
6be0d3c865f445afc1210a79e1db7ca3

SHA1
99def6bccb1a32cf022ee574d1ef11a67d34c452

SHA256
dd6e34893bdc4719f7d24a7dfb438d4f2caf048a0a2123a840249432d854626f

SHA512
a01bd43e8ba810973a884f534fcd931201423f2facfc2f5c48db9cefff0e680d8020be4bc771b22610937cf88fd2b33070d15e48ba2a07a319436dd78223869b

Download Submit
C:\Temp\UjyQii\ujysystem.exe
Filesize
833KB

MD5
dec5ca26876a565fc8385e18cdf7146f

SHA1
44964b076be3c1f1d3b8f57553791fb7d9cf71dd

SHA256
42a2c19262795cccc5dcb3c5ffd17bb2b07f5da5a8fda14f965deb9419140a2a

SHA512
efe166e3b481a1bac027c386853e7e6ab9e531e981e2bf74b513d1a81c17cafe75c0850211e72beacd3f514961b072e83ba17a886d7700a45e6352a84c50068e

Download Submit
C:\Temp\UjyQii\wimlib.EXE
Filesize
135KB

MD5
b31b05e78bc60474cc511974b8ebd63e

SHA1
48de3c65d7c5544b78322d32aaef8492c889a5f5

SHA256
102e24cb2e77b8354658924be1e9b2597cee215409539dfc2e19f14d3cd2b1a1

SHA512
0f25754551de7168494f78d1e3264a007177591d767662b1dfda80b4156cfedf2e9ea2f437e0b212197e9509b6cde06e2c80f550db42a321347eaf1a973bed32

Download Submit
memory/232-6-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/232-9-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/232-11-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/232-7-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/1112-16-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/1112-21-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/1112-20-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/1112-18-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/1260-192-0x00007FF67BFD0000-0x00007FF67D7A1000-memory.dmp

Filesize
23.8MB

Download
memory/1260-227-0x00007FF67BFD0000-0x00007FF67D7A1000-memory.dmp

Filesize
23.8MB

Download
memory/1260-167-0x00007FF67BFD0000-0x00007FF67D7A1000-memory.dmp

Filesize
23.8MB

Download
memory/1816-197-0x00007FF67BFD0000-0x00007FF67D7A1000-memory.dmp

Filesize
23.8MB

Download
memory/2020-212-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2060-141-0x00007FF76B0F0000-0x00007FF76B11A000-memory.dmp

Filesize
168KB

Download
memory/2060-142-0x00007FF868E10000-0x00007FF868EFA000-memory.dmp

Filesize
936KB

Download
memory/2152-224-0x00007FF868E10000-0x00007FF868EFA000-memory.dmp

Filesize
936KB

Download
memory/2152-223-0x00007FF76B0F0000-0x00007FF76B11A000-memory.dmp

Filesize
168KB

Download
memory/2340-195-0x00007FF67BFD0000-0x00007FF67D7A1000-memory.dmp

Filesize
23.8MB

Download
memory/2340-194-0x00007FF67BFD0000-0x00007FF67D7A1000-memory.dmp

Filesize
23.8MB

Download
memory/2504-210-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3152-206-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3304-199-0x00007FF67BFD0000-0x00007FF67D7A1000-memory.dmp

Filesize
23.8MB

Download
memory/3364-208-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3412-217-0x00007FF76B0F0000-0x00007FF76B11A000-memory.dmp

Filesize
168KB

Download
memory/3412-218-0x00007FF868E10000-0x00007FF868EFA000-memory.dmp

Filesize
936KB

Download
memory/4400-0-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/4400-1-0x0000000002E7E000-0x0000000002E7F000-memory.dmp

Filesize
4KB

Download
memory/4400-15-0x0000000002E7E000-0x0000000002E7F000-memory.dmp

Filesize
4KB

Download
memory/4400-8-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/4400-225-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/4400-226-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/4400-17-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download