4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452

Analysis

max time kernel
141s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
Size

15.7MB
MD5

c7c604664d5b11906b87c0fc59acc434
SHA1

394b3d8cb03da0495d4a10c5b48217aae89ed6f2
SHA256

4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452
SHA512

3cce5bac053cc2215a79376ddd83fa8ee08c54602461376f14a7ebb60d27e285bcab0622c5a26d885f9b900c4603eb7c859c169646297583f8a9a4d5dc8ac41f
SSDEEP

393216:TpQDbvtSyNQadsI9Tq6yI1MAaJJGfNE4iuvYi1S:TUjtSyCaKWqhdQlEOd1S

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 12 IoCs

Processes:

ujysystem.exeujysystem.exewimlib.EXEQiibiosinfo.exeQiibiosinfo.exeQiibiosinfo.exeQiiPECMD.execxdir.execxdir.execxdir.execxdir.exewimlib.EXE

pid	process
2612	ujysystem.exe
2596	ujysystem.exe
756	wimlib.EXE
2128	Qiibiosinfo.exe
556	Qiibiosinfo.exe
1860	Qiibiosinfo.exe
2448	QiiPECMD.exe
2196	cxdir.exe
2228	cxdir.exe
2452	cxdir.exe
2712	cxdir.exe
2824	wimlib.EXE

Loads dropped DLL 20 IoCs

Processes:

cmd.exewimlib.EXE4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exewimlib.EXE

pid	process
2776	cmd.exe
2776	cmd.exe
756	wimlib.EXE
3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
948	cmd.exe
2096	cmd.exe
868	cmd.exe
868	cmd.exe
1564	cmd.exe
1544	cmd.exe
3040	cmd.exe
2896	cmd.exe
2824	wimlib.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Temp\UjyQii\Qiibiosinfo.exe	upx
behavioral1/memory/2128-162-0x000000013F9D0000-0x00000001411A1000-memory.dmp	upx
behavioral1/memory/556-166-0x000000013FF40000-0x0000000141711000-memory.dmp	upx
behavioral1/memory/1860-169-0x000000013FB20000-0x00000001412F1000-memory.dmp	upx

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exeQiiPECMD.exe

description	ioc	process
File opened (read-only)	\??\H:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\R:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\X:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\V:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\W:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\A:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\B:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\K:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\L:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\O:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\U:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\Z:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\G:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\J:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\M:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\Q:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\S:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\Y:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\E:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\I:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\N:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\P:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\T:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\F:	QiiPECMD.exe

Modifies boot configuration data using bcdedit 3 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exe

pid process

2452 bcdedit.exe
2332 bcdedit.exe
2064 bcdedit.exe

pid	process
2452	bcdedit.exe
2332	bcdedit.exe
2064	bcdedit.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

cxdir.execxdir.execxdir.execxdir.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	cxdir.exe
File opened for modification	\??\PhysicalDrive0	cxdir.exe
File opened for modification	\??\PhysicalDrive0	cxdir.exe
File opened for modification	\??\PhysicalDrive0	cxdir.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

ujysystem.exeujysystem.exe

pid process

2612 ujysystem.exe
2596 ujysystem.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

wimlib.EXEQiibiosinfo.exeQiibiosinfo.exeQiibiosinfo.exeQiiPECMD.exewimlib.EXE

description	pid	process
Token: SeBackupPrivilege	756	wimlib.EXE
Token: SeSecurityPrivilege	756	wimlib.EXE
Token: SeRestorePrivilege	756	wimlib.EXE
Token: SeSecurityPrivilege	756	wimlib.EXE
Token: SeTakeOwnershipPrivilege	756	wimlib.EXE
Token: SeManageVolumePrivilege	756	wimlib.EXE
Token: SeSystemEnvironmentPrivilege	2128	Qiibiosinfo.exe
Token: SeSystemEnvironmentPrivilege	556	Qiibiosinfo.exe
Token: SeSystemEnvironmentPrivilege	1860	Qiibiosinfo.exe
Token: SeBackupPrivilege	2448	QiiPECMD.exe
Token: SeRestorePrivilege	2448	QiiPECMD.exe
Token: 33	2448	QiiPECMD.exe
Token: SeIncBasePriorityPrivilege	2448	QiiPECMD.exe
Token: SeBackupPrivilege	2824	wimlib.EXE
Token: SeSecurityPrivilege	2824	wimlib.EXE
Token: SeRestorePrivilege	2824	wimlib.EXE
Token: SeSecurityPrivilege	2824	wimlib.EXE
Token: SeTakeOwnershipPrivilege	2824	wimlib.EXE
Token: SeManageVolumePrivilege	2824	wimlib.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exeujysystem.exeujysystem.exe

pid	process
3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
2612	ujysystem.exe
2612	ujysystem.exe
2596	ujysystem.exe
2596	ujysystem.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.execmd.execmd.exeujysystem.execmd.execmd.exeujysystem.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3068 wrote to memory of 2184	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 2184	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 2184	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 2184	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2184 wrote to memory of 2452	2184	cmd.exe	bcdedit.exe
PID 2184 wrote to memory of 2452	2184	cmd.exe	bcdedit.exe
PID 2184 wrote to memory of 2452	2184	cmd.exe	bcdedit.exe
PID 2184 wrote to memory of 2452	2184	cmd.exe	bcdedit.exe
PID 3068 wrote to memory of 1272	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 1272	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 1272	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 1272	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 1272 wrote to memory of 2612	1272	cmd.exe	ujysystem.exe
PID 1272 wrote to memory of 2612	1272	cmd.exe	ujysystem.exe
PID 1272 wrote to memory of 2612	1272	cmd.exe	ujysystem.exe
PID 1272 wrote to memory of 2612	1272	cmd.exe	ujysystem.exe
PID 2612 wrote to memory of 2040	2612	ujysystem.exe	cmd.exe
PID 2612 wrote to memory of 2040	2612	ujysystem.exe	cmd.exe
PID 2612 wrote to memory of 2040	2612	ujysystem.exe	cmd.exe
PID 2612 wrote to memory of 2040	2612	ujysystem.exe	cmd.exe
PID 2040 wrote to memory of 2332	2040	cmd.exe	bcdedit.exe
PID 2040 wrote to memory of 2332	2040	cmd.exe	bcdedit.exe
PID 2040 wrote to memory of 2332	2040	cmd.exe	bcdedit.exe
PID 2040 wrote to memory of 2332	2040	cmd.exe	bcdedit.exe
PID 3068 wrote to memory of 2540	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 2540	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 2540	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 2540	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2540 wrote to memory of 2596	2540	cmd.exe	ujysystem.exe
PID 2540 wrote to memory of 2596	2540	cmd.exe	ujysystem.exe
PID 2540 wrote to memory of 2596	2540	cmd.exe	ujysystem.exe
PID 2540 wrote to memory of 2596	2540	cmd.exe	ujysystem.exe
PID 2596 wrote to memory of 2992	2596	ujysystem.exe	cmd.exe
PID 2596 wrote to memory of 2992	2596	ujysystem.exe	cmd.exe
PID 2596 wrote to memory of 2992	2596	ujysystem.exe	cmd.exe
PID 2596 wrote to memory of 2992	2596	ujysystem.exe	cmd.exe
PID 2992 wrote to memory of 2064	2992	cmd.exe	bcdedit.exe
PID 2992 wrote to memory of 2064	2992	cmd.exe	bcdedit.exe
PID 2992 wrote to memory of 2064	2992	cmd.exe	bcdedit.exe
PID 2992 wrote to memory of 2064	2992	cmd.exe	bcdedit.exe
PID 3068 wrote to memory of 2776	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 2776	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 2776	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 2776	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2776 wrote to memory of 756	2776	cmd.exe	wimlib.EXE
PID 2776 wrote to memory of 756	2776	cmd.exe	wimlib.EXE
PID 2776 wrote to memory of 756	2776	cmd.exe	wimlib.EXE
PID 2776 wrote to memory of 756	2776	cmd.exe	wimlib.EXE
PID 3068 wrote to memory of 948	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 948	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 948	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 948	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 948 wrote to memory of 2128	948	cmd.exe	Qiibiosinfo.exe
PID 948 wrote to memory of 2128	948	cmd.exe	Qiibiosinfo.exe
PID 948 wrote to memory of 2128	948	cmd.exe	Qiibiosinfo.exe
PID 948 wrote to memory of 2128	948	cmd.exe	Qiibiosinfo.exe
PID 3068 wrote to memory of 840	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 840	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 840	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3068 wrote to memory of 840	3068	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 840 wrote to memory of 556	840	cmd.exe	Qiibiosinfo.exe
PID 840 wrote to memory of 556	840	cmd.exe	Qiibiosinfo.exe
PID 840 wrote to memory of 556	840	cmd.exe	Qiibiosinfo.exe
PID 840 wrote to memory of 556	840	cmd.exe	Qiibiosinfo.exe

C:\Users\Admin\AppData\Local\Temp\4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
"C:\Users\Admin\AppData\Local\Temp\4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Windows\sysnative\bcdedit.exe /enum {current}
2⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\system32\bcdedit.exe
C:\Windows\sysnative\bcdedit.exe /enum {current}
3⤵
- Modifies boot configuration data using bcdedit
PID:2452

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\ujysystem.exe /GetBan
2⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Temp\UjyQii\ujysystem.exe
C:\Temp\UjyQii\\ujysystem.exe /GetBan
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Windows\sysnative\bcdedit.exe /enum {current}
4⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\system32\bcdedit.exe
C:\Windows\sysnative\bcdedit.exe /enum {current}
5⤵
- Modifies boot configuration data using bcdedit
PID:2332

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\ujysystem.exe /GetBan
2⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Temp\UjyQii\ujysystem.exe
C:\Temp\UjyQii\\ujysystem.exe /GetBan
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Windows\sysnative\bcdedit.exe /enum {current}
4⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\system32\bcdedit.exe
C:\Windows\sysnative\bcdedit.exe /enum {current}
5⤵
- Modifies boot configuration data using bcdedit
PID:2064

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\wimlib.EXE apply "C:\Temp\UjyQii\\dism.wim" 1 C:\Temp\UjyQii\dismdcrgc\
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776

C:\Temp\UjyQii\wimlib.EXE
C:\Temp\UjyQii\\wimlib.EXE apply "C:\Temp\UjyQii\\dism.wim" 1 C:\Temp\UjyQii\dismdcrgc\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948

C:\Temp\UjyQii\Qiibiosinfo.exe
C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
2⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Temp\UjyQii\Qiibiosinfo.exe
C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
2⤵
PID:2308

C:\Temp\UjyQii\Qiibiosinfo.exe
C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\QiiPECMD.exe SHOW F:-1
2⤵
- Loads dropped DLL
PID:2096

C:\Temp\UjyQii\QiiPECMD.exe
C:\Temp\UjyQii\\QiiPECMD.exe SHOW F:-1
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Loads dropped DLL
PID:868

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Loads dropped DLL
PID:1564

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Loads dropped DLL
PID:1544

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2452

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Loads dropped DLL
PID:3040

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\wimlib.EXE info "" --extract-xml C:\Temp\UjyQii\\WimlibKQD.xml
2⤵
- Loads dropped DLL
PID:2896

C:\Temp\UjyQii\wimlib.EXE
C:\Temp\UjyQii\\wimlib.EXE info "" --extract-xml C:\Temp\UjyQii\\WimlibKQD.xml
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\UjyQii\QiiImagex.EXE
Filesize
845KB

MD5
dcd13e8935cd5a235d6d3124fc9d8bc2

SHA1
41426a7d1c5932ac6853186e41797f94c043e7dc

SHA256
3d68842a89267810e4fbfa73e57d4a6519ae3269190c066cfab3e7650542465e

SHA512
c06569b6080161d26776cda16aadcb5b8c5038b1809d57bc5c6c016710736368ab4f658c6d7b71fbfafb945b045d69c5f89592b537a048458622e521da1f7c5e

Download Submit
C:\Temp\UjyQii\dism.wim
Filesize
3.1MB

MD5
cd6a67b7fa1958f0b6879009f38c3e3b

SHA1
f92f534dd6c7ba3d9edd7bec292d0a489afbe50c

SHA256
14e348aa7e8dcd4094993102a09e8309ea8f327d57febd73034b19f792cf6090

SHA512
225fc4d92976cc1236db77215a36a3a1977ac396c8146cd54a5984569483d3c96d6f345c07d961b5318d4d1dd85b1a7096cd091b2e5bce3a5cdbb774604109b8

Download Submit
C:\Temp\UjyQii\dismdcrgc\X64\dism.exe
Filesize
329KB

MD5
f350e791f2ed95fb4a6fc50a0ea32b37

SHA1
472a3de24cd10913354798d51082d20fb166b2b1

SHA256
3c63ddb1e3f10ad6aa96ad7e35a080495e32cd748dbdbc0460f3f93beeee6b7f

SHA512
4b50aa71bec1aea7e18bd6b4c930942f513e2e8f55e7de217e5f7e19e0363f8f202dd75c9efb4a9b3f5046a90315a99614595ca13fffc4b3c80f9e2a44f5f51b

Download Submit
C:\Temp\UjyQii\libwim-15.dll
Filesize
775KB

MD5
6be0d3c865f445afc1210a79e1db7ca3

SHA1
99def6bccb1a32cf022ee574d1ef11a67d34c452

SHA256
dd6e34893bdc4719f7d24a7dfb438d4f2caf048a0a2123a840249432d854626f

SHA512
a01bd43e8ba810973a884f534fcd931201423f2facfc2f5c48db9cefff0e680d8020be4bc771b22610937cf88fd2b33070d15e48ba2a07a319436dd78223869b

Download Submit
C:\Temp\UjyQii\ujysystem.exe
Filesize
833KB

MD5
dec5ca26876a565fc8385e18cdf7146f

SHA1
44964b076be3c1f1d3b8f57553791fb7d9cf71dd

SHA256
42a2c19262795cccc5dcb3c5ffd17bb2b07f5da5a8fda14f965deb9419140a2a

SHA512
efe166e3b481a1bac027c386853e7e6ab9e531e981e2bf74b513d1a81c17cafe75c0850211e72beacd3f514961b072e83ba17a886d7700a45e6352a84c50068e

Download Submit
\Temp\UjyQii\QiiPECMD.exe
Filesize
1.3MB

MD5
99007d06809fc6e424490f02657cb1d6

SHA1
7bfb1077c82a08509360fbcf3e65b4799504d332

SHA256
4f31fe97180c161aacfa5b1900ceeec2073a20ebe6b33c0a2ae807cb09441565

SHA512
5beb2bba290aab47fb4cc1a65ea12e8a0efb4965a25f0700db7f6de2cbd175ce6cb40cbe713d5bc551c484e8030da85b946e625200fcae0841000ea9ea153958

Download Submit
\Temp\UjyQii\Qiibiosinfo.exe
Filesize
163KB

MD5
16d6dffcdedb07cc5d904418116f7342

SHA1
2d2a4eae6812509278d0972dcf1d2bee92d4f862

SHA256
9b4f7ffa79f80af1bc81f5996562894f346ff20231af54082d68a75b0c3b9a40

SHA512
f0ffe189894a8468083349c49dd38f8ad543b29cb504f2a048d75b95971c6133ba3a75ed717c83ad26d98fbf238c7681ec2f9a7928840474175497f847c46749

Download Submit
\Temp\UjyQii\cxdir.exe
Filesize
42KB

MD5
2aa80509e9840822a3b6799a356efe90

SHA1
3dc558c97b209c91b7b45f90624f80c05c9094d0

SHA256
301ccb6e3f8a5118d7882963715e215140f0b7528039cab3fcd7ace02a48da0d

SHA512
9d4e5f95ef444424857e55c345d56ac679005a0bdfddf59fb96f078a5913e7be5ba07cd16993878815dc9d2364d909f20d8b7d65b09bd2ec687622f5812c6bc2

Download Submit
\Temp\UjyQii\wimlib.EXE
Filesize
135KB

MD5
b31b05e78bc60474cc511974b8ebd63e

SHA1
48de3c65d7c5544b78322d32aaef8492c889a5f5

SHA256
102e24cb2e77b8354658924be1e9b2597cee215409539dfc2e19f14d3cd2b1a1

SHA512
0f25754551de7168494f78d1e3264a007177591d767662b1dfda80b4156cfedf2e9ea2f437e0b212197e9509b6cde06e2c80f550db42a321347eaf1a973bed32

Download Submit
memory/556-166-0x000000013FF40000-0x0000000141711000-memory.dmp

Filesize
23.8MB

Download
memory/756-140-0x000007FEF69A0000-0x000007FEF6A8A000-memory.dmp

Filesize
936KB

Download
memory/756-139-0x000000013F590000-0x000000013F5BA000-memory.dmp

Filesize
168KB

Download
memory/948-163-0x0000000002460000-0x0000000003C31000-memory.dmp

Filesize
23.8MB

Download
memory/1860-169-0x000000013FB20000-0x00000001412F1000-memory.dmp

Filesize
23.8MB

Download
memory/2128-162-0x000000013F9D0000-0x00000001411A1000-memory.dmp

Filesize
23.8MB

Download
memory/2196-177-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2228-180-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2452-183-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2596-15-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/2596-18-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/2596-13-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/2612-9-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/2612-6-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/2612-4-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/2712-186-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2824-191-0x000007FEF6350000-0x000007FEF643A000-memory.dmp

Filesize
936KB

Download
memory/2824-190-0x000000013F570000-0x000000013F59A000-memory.dmp

Filesize
168KB

Download
memory/3068-0-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/3068-5-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/3068-14-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/3068-192-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/3068-193-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download