4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452

Analysis

max time kernel
142s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
Size

15.7MB
MD5

c7c604664d5b11906b87c0fc59acc434
SHA1

394b3d8cb03da0495d4a10c5b48217aae89ed6f2
SHA256

4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452
SHA512

3cce5bac053cc2215a79376ddd83fa8ee08c54602461376f14a7ebb60d27e285bcab0622c5a26d885f9b900c4603eb7c859c169646297583f8a9a4d5dc8ac41f
SSDEEP

393216:TpQDbvtSyNQadsI9Tq6yI1MAaJJGfNE4iuvYi1S:TUjtSyCaKWqhdQlEOd1S

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 13 IoCs

Processes:

ujysystem.exeujysystem.exewimlib.EXEQiibiosinfo.exeQiibiosinfo.exeQiibiosinfo.exeQiiPECMD.execxdir.execxdir.execxdir.execxdir.exewimlib.EXEwimlib.EXE

pid	process
4428	ujysystem.exe
5092	ujysystem.exe
4612	wimlib.EXE
4856	Qiibiosinfo.exe
4772	Qiibiosinfo.exe
956	Qiibiosinfo.exe
4568	QiiPECMD.exe
5084	cxdir.exe
1380	cxdir.exe
4560	cxdir.exe
3264	cxdir.exe
4940	wimlib.EXE
4116	wimlib.EXE

Loads dropped DLL 3 IoCs

Processes:

wimlib.EXEwimlib.EXEwimlib.EXE

pid process

4612 wimlib.EXE
4940 wimlib.EXE
4116 wimlib.EXE

pid	process
4612	wimlib.EXE
4940	wimlib.EXE
4116	wimlib.EXE

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Temp\UjyQii\Qiibiosinfo.exe	upx
behavioral2/memory/4856-160-0x00007FF6ADD20000-0x00007FF6AF4F1000-memory.dmp	upx
behavioral2/memory/4856-159-0x00007FF6ADD20000-0x00007FF6AF4F1000-memory.dmp	upx
behavioral2/memory/4772-163-0x00007FF6ADD20000-0x00007FF6AF4F1000-memory.dmp	upx
behavioral2/memory/4772-162-0x00007FF6ADD20000-0x00007FF6AF4F1000-memory.dmp	upx
behavioral2/memory/956-165-0x00007FF6ADD20000-0x00007FF6AF4F1000-memory.dmp	upx
behavioral2/memory/4772-191-0x00007FF6ADD20000-0x00007FF6AF4F1000-memory.dmp	upx

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exeQiiPECMD.exe

description	ioc	process
File opened (read-only)	\??\L:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\N:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\T:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\W:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\X:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\Y:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\F:	QiiPECMD.exe
File opened (read-only)	\??\V:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\B:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\E:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\G:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\J:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\O:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\R:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\U:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\I:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\Q:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\S:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\A:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\H:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\K:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\M:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\P:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
File opened (read-only)	\??\Z:	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

cxdir.execxdir.execxdir.execxdir.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	cxdir.exe
File opened for modification	\??\PhysicalDrive0	cxdir.exe
File opened for modification	\??\PhysicalDrive0	cxdir.exe
File opened for modification	\??\PhysicalDrive0	cxdir.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

wimlib.EXEQiibiosinfo.exeQiibiosinfo.exeQiibiosinfo.exeQiiPECMD.exewimlib.EXEwimlib.EXE

description	pid	process
Token: SeBackupPrivilege	4612	wimlib.EXE
Token: SeSecurityPrivilege	4612	wimlib.EXE
Token: SeRestorePrivilege	4612	wimlib.EXE
Token: SeSecurityPrivilege	4612	wimlib.EXE
Token: SeTakeOwnershipPrivilege	4612	wimlib.EXE
Token: SeManageVolumePrivilege	4612	wimlib.EXE
Token: SeSystemEnvironmentPrivilege	4856	Qiibiosinfo.exe
Token: SeSystemEnvironmentPrivilege	4772	Qiibiosinfo.exe
Token: SeSystemEnvironmentPrivilege	956	Qiibiosinfo.exe
Token: SeBackupPrivilege	4568	QiiPECMD.exe
Token: SeRestorePrivilege	4568	QiiPECMD.exe
Token: 33	4568	QiiPECMD.exe
Token: SeIncBasePriorityPrivilege	4568	QiiPECMD.exe
Token: SeBackupPrivilege	4940	wimlib.EXE
Token: SeSecurityPrivilege	4940	wimlib.EXE
Token: SeRestorePrivilege	4940	wimlib.EXE
Token: SeSecurityPrivilege	4940	wimlib.EXE
Token: SeTakeOwnershipPrivilege	4940	wimlib.EXE
Token: SeManageVolumePrivilege	4940	wimlib.EXE
Token: SeBackupPrivilege	4116	wimlib.EXE
Token: SeSecurityPrivilege	4116	wimlib.EXE
Token: SeRestorePrivilege	4116	wimlib.EXE
Token: SeSecurityPrivilege	4116	wimlib.EXE
Token: SeTakeOwnershipPrivilege	4116	wimlib.EXE
Token: SeManageVolumePrivilege	4116	wimlib.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exeujysystem.exeujysystem.exe

pid	process
2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
4428	ujysystem.exe
4428	ujysystem.exe
5092	ujysystem.exe
5092	ujysystem.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2200 wrote to memory of 1084	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 1084	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 1084 wrote to memory of 4428	1084	cmd.exe	ujysystem.exe
PID 1084 wrote to memory of 4428	1084	cmd.exe	ujysystem.exe
PID 1084 wrote to memory of 4428	1084	cmd.exe	ujysystem.exe
PID 2200 wrote to memory of 1708	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 1708	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 1708 wrote to memory of 5092	1708	cmd.exe	ujysystem.exe
PID 1708 wrote to memory of 5092	1708	cmd.exe	ujysystem.exe
PID 1708 wrote to memory of 5092	1708	cmd.exe	ujysystem.exe
PID 2200 wrote to memory of 2388	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 2388	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 2388	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2388 wrote to memory of 4612	2388	cmd.exe	wimlib.EXE
PID 2388 wrote to memory of 4612	2388	cmd.exe	wimlib.EXE
PID 2200 wrote to memory of 2216	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 2216	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 2216	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2216 wrote to memory of 4856	2216	cmd.exe	Qiibiosinfo.exe
PID 2216 wrote to memory of 4856	2216	cmd.exe	Qiibiosinfo.exe
PID 2200 wrote to memory of 5020	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 5020	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 5020	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 5020 wrote to memory of 4772	5020	cmd.exe	Qiibiosinfo.exe
PID 5020 wrote to memory of 4772	5020	cmd.exe	Qiibiosinfo.exe
PID 2200 wrote to memory of 3580	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 3580	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 3580	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3580 wrote to memory of 956	3580	cmd.exe	Qiibiosinfo.exe
PID 3580 wrote to memory of 956	3580	cmd.exe	Qiibiosinfo.exe
PID 2200 wrote to memory of 2620	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 2620	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 2620	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2620 wrote to memory of 4568	2620	cmd.exe	QiiPECMD.exe
PID 2620 wrote to memory of 4568	2620	cmd.exe	QiiPECMD.exe
PID 2200 wrote to memory of 4824	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 4824	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 4824	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 4824 wrote to memory of 5084	4824	cmd.exe	cxdir.exe
PID 4824 wrote to memory of 5084	4824	cmd.exe	cxdir.exe
PID 2200 wrote to memory of 4140	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 4140	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 4140	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 4140 wrote to memory of 1380	4140	cmd.exe	cxdir.exe
PID 4140 wrote to memory of 1380	4140	cmd.exe	cxdir.exe
PID 2200 wrote to memory of 2644	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 2644	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 2644	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2644 wrote to memory of 4560	2644	cmd.exe	cxdir.exe
PID 2644 wrote to memory of 4560	2644	cmd.exe	cxdir.exe
PID 2200 wrote to memory of 3572	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 3572	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 3572	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 3572 wrote to memory of 3264	3572	cmd.exe	cxdir.exe
PID 3572 wrote to memory of 3264	3572	cmd.exe	cxdir.exe
PID 2200 wrote to memory of 4576	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 4576	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 4576	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 4576 wrote to memory of 4940	4576	cmd.exe	wimlib.EXE
PID 4576 wrote to memory of 4940	4576	cmd.exe	wimlib.EXE
PID 2200 wrote to memory of 4120	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 4120	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 2200 wrote to memory of 4120	2200	4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe	cmd.exe
PID 4120 wrote to memory of 4116	4120	cmd.exe	wimlib.EXE

C:\Users\Admin\AppData\Local\Temp\4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe
"C:\Users\Admin\AppData\Local\Temp\4b262578a96de8cc127711056ae5b214493586e128bb2368007f2f416d0de452.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\ujysystem.exe /GetBan
2⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Temp\UjyQii\ujysystem.exe
C:\Temp\UjyQii\\ujysystem.exe /GetBan
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4428

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\ujysystem.exe /GetBan
2⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Temp\UjyQii\ujysystem.exe
C:\Temp\UjyQii\\ujysystem.exe /GetBan
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\wimlib.EXE apply "C:\Temp\UjyQii\\dism.wim" 1 C:\Temp\UjyQii\dismcowak\
2⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Temp\UjyQii\wimlib.EXE
C:\Temp\UjyQii\\wimlib.EXE apply "C:\Temp\UjyQii\\dism.wim" 1 C:\Temp\UjyQii\dismcowak\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
2⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Temp\UjyQii\Qiibiosinfo.exe
C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
2⤵
- Suspicious use of WriteProcessMemory
PID:5020

C:\Temp\UjyQii\Qiibiosinfo.exe
C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
2⤵
- Suspicious use of WriteProcessMemory
PID:3580

C:\Temp\UjyQii\Qiibiosinfo.exe
C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\QiiPECMD.exe SHOW F:-1
2⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Temp\UjyQii\QiiPECMD.exe
C:\Temp\UjyQii\\QiiPECMD.exe SHOW F:-1
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:5084

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Suspicious use of WriteProcessMemory
PID:4140

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1380

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4560

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Suspicious use of WriteProcessMemory
PID:3572

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3264

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\wimlib.EXE info "" --extract-xml C:\Temp\UjyQii\\WimlibKQD.xml
2⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Temp\UjyQii\wimlib.EXE
C:\Temp\UjyQii\\wimlib.EXE info "" --extract-xml C:\Temp\UjyQii\\WimlibKQD.xml
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\wimlib.EXE info "C:\Recovery\WindowsRE\Winre.wim" --header
2⤵
- Suspicious use of WriteProcessMemory
PID:4120

C:\Temp\UjyQii\wimlib.EXE
C:\Temp\UjyQii\\wimlib.EXE info "C:\Recovery\WindowsRE\Winre.wim" --header
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\UjyQii\QiiImagex.EXE
Filesize
845KB

MD5
dcd13e8935cd5a235d6d3124fc9d8bc2

SHA1
41426a7d1c5932ac6853186e41797f94c043e7dc

SHA256
3d68842a89267810e4fbfa73e57d4a6519ae3269190c066cfab3e7650542465e

SHA512
c06569b6080161d26776cda16aadcb5b8c5038b1809d57bc5c6c016710736368ab4f658c6d7b71fbfafb945b045d69c5f89592b537a048458622e521da1f7c5e

Download Submit
C:\Temp\UjyQii\QiiPECMD.exe
Filesize
1.3MB

MD5
99007d06809fc6e424490f02657cb1d6

SHA1
7bfb1077c82a08509360fbcf3e65b4799504d332

SHA256
4f31fe97180c161aacfa5b1900ceeec2073a20ebe6b33c0a2ae807cb09441565

SHA512
5beb2bba290aab47fb4cc1a65ea12e8a0efb4965a25f0700db7f6de2cbd175ce6cb40cbe713d5bc551c484e8030da85b946e625200fcae0841000ea9ea153958

Download Submit
C:\Temp\UjyQii\Qiibiosinfo.exe
Filesize
163KB

MD5
16d6dffcdedb07cc5d904418116f7342

SHA1
2d2a4eae6812509278d0972dcf1d2bee92d4f862

SHA256
9b4f7ffa79f80af1bc81f5996562894f346ff20231af54082d68a75b0c3b9a40

SHA512
f0ffe189894a8468083349c49dd38f8ad543b29cb504f2a048d75b95971c6133ba3a75ed717c83ad26d98fbf238c7681ec2f9a7928840474175497f847c46749

Download Submit
C:\Temp\UjyQii\cxdir.exe
Filesize
42KB

MD5
2aa80509e9840822a3b6799a356efe90

SHA1
3dc558c97b209c91b7b45f90624f80c05c9094d0

SHA256
301ccb6e3f8a5118d7882963715e215140f0b7528039cab3fcd7ace02a48da0d

SHA512
9d4e5f95ef444424857e55c345d56ac679005a0bdfddf59fb96f078a5913e7be5ba07cd16993878815dc9d2364d909f20d8b7d65b09bd2ec687622f5812c6bc2

Download Submit
C:\Temp\UjyQii\dism.wim
Filesize
3.1MB

MD5
cd6a67b7fa1958f0b6879009f38c3e3b

SHA1
f92f534dd6c7ba3d9edd7bec292d0a489afbe50c

SHA256
14e348aa7e8dcd4094993102a09e8309ea8f327d57febd73034b19f792cf6090

SHA512
225fc4d92976cc1236db77215a36a3a1977ac396c8146cd54a5984569483d3c96d6f345c07d961b5318d4d1dd85b1a7096cd091b2e5bce3a5cdbb774604109b8

Download Submit
C:\Temp\UjyQii\dismcowak\X64\dism.exe
Filesize
329KB

MD5
f350e791f2ed95fb4a6fc50a0ea32b37

SHA1
472a3de24cd10913354798d51082d20fb166b2b1

SHA256
3c63ddb1e3f10ad6aa96ad7e35a080495e32cd748dbdbc0460f3f93beeee6b7f

SHA512
4b50aa71bec1aea7e18bd6b4c930942f513e2e8f55e7de217e5f7e19e0363f8f202dd75c9efb4a9b3f5046a90315a99614595ca13fffc4b3c80f9e2a44f5f51b

Download Submit
C:\Temp\UjyQii\libwim-15.dll
Filesize
775KB

MD5
6be0d3c865f445afc1210a79e1db7ca3

SHA1
99def6bccb1a32cf022ee574d1ef11a67d34c452

SHA256
dd6e34893bdc4719f7d24a7dfb438d4f2caf048a0a2123a840249432d854626f

SHA512
a01bd43e8ba810973a884f534fcd931201423f2facfc2f5c48db9cefff0e680d8020be4bc771b22610937cf88fd2b33070d15e48ba2a07a319436dd78223869b

Download Submit
C:\Temp\UjyQii\ujysystem.exe
Filesize
833KB

MD5
dec5ca26876a565fc8385e18cdf7146f

SHA1
44964b076be3c1f1d3b8f57553791fb7d9cf71dd

SHA256
42a2c19262795cccc5dcb3c5ffd17bb2b07f5da5a8fda14f965deb9419140a2a

SHA512
efe166e3b481a1bac027c386853e7e6ab9e531e981e2bf74b513d1a81c17cafe75c0850211e72beacd3f514961b072e83ba17a886d7700a45e6352a84c50068e

Download Submit
C:\Temp\UjyQii\wimlib.EXE
Filesize
135KB

MD5
b31b05e78bc60474cc511974b8ebd63e

SHA1
48de3c65d7c5544b78322d32aaef8492c889a5f5

SHA256
102e24cb2e77b8354658924be1e9b2597cee215409539dfc2e19f14d3cd2b1a1

SHA512
0f25754551de7168494f78d1e3264a007177591d767662b1dfda80b4156cfedf2e9ea2f437e0b212197e9509b6cde06e2c80f550db42a321347eaf1a973bed32

Download Submit
memory/956-165-0x00007FF6ADD20000-0x00007FF6AF4F1000-memory.dmp

Filesize
23.8MB

Download
memory/1380-174-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2200-18-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/2200-8-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/2200-188-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/2200-0-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/2200-183-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/2200-11-0x0000000002E7E000-0x0000000002E7F000-memory.dmp

Filesize
4KB

Download
memory/2200-1-0x0000000002E7E000-0x0000000002E7F000-memory.dmp

Filesize
4KB

Download
memory/3264-178-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4116-187-0x00007FF801660000-0x00007FF80174A000-memory.dmp

Filesize
936KB

Download
memory/4116-186-0x00007FF6AD9B0000-0x00007FF6AD9DA000-memory.dmp

Filesize
168KB

Download
memory/4428-7-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/4428-6-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/4428-13-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/4428-9-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/4560-176-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4612-143-0x00007FF801660000-0x00007FF80174A000-memory.dmp

Filesize
936KB

Download
memory/4612-142-0x00007FF6AD9B0000-0x00007FF6AD9DA000-memory.dmp

Filesize
168KB

Download
memory/4772-191-0x00007FF6ADD20000-0x00007FF6AF4F1000-memory.dmp

Filesize
23.8MB

Download
memory/4772-162-0x00007FF6ADD20000-0x00007FF6AF4F1000-memory.dmp

Filesize
23.8MB

Download
memory/4772-163-0x00007FF6ADD20000-0x00007FF6AF4F1000-memory.dmp

Filesize
23.8MB

Download
memory/4856-159-0x00007FF6ADD20000-0x00007FF6AF4F1000-memory.dmp

Filesize
23.8MB

Download
memory/4856-160-0x00007FF6ADD20000-0x00007FF6AF4F1000-memory.dmp

Filesize
23.8MB

Download
memory/4856-190-0x00007FF6ADD20000-0x00007FF6AF4F1000-memory.dmp

Filesize
23.8MB

Download
memory/4940-182-0x00007FF801660000-0x00007FF80174A000-memory.dmp

Filesize
936KB

Download
memory/4940-181-0x00007FF6AD9B0000-0x00007FF6AD9DA000-memory.dmp

Filesize
168KB

Download
memory/5084-172-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5092-22-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/5092-17-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/5092-19-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download