64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e

Analysis

max time kernel
141s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
Size

15.7MB
MD5

b629f202d6733d02b556ecd88c8516e0
SHA1

0c2bd82f8d86c433ea0c94c9bd0588cdf530952e
SHA256

64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e
SHA512

61d00811787b1a5d2c0402a631058b175fd76a00676136d54d85b38f2f943ccf8986d89bd3fbcd38de38c4451dac01c1634b74bf3173a2fadbfd59438ea02117
SSDEEP

393216:TpQDbvtSyNQadsI9Tq6yI1MAaJJGfNE4iuvYi1c:TUjtSyCaKWqhdQlEOd1c

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 13 IoCs

Processes:

ujysystem.exeujysystem.exewimlib.EXEQiibiosinfo.exeQiibiosinfo.exeQiibiosinfo.exeQiibiosinfo.exeQiiPECMD.execxdir.execxdir.execxdir.execxdir.exewimlib.EXE

pid	process
4100	ujysystem.exe
6056	ujysystem.exe
4572	wimlib.EXE
3176	Qiibiosinfo.exe
5100	Qiibiosinfo.exe
2340	Qiibiosinfo.exe
4728	Qiibiosinfo.exe
6016	QiiPECMD.exe
4636	cxdir.exe
2740	cxdir.exe
5828	cxdir.exe
4128	cxdir.exe
2560	wimlib.EXE

Loads dropped DLL 2 IoCs

Processes:

wimlib.EXEwimlib.EXE

pid process

4572 wimlib.EXE
2560 wimlib.EXE

pid	process
4572	wimlib.EXE
2560	wimlib.EXE

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Temp\UjyQii\Qiibiosinfo.exe	upx
behavioral2/memory/3176-168-0x00007FF6AC070000-0x00007FF6AD841000-memory.dmp	upx
behavioral2/memory/3176-169-0x00007FF6AC070000-0x00007FF6AD841000-memory.dmp	upx
behavioral2/memory/5100-195-0x00007FF6AC070000-0x00007FF6AD841000-memory.dmp	upx
behavioral2/memory/5100-194-0x00007FF6AC070000-0x00007FF6AD841000-memory.dmp	upx
behavioral2/memory/2340-197-0x00007FF6AC070000-0x00007FF6AD841000-memory.dmp	upx
behavioral2/memory/4728-199-0x00007FF6AC070000-0x00007FF6AD841000-memory.dmp	upx

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exeQiiPECMD.exe

description	ioc	process
File opened (read-only)	\??\Y:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\G:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\O:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\P:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\V:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\W:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\F:	QiiPECMD.exe
File opened (read-only)	\??\I:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\N:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\R:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\Z:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\A:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\Q:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\X:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\J:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\K:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\L:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\M:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\S:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\B:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\E:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\H:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\T:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
File opened (read-only)	\??\U:	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

cxdir.execxdir.execxdir.execxdir.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	cxdir.exe
File opened for modification	\??\PhysicalDrive0	cxdir.exe
File opened for modification	\??\PhysicalDrive0	cxdir.exe
File opened for modification	\??\PhysicalDrive0	cxdir.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

wimlib.EXEQiibiosinfo.exeQiibiosinfo.exeQiibiosinfo.exeQiibiosinfo.exeQiiPECMD.exewimlib.EXE

description	pid	process
Token: SeBackupPrivilege	4572	wimlib.EXE
Token: SeSecurityPrivilege	4572	wimlib.EXE
Token: SeRestorePrivilege	4572	wimlib.EXE
Token: SeSecurityPrivilege	4572	wimlib.EXE
Token: SeTakeOwnershipPrivilege	4572	wimlib.EXE
Token: SeManageVolumePrivilege	4572	wimlib.EXE
Token: SeSystemEnvironmentPrivilege	3176	Qiibiosinfo.exe
Token: SeSystemEnvironmentPrivilege	5100	Qiibiosinfo.exe
Token: SeSystemEnvironmentPrivilege	2340	Qiibiosinfo.exe
Token: SeSystemEnvironmentPrivilege	4728	Qiibiosinfo.exe
Token: SeBackupPrivilege	6016	QiiPECMD.exe
Token: SeRestorePrivilege	6016	QiiPECMD.exe
Token: 33	6016	QiiPECMD.exe
Token: SeIncBasePriorityPrivilege	6016	QiiPECMD.exe
Token: SeBackupPrivilege	2560	wimlib.EXE
Token: SeSecurityPrivilege	2560	wimlib.EXE
Token: SeRestorePrivilege	2560	wimlib.EXE
Token: SeSecurityPrivilege	2560	wimlib.EXE
Token: SeTakeOwnershipPrivilege	2560	wimlib.EXE
Token: SeManageVolumePrivilege	2560	wimlib.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exeujysystem.exeujysystem.exe

pid	process
2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
4100	ujysystem.exe
4100	ujysystem.exe
6056	ujysystem.exe
6056	ujysystem.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2720 wrote to memory of 4032	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 4032	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 4032 wrote to memory of 4100	4032	cmd.exe	ujysystem.exe
PID 4032 wrote to memory of 4100	4032	cmd.exe	ujysystem.exe
PID 4032 wrote to memory of 4100	4032	cmd.exe	ujysystem.exe
PID 2720 wrote to memory of 3472	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 3472	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 3472 wrote to memory of 6056	3472	cmd.exe	ujysystem.exe
PID 3472 wrote to memory of 6056	3472	cmd.exe	ujysystem.exe
PID 3472 wrote to memory of 6056	3472	cmd.exe	ujysystem.exe
PID 2720 wrote to memory of 4296	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 4296	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 4296	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 4296 wrote to memory of 4572	4296	cmd.exe	wimlib.EXE
PID 4296 wrote to memory of 4572	4296	cmd.exe	wimlib.EXE
PID 2720 wrote to memory of 5632	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 5632	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 5632	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 5632 wrote to memory of 3176	5632	cmd.exe	Qiibiosinfo.exe
PID 5632 wrote to memory of 3176	5632	cmd.exe	Qiibiosinfo.exe
PID 2720 wrote to memory of 4820	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 4820	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 4820	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 4820 wrote to memory of 5100	4820	cmd.exe	Qiibiosinfo.exe
PID 4820 wrote to memory of 5100	4820	cmd.exe	Qiibiosinfo.exe
PID 2720 wrote to memory of 4480	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 4480	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 4480	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 4480 wrote to memory of 2340	4480	cmd.exe	Qiibiosinfo.exe
PID 4480 wrote to memory of 2340	4480	cmd.exe	Qiibiosinfo.exe
PID 2720 wrote to memory of 2240	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 2240	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 2240	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2240 wrote to memory of 4728	2240	cmd.exe	Qiibiosinfo.exe
PID 2240 wrote to memory of 4728	2240	cmd.exe	Qiibiosinfo.exe
PID 2720 wrote to memory of 1564	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 1564	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 1564	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 1564 wrote to memory of 6016	1564	cmd.exe	QiiPECMD.exe
PID 1564 wrote to memory of 6016	1564	cmd.exe	QiiPECMD.exe
PID 2720 wrote to memory of 5308	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 5308	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 5308	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 5308 wrote to memory of 4636	5308	cmd.exe	cxdir.exe
PID 5308 wrote to memory of 4636	5308	cmd.exe	cxdir.exe
PID 2720 wrote to memory of 2500	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 2500	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 2500	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2500 wrote to memory of 2740	2500	cmd.exe	cxdir.exe
PID 2500 wrote to memory of 2740	2500	cmd.exe	cxdir.exe
PID 2720 wrote to memory of 4700	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 4700	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 4700	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 4700 wrote to memory of 5828	4700	cmd.exe	cxdir.exe
PID 4700 wrote to memory of 5828	4700	cmd.exe	cxdir.exe
PID 2720 wrote to memory of 1380	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 1380	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 1380	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 1380 wrote to memory of 4128	1380	cmd.exe	cxdir.exe
PID 1380 wrote to memory of 4128	1380	cmd.exe	cxdir.exe
PID 2720 wrote to memory of 5352	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 5352	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 2720 wrote to memory of 5352	2720	64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe	cmd.exe
PID 5352 wrote to memory of 2560	5352	cmd.exe	wimlib.EXE

C:\Users\Admin\AppData\Local\Temp\64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe
"C:\Users\Admin\AppData\Local\Temp\64e313ea0bcfa225b77166c3dda1618dbf3747342bac3b1e9b8587c57ba9094e.exe"
1⤵
- Enumerates connected drives
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\ujysystem.exe /GetBan
2⤵
- Suspicious use of WriteProcessMemory
PID:4032

C:\Temp\UjyQii\ujysystem.exe
C:\Temp\UjyQii\\ujysystem.exe /GetBan
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4100

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\ujysystem.exe /GetBan
2⤵
- Suspicious use of WriteProcessMemory
PID:3472

C:\Temp\UjyQii\ujysystem.exe
C:\Temp\UjyQii\\ujysystem.exe /GetBan
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6056

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\wimlib.EXE apply "C:\Temp\UjyQii\\dism.wim" 1 C:\Temp\UjyQii\dismkeukn\
2⤵
- Suspicious use of WriteProcessMemory
PID:4296

C:\Temp\UjyQii\wimlib.EXE
C:\Temp\UjyQii\\wimlib.EXE apply "C:\Temp\UjyQii\\dism.wim" 1 C:\Temp\UjyQii\dismkeukn\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\Qiibiosinfo.exe --smbios
2⤵
- Suspicious use of WriteProcessMemory
PID:5632

C:\Temp\UjyQii\Qiibiosinfo.exe
C:\Temp\UjyQii\\Qiibiosinfo.exe --smbios
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
2⤵
- Suspicious use of WriteProcessMemory
PID:4820

C:\Temp\UjyQii\Qiibiosinfo.exe
C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
2⤵
- Suspicious use of WriteProcessMemory
PID:4480

C:\Temp\UjyQii\Qiibiosinfo.exe
C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
2⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Temp\UjyQii\Qiibiosinfo.exe
C:\Temp\UjyQii\\Qiibiosinfo.exe --sys
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\QiiPECMD.exe SHOW F:-1
2⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Temp\UjyQii\QiiPECMD.exe
C:\Temp\UjyQii\\QiiPECMD.exe SHOW F:-1
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:6016

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Suspicious use of WriteProcessMemory
PID:5308

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4636

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Suspicious use of WriteProcessMemory
PID:2500

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2740

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Suspicious use of WriteProcessMemory
PID:4700

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:5828

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Temp\UjyQii\\cxdir.exe" -mohong
2⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Temp\UjyQii\cxdir.exe
C:\Temp\UjyQii\\cxdir.exe -mohong
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4128

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Temp\UjyQii\\wimlib.EXE info "" --extract-xml C:\Temp\UjyQii\\WimlibKQD.xml
2⤵
- Suspicious use of WriteProcessMemory
PID:5352

C:\Temp\UjyQii\wimlib.EXE
C:\Temp\UjyQii\\wimlib.EXE info "" --extract-xml C:\Temp\UjyQii\\WimlibKQD.xml
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\UjyQii\QiiImagex.EXE

Filesize
845KB

MD5
dcd13e8935cd5a235d6d3124fc9d8bc2

SHA1
41426a7d1c5932ac6853186e41797f94c043e7dc

SHA256
3d68842a89267810e4fbfa73e57d4a6519ae3269190c066cfab3e7650542465e

SHA512
c06569b6080161d26776cda16aadcb5b8c5038b1809d57bc5c6c016710736368ab4f658c6d7b71fbfafb945b045d69c5f89592b537a048458622e521da1f7c5e

Download Submit
C:\Temp\UjyQii\QiiPECMD.exe

Filesize
1.3MB

MD5
99007d06809fc6e424490f02657cb1d6

SHA1
7bfb1077c82a08509360fbcf3e65b4799504d332

SHA256
4f31fe97180c161aacfa5b1900ceeec2073a20ebe6b33c0a2ae807cb09441565

SHA512
5beb2bba290aab47fb4cc1a65ea12e8a0efb4965a25f0700db7f6de2cbd175ce6cb40cbe713d5bc551c484e8030da85b946e625200fcae0841000ea9ea153958

Download Submit
C:\Temp\UjyQii\Qiibiosinfo.exe

Filesize
163KB

MD5
16d6dffcdedb07cc5d904418116f7342

SHA1
2d2a4eae6812509278d0972dcf1d2bee92d4f862

SHA256
9b4f7ffa79f80af1bc81f5996562894f346ff20231af54082d68a75b0c3b9a40

SHA512
f0ffe189894a8468083349c49dd38f8ad543b29cb504f2a048d75b95971c6133ba3a75ed717c83ad26d98fbf238c7681ec2f9a7928840474175497f847c46749

Download Submit
C:\Temp\UjyQii\config.dll

Filesize
1KB

MD5
7251d5ad26ec22e6e531fb5ed5e37faa

SHA1
db5155e2cba60927baf6806813e9a785735b4d5d

SHA256
8b22f82c3fe6d501f87b0616a444ccf13091057c9dcde09ccccfa21b09f0a4f2

SHA512
93922a85b7bb90ab76b5f2d6f006bde995a6c6b91c699ff7d41dd8dca3d4e59187b449651ac28f147b1024d275201c099d62712cf717c0292d61b544d72e2184

Download Submit
C:\Temp\UjyQii\cxdir.exe

Filesize
42KB

MD5
2aa80509e9840822a3b6799a356efe90

SHA1
3dc558c97b209c91b7b45f90624f80c05c9094d0

SHA256
301ccb6e3f8a5118d7882963715e215140f0b7528039cab3fcd7ace02a48da0d

SHA512
9d4e5f95ef444424857e55c345d56ac679005a0bdfddf59fb96f078a5913e7be5ba07cd16993878815dc9d2364d909f20d8b7d65b09bd2ec687622f5812c6bc2

Download Submit
C:\Temp\UjyQii\dism.wim

Filesize
3.1MB

MD5
cd6a67b7fa1958f0b6879009f38c3e3b

SHA1
f92f534dd6c7ba3d9edd7bec292d0a489afbe50c

SHA256
14e348aa7e8dcd4094993102a09e8309ea8f327d57febd73034b19f792cf6090

SHA512
225fc4d92976cc1236db77215a36a3a1977ac396c8146cd54a5984569483d3c96d6f345c07d961b5318d4d1dd85b1a7096cd091b2e5bce3a5cdbb774604109b8

Download Submit
C:\Temp\UjyQii\dismkeukn\X64\dism.exe

Filesize
329KB

MD5
f350e791f2ed95fb4a6fc50a0ea32b37

SHA1
472a3de24cd10913354798d51082d20fb166b2b1

SHA256
3c63ddb1e3f10ad6aa96ad7e35a080495e32cd748dbdbc0460f3f93beeee6b7f

SHA512
4b50aa71bec1aea7e18bd6b4c930942f513e2e8f55e7de217e5f7e19e0363f8f202dd75c9efb4a9b3f5046a90315a99614595ca13fffc4b3c80f9e2a44f5f51b

Download Submit
C:\Temp\UjyQii\libwim-15.dll

Filesize
775KB

MD5
6be0d3c865f445afc1210a79e1db7ca3

SHA1
99def6bccb1a32cf022ee574d1ef11a67d34c452

SHA256
dd6e34893bdc4719f7d24a7dfb438d4f2caf048a0a2123a840249432d854626f

SHA512
a01bd43e8ba810973a884f534fcd931201423f2facfc2f5c48db9cefff0e680d8020be4bc771b22610937cf88fd2b33070d15e48ba2a07a319436dd78223869b

Download Submit
C:\Temp\UjyQii\ujysystem.exe

Filesize
833KB

MD5
dec5ca26876a565fc8385e18cdf7146f

SHA1
44964b076be3c1f1d3b8f57553791fb7d9cf71dd

SHA256
42a2c19262795cccc5dcb3c5ffd17bb2b07f5da5a8fda14f965deb9419140a2a

SHA512
efe166e3b481a1bac027c386853e7e6ab9e531e981e2bf74b513d1a81c17cafe75c0850211e72beacd3f514961b072e83ba17a886d7700a45e6352a84c50068e

Download Submit
C:\Temp\UjyQii\wimlib.EXE

Filesize
135KB

MD5
b31b05e78bc60474cc511974b8ebd63e

SHA1
48de3c65d7c5544b78322d32aaef8492c889a5f5

SHA256
102e24cb2e77b8354658924be1e9b2597cee215409539dfc2e19f14d3cd2b1a1

SHA512
0f25754551de7168494f78d1e3264a007177591d767662b1dfda80b4156cfedf2e9ea2f437e0b212197e9509b6cde06e2c80f550db42a321347eaf1a973bed32

Download Submit
memory/2340-197-0x00007FF6AC070000-0x00007FF6AD841000-memory.dmp

Filesize
23.8MB

Download
memory/2560-218-0x00007FF995B20000-0x00007FF995C0A000-memory.dmp

Filesize
936KB

Download
memory/2560-217-0x00007FF786810000-0x00007FF78683A000-memory.dmp

Filesize
168KB

Download
memory/2720-221-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/2720-0-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/2720-11-0x0000000002E7E000-0x0000000002E7F000-memory.dmp

Filesize
4KB

Download
memory/2720-222-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/2720-18-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/2720-1-0x0000000002E7E000-0x0000000002E7F000-memory.dmp

Filesize
4KB

Download
memory/2720-8-0x0000000000400000-0x0000000002E99000-memory.dmp

Filesize
42.6MB

Download
memory/2740-208-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3176-224-0x00007FF6AC070000-0x00007FF6AD841000-memory.dmp

Filesize
23.8MB

Download
memory/3176-168-0x00007FF6AC070000-0x00007FF6AD841000-memory.dmp

Filesize
23.8MB

Download
memory/3176-169-0x00007FF6AC070000-0x00007FF6AD841000-memory.dmp

Filesize
23.8MB

Download
memory/4100-13-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/4100-9-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/4100-6-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/4100-7-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/4128-212-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4572-142-0x00007FF995B20000-0x00007FF995C0A000-memory.dmp

Filesize
936KB

Download
memory/4572-141-0x00007FF786810000-0x00007FF78683A000-memory.dmp

Filesize
168KB

Download
memory/4636-206-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4728-199-0x00007FF6AC070000-0x00007FF6AD841000-memory.dmp

Filesize
23.8MB

Download
memory/5100-194-0x00007FF6AC070000-0x00007FF6AD841000-memory.dmp

Filesize
23.8MB

Download
memory/5100-195-0x00007FF6AC070000-0x00007FF6AD841000-memory.dmp

Filesize
23.8MB

Download
memory/5828-210-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/6056-21-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/6056-19-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download
memory/6056-17-0x0000000000400000-0x0000000000630000-memory.dmp

Filesize
2.2MB

Download