f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
Size

11.9MB
MD5

5202f3062e669e9d6c0a2d304cc8fb04
SHA1

6a3007148ceb70ddae83111d28c40d9afe76e432
SHA256

f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411
SHA512

4e77e66a9337422c946078a5aaaba8ebe683bf9454846014cb9ae8baa457b4e4fe114ef670d991bbaf2d73a8c26e361ee7dc7a7b96e0b01735213cdf6aff762c
SSDEEP

196608:w8PikyOCON0CzbZ83B52q1NGHMBMCAmzDxHvlYdCIetOl27wEMShsx:XPiQXbZ8Z1NGNCfzDxD50ojfhsx

Score

9^/10

evasion upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Runner.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Runner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Runner.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe

Executes dropped EXE 2 IoCs

pid	Process
3320	Runner.exe
4368	binding.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine	Runner.exe

Loads dropped DLL 7 IoCs

pid	Process
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3320-147-0x0000000008DF0000-0x0000000009114000-memory.dmp	upx
behavioral2/files/0x0005000000022e34-146.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Ver = "eb066ede"	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F98BE8A-44E4-4A1B-9E8F-E58558A82980}\Version	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD281B12-9200-491F-B726-7DF20DEEE228}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F98BE8A-44E4-4A1B-9E8F-E58558A82980}\ProgID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD281B12-9200-491F-B726-7DF20DEEE228}\1.0\0\win32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC8C2B8F-3797-442E-AE16-FF888A9D3252}\TypeLib	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F98BE8A-44E4-4A1B-9E8F-E58558A82980}\Control\	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD281B12-9200-491F-B726-7DF20DEEE228}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\MyMacro\\plugin"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.Sys\CLSID\ = "{33414471-126E-4FC8-B430-1C6143484AA9}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD281B12-9200-491F-B726-7DF20DEEE228}\1.0\HELPDIR	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\plfl_soft	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.Sys\ = "QMPlugin.Sys"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F98BE8A-44E4-4A1B-9E8F-E58558A82980}\TypeLib\ = "{BD281B12-9200-491F-B726-7DF20DEEE228}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD281B12-9200-491F-B726-7DF20DEEE228}\1.0\0	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}\ = "QMPlugin.Sys"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F98BE8A-44E4-4A1B-9E8F-E58558A82980}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\MyMacro\\plugin\\PLFL_SOFT.dll"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F98BE8A-44E4-4A1B-9E8F-E58558A82980}\TypeLib	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.Sys	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.Sys\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC8C2B8F-3797-442E-AE16-FF888A9D3252}\TypeLib\ = "{BD281B12-9200-491F-B726-7DF20DEEE228}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\plfl_soft\CLSID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F98BE8A-44E4-4A1B-9E8F-E58558A82980}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F98BE8A-44E4-4A1B-9E8F-E58558A82980}\ProgID\ = "plfl_soft"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC8C2B8F-3797-442E-AE16-FF888A9D3252}\ = "Æ®ÁãÍøÂçÑéÖ¤ÏµÍ³Æì½¢COM½Ó¿Ú"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}\ProgID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC8C2B8F-3797-442E-AE16-FF888A9D3252}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\plfl_soft\CLSID\ = "{0F98BE8A-44E4-4A1B-9E8F-E58558A82980}"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD281B12-9200-491F-B726-7DF20DEEE228}\1.0\FLAGS\ = "0"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F98BE8A-44E4-4A1B-9E8F-E58558A82980}\Version\ = "1.0"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD281B12-9200-491F-B726-7DF20DEEE228}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\MyMacro\\plugin\\PLFL_SOFT.dll"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}\InProcServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F98BE8A-44E4-4A1B-9E8F-E58558A82980}\Control	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F98BE8A-44E4-4A1B-9E8F-E58558A82980}\InprocServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F98BE8A-44E4-4A1B-9E8F-E58558A82980}\InprocServer32\ThreadingModel = "Apartment"	Runner.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2264	PING.EXE
3212	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3320	Runner.exe
3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
4368	binding.exe
4368	binding.exe
4368	binding.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 2264	3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe	84
PID 3236 wrote to memory of 2264	3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe	84
PID 3236 wrote to memory of 2264	3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe	84
PID 3236 wrote to memory of 3320	3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe	86
PID 3236 wrote to memory of 3320	3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe	86
PID 3236 wrote to memory of 3320	3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe	86
PID 3236 wrote to memory of 3212	3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe	89
PID 3236 wrote to memory of 3212	3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe	89
PID 3236 wrote to memory of 3212	3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe	89
PID 3236 wrote to memory of 4368	3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe	97
PID 3236 wrote to memory of 4368	3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe	97
PID 3236 wrote to memory of 4368	3236	f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe	97

C:\Users\Admin\AppData\Local\Temp\f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe
"C:\Users\Admin\AppData\Local\Temp\f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
  2⤵
  - Runs ping.exe
  PID:2264
- C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe
  --host_id 3 --verify_key dl9T_w7sKSm_ --product "C:\Users\Admin\AppData\Local\Temp\f11770d8e1fb6ab7f510bf64fcfa444deb666b4205db6cbdc2536ea451549411.exe" --runner_md5 Rjg4N0Q0MjY2MkI0RUM3RTU3N0VBOTI0RUVDOEM3ODcA --version 2014.06.19549
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3320
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" www.baidu.com -n 2
  2⤵
  - Runs ping.exe
  PID:3212
- C:\Users\Admin\AppData\Roaming\MyMacro\binding.exe
  C:\Users\Admin\AppData\Roaming\MyMacro\binding.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\boost_interprocess_qm\q7FRFXFvIC6L

Filesize
234KB

MD5
2e073d246a6eb0fc735b98ba6b591e07

SHA1
7dd844ec596da92a164ae32b19d4687f057504a4

SHA256
7913dd83807c12e985020dd2fd6f2c4fb79004d60ae567fdf82dd21910f625ca

SHA512
d8e88ded66eb89ebc8efd64893372c200f315685cc7a3f05322786e5e7a0f5bf0df6ee0dcd71047c68d227f3dabb54674980812b2492de8f99d5ab20d85f60c2

Download Submit
C:\ProgramData\boost_interprocess_qm\yz_Z1IRGbsW

Filesize
258B

MD5
6f18917523645b6940cf172ac502e12f

SHA1
d3d21521c4291a323579cf59723a979ea321010a

SHA256
8cc6a8555707b673c3412573a7f11a73b5d504f3e43b5e1dd8a845024d881e01

SHA512
c73c2725c3a18e81d2fbfbc1ced377dfcfacbf8daf7a53c75d354cc00609f0c8d5dcf4ab9eb242260067d2a2fe27009f72dc4f3f07bc483ec8962b24cfdf0c04

Download Submit
C:\ProgramData\boost_interprocess_qm\yz_Z1IRGbsWu

Filesize
256KB

MD5
0ff11bc67236374cd9fad53c7eb51ce9

SHA1
3568d8e4c95151b77d1b5f878e5dfcced9585a60

SHA256
3922573ca3ad718c055fee5dcabe2cadeaf5ba5fda43766549c6cfde305797b6

SHA512
dcecff49d298972c314ef814a6d7eff6a90c494d4646fb6851c3b0df45e4ca10b299f9a03716de369cfb16e54b1263464d640ed7efc919c727cdb185695b13b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMLog\20240606.log

Filesize
324B

MD5
e54fddf1fc18a0907fd6feb2a5b2e5b0

SHA1
04dfd00718874a40d4eca683c503ef4e242ad25d

SHA256
65a383d1cdd784dde4120bbb0e122e111cc8a53259256581ef48e71f4c843096

SHA512
6c41c76d57c692727a7019d4e2398114d796a4b26352c6952a754759283e347de9be65b10ec6732f60546d86b3185d46afdc7d8f74a207b819b01bb3cd7557ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\mac33A3.tmp

Filesize
1KB

MD5
fc7d1e405b66794c580b0f391bb8125e

SHA1
b437e41f32ec50129feb3f2dc235e10b3fe0e9bd

SHA256
ceb9084a8dc514c2aad380c7f2734fe7cdcc76fa47ed6d2fa09334a3b988d7da

SHA512
5c6f74bcfda0cd000b7836499cd5180cb9bbcfec2127b2576d629bd329992113d04abe42e2dd9ca5617f2574224411ff68b8105606e283350ab63704ee16b3a7

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe

Filesize
5.6MB

MD5
47c89e2388113138930336f56bfebe96

SHA1
e2db389150cacc918fc82c9572369263a169194c

SHA256
58decc31a05cd101079b26b7837af07fde1f78bccfc100d381547c59d8432cb4

SHA512
e45f1542e725b745859e103745112ab2212917ecabff3d3d0f670d9a6c683b2cbe1a2eaa87b3b831f30f47de66062aad496ac4ee0d62157cdf1add44cfcf5930

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe

Filesize
5.9MB

MD5
7799c0c2f5038f0886e1f7829a3ef603

SHA1
1fc27e221f30efa13bf45b386734e2388a4f2752

SHA256
f6822d9e9df8d1d8ecb8092ea713ab9bec54b16173b64cad39f1d9c61f42e5d4

SHA512
aaa408d27d3c53858bd5dea5ea4c10c5e03cbeded542398fb5bf4b7b51cf28a2fb4de25541ff403123bf80b59bd8a4cefab48e5b3197b78d2b3bbbcc2fb2f33c

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe

Filesize
6.9MB

MD5
a0eaf6b7366dae7dad2d495a306e76b0

SHA1
e26285840525a7327b45e2a8bc8cda8b6ee59362

SHA256
005bc5a69f774c5a5ef26499cf30702d7bf4916199e54799fd13239a22264e39

SHA512
550a1d05d414b0ce4312498244d2ebf2f4cdc0cce327772ea9a88523bf49d8885e850a4791299fcc867b01566ab70e8cb8f7dc77bd0e5e67750a76fb9570f708

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\binding.exe

Filesize
1.7MB

MD5
6abd36f782e36bcf9e90a3230d6ca97f

SHA1
3c3d5760a8db6c66f4c5b8c31cbf2613a8a7d6b9

SHA256
13652dae4ec58de8a20da51c7455f34144554b91d25ac1c72bec9cbe361ca752

SHA512
05463e3c0028e8e39787465e4529ad22c9c64c2a29701c4673f983b50852573aa3c197c2307fdf58d9ab514cca06f058cc17a8b53d28e76957792be7ac1acce6

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\cfgdll.dll

Filesize
64KB

MD5
e54b7e3ba6c2fd0d79f90e6ba3c019de

SHA1
bce9232085090de1b24f017730b7eaf4e7bff68c

SHA256
a553d8637dbe0645743eb5f76adf40678cf2fa1e01754f70191e729b7625949c

SHA512
fe7777147afea2e90cffa6ba44d7bd81ef036cd3dd6f771a1929811039b7ca4054be598bd5b4df704b5724bb654b1135d53cc617355ff2d3d70708560f549b75

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\plugin\PLFL_SOFT.DLL

Filesize
3.1MB

MD5
9694cb42f9acae15be0a7013974778dd

SHA1
bf50ae711031af55cea8b35000f1439667b1e4ca

SHA256
64cdf7d82be2f0759a7c90d42c796719be4e3f5f785eeec439a3edde6a70ad9a

SHA512
66046dd82f1fcfdfdd336e362753a8db2172bfcee92702824effc1fadcf0005bdd134271c33e55536fbf50449864428de56f93534994c953965cb232881da1ec

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\plugin\SYS.DLL

Filesize
32KB

MD5
9e540d9b62d97b7ec9761ab519db6a5c

SHA1
edbd32c2cd7632b0f8e9353d1c6ec3e60c29e370

SHA256
cf341c3dc61b3c289b6fbe4b08a5e2c40c8571437f55575453f1f19f120c605e

SHA512
a8e21eefa172a6ddfb112fef73aaa46a65d2dc85413dffaa43e9bc6791115d2ac630b6772ed8a5655617a21e5f58c72efe89ebefdc7b5d18faaff5493c032a5b

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\plugin\SYS.ini

Filesize
1KB

MD5
09c6b26d1e0ff380321f586473d81098

SHA1
261ba0c9c3ddf3c9e8715ead3628212d2859bcba

SHA256
bc8eaa229e13a93be3bef498443182eb5d97551fbc5fcb1208d014b56161588f

SHA512
7700e2ab0c38f7b1a3190843f603b572f7952e4a3567855fbaf2f1085f7e5b4fcdaa97e9195a43299594a5c3b31d15232cb66d9c59a4231cc83487663ded832c

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\qdisp.dll

Filesize
317KB

MD5
0c6fe138b1ea6a26dead585b6128bdab

SHA1
20d3f819698b12f36fd1f3e63bcd5621b574fd47

SHA256
372085c07df86bbd6b7588f1859b7fab8440a3ccedf643067779b6b9c6a67d93

SHA512
7d494cbaac76bfb8160088adf9fb6f3313ee56d3bb0db9e5c330c185246818d9ef67e45ee5877842572a50145810fe0748eaeb56c2359859dc8f30b80880b0d8

Download Submit
memory/3236-193-0x0000000000B10000-0x0000000001258000-memory.dmp

Filesize
7.3MB

Download
memory/3236-210-0x0000000000B10000-0x0000000001258000-memory.dmp

Filesize
7.3MB

Download
memory/3236-218-0x0000000000B10000-0x0000000001258000-memory.dmp

Filesize
7.3MB

Download
memory/3236-216-0x0000000000B10000-0x0000000001258000-memory.dmp

Filesize
7.3MB

Download
memory/3236-185-0x0000000000B10000-0x0000000001258000-memory.dmp

Filesize
7.3MB

Download
memory/3236-214-0x0000000000B10000-0x0000000001258000-memory.dmp

Filesize
7.3MB

Download
memory/3236-189-0x0000000000B10000-0x0000000001258000-memory.dmp

Filesize
7.3MB

Download
memory/3236-190-0x0000000000B10000-0x0000000001258000-memory.dmp

Filesize
7.3MB

Download
memory/3236-212-0x0000000000B10000-0x0000000001258000-memory.dmp

Filesize
7.3MB

Download
memory/3236-208-0x0000000000B10000-0x0000000001258000-memory.dmp

Filesize
7.3MB

Download
memory/3236-0-0x0000000000B10000-0x0000000001258000-memory.dmp

Filesize
7.3MB

Download
memory/3236-206-0x0000000000B10000-0x0000000001258000-memory.dmp

Filesize
7.3MB

Download
memory/3236-195-0x0000000000B10000-0x0000000001258000-memory.dmp

Filesize
7.3MB

Download
memory/3236-204-0x0000000000B10000-0x0000000001258000-memory.dmp

Filesize
7.3MB

Download
memory/3236-1-0x0000000000B11000-0x0000000000C45000-memory.dmp

Filesize
1.2MB

Download
memory/3236-200-0x0000000000B10000-0x0000000001258000-memory.dmp

Filesize
7.3MB

Download
memory/3236-202-0x0000000000B10000-0x0000000001258000-memory.dmp

Filesize
7.3MB

Download
memory/3320-147-0x0000000008DF0000-0x0000000009114000-memory.dmp

Filesize
3.1MB

Download
memory/3320-196-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download
memory/3320-211-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download
memory/3320-192-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download
memory/3320-194-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download
memory/3320-207-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download
memory/3320-191-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download
memory/3320-209-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download
memory/3320-219-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download
memory/3320-203-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download
memory/3320-205-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download
memory/3320-213-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download
memory/3320-188-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download
memory/3320-215-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download
memory/3320-65-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download
memory/3320-217-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download
memory/3320-73-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download
memory/3320-201-0x0000000000400000-0x0000000000B3E000-memory.dmp

Filesize
7.2MB

Download