c8e65fa60ec543b7a8d8897c287739929cd0117f2091391371c8271d9214933b

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8e65fa60ec543b7a8d8897c287739929cd0117f2091391371c8271d9214933b.exe
Size

2.7MB
MD5

8b438636827ba494ef4bc1d42294b0da
SHA1

bbb1d7d2ddbf5366d943d54d190e91bde91d2633
SHA256

c8e65fa60ec543b7a8d8897c287739929cd0117f2091391371c8271d9214933b
SHA512

5b0942b7fbc32d94eb042244d188611c15ef2bdb1d0d312e0231c50bb4b1d0feb27baa474070d2cd377cf2673de1ae7edef8f343c3c81533ca4a48c13666c5ef
SSDEEP

49152:Vv64Na95xIgrUv1L6FmZunxVg5tQ7aERIk5pnB7V4:VvrMx5ix8mZun/g56hs

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1632	regsvr32.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2148-0-0x0000000000400000-0x00000000006E1000-memory.dmp	autoit_exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61D6A087-D6C8-4ABD-880A-286041423ED4}\ = "_MyPluginName"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QSGJ.GetHardDiskInfo	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9FC85F66-4D8A-4C1B-BAD8-F084001BED0B}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C69E896F-8273-4AA6-A2FC-6D2464A9704E}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QSGJ.MyPluginName\Clsid\ = "{D6D73CA2-6336-45C7-8C17-DC912AD6A6F8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{99515B73-69C3-42BA-B896-CB23DA1BFD35}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qsgj11c.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{61D6A087-D6C8-4ABD-880A-286041423ED4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A30C0BF-5DB4-4938-B39B-E150716F6E17}\ = "_Getaddress"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{82A3F849-41FF-49C5-ACE2-DB500C642B84}\ = "_GetHardDiskInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QSGJ.GetCPUID\ = "QSGJ.GetCPUID"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QSGJ.GetHardDiskInfo\ = "QSGJ.GetHardDiskInfo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D6D73CA2-6336-45C7-8C17-DC912AD6A6F8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53418974-8C46-4B2D-AF9A-345256B4B1C0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A30C0BF-5DB4-4938-B39B-E150716F6E17}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QSGJ.GetCPUID\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46D9E4E8-F49E-4A9F-9FF4-9F064C279A02}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9FC85F66-4D8A-4C1B-BAD8-F084001BED0B}\VERSION	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{82A3F849-41FF-49C5-ACE2-DB500C642B84}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QSGJ.Getaddress	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A30C0BF-5DB4-4938-B39B-E150716F6E17}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82A3F849-41FF-49C5-ACE2-DB500C642B84}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{82A3F849-41FF-49C5-ACE2-DB500C642B84}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C69E896F-8273-4AA6-A2FC-6D2464A9704E}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D6D73CA2-6336-45C7-8C17-DC912AD6A6F8}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QSGJ.MyPluginName	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79A52A11-4F9E-4F95-8F6A-6848B5A6F41B}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{53418974-8C46-4B2D-AF9A-345256B4B1C0}\ = "SerialNumber"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79A52A11-4F9E-4F95-8F6A-6848B5A6F41B}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A30C0BF-5DB4-4938-B39B-E150716F6E17}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9FC85F66-4D8A-4C1B-BAD8-F084001BED0B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QSGJ.GetHardDiskInfo\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QSGJ.SerialNumber\ = "QSGJ.SerialNumber"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D6D73CA2-6336-45C7-8C17-DC912AD6A6F8}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{61D6A087-D6C8-4ABD-880A-286041423ED4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A30C0BF-5DB4-4938-B39B-E150716F6E17}\TypeLib\ = "{99515B73-69C3-42BA-B896-CB23DA1BFD35}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{82A3F849-41FF-49C5-ACE2-DB500C642B84}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9FC85F66-4D8A-4C1B-BAD8-F084001BED0B}\ProgID\ = "QSGJ.GetHardDiskInfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QSGJ.SerialNumber\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{61D6A087-D6C8-4ABD-880A-286041423ED4}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61D6A087-D6C8-4ABD-880A-286041423ED4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{82A3F849-41FF-49C5-ACE2-DB500C642B84}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{46D9E4E8-F49E-4A9F-9FF4-9F064C279A02}\VERSION\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QSGJ.Getaddress\Clsid\ = "{79A52A11-4F9E-4F95-8F6A-6848B5A6F41B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C69E896F-8273-4AA6-A2FC-6D2464A9704E}\VERSION\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C69E896F-8273-4AA6-A2FC-6D2464A9704E}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{53418974-8C46-4B2D-AF9A-345256B4B1C0}\ = "_SerialNumber"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53418974-8C46-4B2D-AF9A-345256B4B1C0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A30C0BF-5DB4-4938-B39B-E150716F6E17}\ = "_Getaddress"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{82A3F849-41FF-49C5-ACE2-DB500C642B84}\TypeLib\ = "{99515B73-69C3-42BA-B896-CB23DA1BFD35}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{121B113D-6258-4AEF-90D2-49F5501EC7FB}\ = "GetCPUID"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{121B113D-6258-4AEF-90D2-49F5501EC7FB}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9FC85F66-4D8A-4C1B-BAD8-F084001BED0B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C69E896F-8273-4AA6-A2FC-6D2464A9704E}\ = "QSGJ.SerialNumber"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{99515B73-69C3-42BA-B896-CB23DA1BFD35}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53418974-8C46-4B2D-AF9A-345256B4B1C0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QSGJ.SerialNumber\Clsid\ = "{C69E896F-8273-4AA6-A2FC-6D2464A9704E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D6D73CA2-6336-45C7-8C17-DC912AD6A6F8}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{53418974-8C46-4B2D-AF9A-345256B4B1C0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A30C0BF-5DB4-4938-B39B-E150716F6E17}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{82A3F849-41FF-49C5-ACE2-DB500C642B84}\ = "GetHardDiskInfo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{53418974-8C46-4B2D-AF9A-345256B4B1C0}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{99515B73-69C3-42BA-B896-CB23DA1BFD35}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61D6A087-D6C8-4ABD-880A-286041423ED4}\TypeLib\ = "{99515B73-69C3-42BA-B896-CB23DA1BFD35}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A30C0BF-5DB4-4938-B39B-E150716F6E17}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2148	c8e65fa60ec543b7a8d8897c287739929cd0117f2091391371c8271d9214933b.exe
2148	c8e65fa60ec543b7a8d8897c287739929cd0117f2091391371c8271d9214933b.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 1632	2148	c8e65fa60ec543b7a8d8897c287739929cd0117f2091391371c8271d9214933b.exe	28
PID 2148 wrote to memory of 1632	2148	c8e65fa60ec543b7a8d8897c287739929cd0117f2091391371c8271d9214933b.exe	28
PID 2148 wrote to memory of 1632	2148	c8e65fa60ec543b7a8d8897c287739929cd0117f2091391371c8271d9214933b.exe	28
PID 2148 wrote to memory of 1632	2148	c8e65fa60ec543b7a8d8897c287739929cd0117f2091391371c8271d9214933b.exe	28
PID 2148 wrote to memory of 1632	2148	c8e65fa60ec543b7a8d8897c287739929cd0117f2091391371c8271d9214933b.exe	28
PID 2148 wrote to memory of 1632	2148	c8e65fa60ec543b7a8d8897c287739929cd0117f2091391371c8271d9214933b.exe	28
PID 2148 wrote to memory of 1632	2148	c8e65fa60ec543b7a8d8897c287739929cd0117f2091391371c8271d9214933b.exe	28

C:\Users\Admin\AppData\Local\Temp\c8e65fa60ec543b7a8d8897c287739929cd0117f2091391371c8271d9214933b.exe
"C:\Users\Admin\AppData\Local\Temp\c8e65fa60ec543b7a8d8897c287739929cd0117f2091391371c8271d9214933b.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s qsgj11c.dll
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qsgj11c.dll

Filesize
132KB

MD5
2e9d8414c5f59598db4e97e3377b149e

SHA1
23b0e7c642faeacfbfac117f14fda4e1d941341f

SHA256
6b55304708cf5eef70b719f2fc94b0b95cb4e9c562209ea6253c16a7ff7a280f

SHA512
a01acfcf53b40769d465c9504ec444fa6b0e52b34622c872e9c22ac97bdd9c1d3e8f6af84c6758ad46966d5e27de2d3fdc37af0751ab6cf94671d9a435f76cda

Download Submit
memory/2148-0-0x0000000000400000-0x00000000006E1000-memory.dmp

Filesize
2.9MB

Download