Resubmissions

09-07-2024 21:40

240709-1jl9bayglb 8

09-07-2024 21:37

240709-1gr2saxclm 8

General

  • Target

    v2_builds_latest_QuiverPhotos-amd64-installer.exe

  • Size

    14.6MB

  • Sample

    240709-1jl9bayglb

  • MD5

    118c5e378a05b3e19999653e938db12a

  • SHA1

    da04d3401171beb3290d560f7e204df6e6cb3dd0

  • SHA256

    5a1191d2527486f195ab010ad2bd770019ea9c881496d757e2ba1b0f31115fba

  • SHA512

    e44dbfb90645846ccde0e787809ce2f86f170f6f633f264052c14ff9666ec20e4912d54946b03488fa87b377753efd6381cc345c8fb9d095c9416b6229ac6015

  • SSDEEP

    393216:FOs3Q0m9o8Ip/zONs9fot1FZDfGJgS426hS:F/3Q0m9c/zrfotbxGCS42v

Malware Config

Targets

    • Target

      v2_builds_latest_QuiverPhotos-amd64-installer.exe

    • Size

      14.6MB

    • MD5

      118c5e378a05b3e19999653e938db12a

    • SHA1

      da04d3401171beb3290d560f7e204df6e6cb3dd0

    • SHA256

      5a1191d2527486f195ab010ad2bd770019ea9c881496d757e2ba1b0f31115fba

    • SHA512

      e44dbfb90645846ccde0e787809ce2f86f170f6f633f264052c14ff9666ec20e4912d54946b03488fa87b377753efd6381cc345c8fb9d095c9416b6229ac6015

    • SSDEEP

      393216:FOs3Q0m9o8Ip/zONs9fot1FZDfGJgS426hS:F/3Q0m9c/zrfotbxGCS42v

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Target

      $PLUGINSDIR/InstallOptions.dll

    • Size

      32KB

    • MD5

      1f24c9859dd6639d0c752d7b96a2442d

    • SHA1

      7014f711d1d06cdc3d5bae678aad29e8b9ebcfd2

    • SHA256

      657672be6ea8a72fb4765074cfda019fb8fa4eacb3238a416c186f53919d7cf4

    • SHA512

      7a488b27031e76873623142e66355d45a2bcd13d0fe235b93db1f92bb5c6658c4b689131672cacdad7b5a3204fca3fdbe020066f442b3a0db17fcf85f3eabf96

    • SSDEEP

      384:PnpIqrPKteJM6zAzlq0BnPr681qrSYc/RHXCtk6tztN4Ykvdv7WbHwyx1I83cwTv:PpI8yU0tmC/hS3NfgvtQt28PEslxo

    • Score

      3/10

    • Target

      $PLUGINSDIR/System.dll

    • Size

      28KB

    • MD5

      81e34f1c4b04a15dbce200c52f598f67

    • SHA1

      f40a922ad7a5494e2aeeaa2b961d96738e888af7

    • SHA256

      b89448b9fd7be5ef215cac6d973a57c0e75e1fffa25552afe174855c9b71fdf9

    • SHA512

      577f52a292075269f0e8ec4c6d243b2ed411872e009839553020929a8263174ad97943f150543e4ea6cb327d95e227f4065441a9d2106b7cabf1cb872dbcc181

    • SSDEEP

      384:xmEs6sVqQq0DwRiGUaLYuAXLaMoy4m973uwYkvZ6YfkzB8yy1Eiu8ILvFd/9:xmEwqZ2wRiGUcY8TBsdvEbB8yyvIJ

    • Score

      3/10

    • Target

      $PLUGINSDIR/webview2bootstrapper/MicrosoftEdgeWebview2Setup.exe

    • Size

      1.7MB

    • MD5

      60366cbf515774ffde2b49297c3d2e9b

    • SHA1

      0158273f35fb5069ae6ad2950045d3656e86b444

    • SHA256

      7ebc4ce80143ef89cea86a61ea151502868db6caaa678b8b43660a66ace11c3a

    • SHA512

      b6e1142835e2945f38f478d1ffb9d3f551357d0a65efbe23f4d0a3f4bd4e1933542251233f37f2c47ab5a6cd6b959164b813d43756b49ef72d7dbf73669fa99f

    • SSDEEP

      49152:8S13Oud1Ux5s7EIludZCcYdm4I1VKqlnfU16O8vdR:8SIuHSs4IluPCJAnOudR

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Target

      QuiverPhotos.exe

    • Size

      13.2MB

    • MD5

      6780eae3b57fd18e332df211a10d3147

    • SHA1

      590cf39c0a17b17df783c8b6d161a0d864eb19cb

    • SHA256

      9abc771cc6af7025e4c42e474aa5c9beb2a32a2bd3136914022fe3af2f242fe6

    • SHA512

      f5db53bae0626946a5d6adfb3e418e71b824d0d2f174ed7fb27368c3dbd72e0b584da899ef7dfc0ca68197e08614737a6519905ed0fe4c43e4e54c88a331b96f

    • SSDEEP

      393216:Oj6sA/GxuA60if1PutEdrClQ//mlZ6X0uqPj:ie0iluYrCq/er1P

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks