Overview
overview
3Static
static
1qemu-9.1.0...ump.pl
windows10-2004-x64
3qemu-9.1.0...ids.pl
windows10-2004-x64
3qemu-9.1.0...eck.pl
windows10-2004-x64
3qemu-9.1.0...rem.js
windows10-2004-x64
3qemu-9.1.0...fig.py
windows10-2004-x64
3qemu-9.1.0...fig.py
windows10-2004-x64
3qemu-9.1.0...fig.py
windows10-2004-x64
3qemu-9.1.0...fig.py
windows10-2004-x64
3qemu-9.1.0...lib.py
windows10-2004-x64
3qemu-9.1.0...fig.py
windows10-2004-x64
3qemu-9.1.0...fig.py
windows10-2004-x64
3qemu-9.1.0...fig.py
windows10-2004-x64
3qemu-9.1.0...fig.py
windows10-2004-x64
3qemu-9.1.0...fig.py
windows10-2004-x64
3qemu-9.1.0...ray.sh
windows10-2004-x64
3qemu-9.1.0...ive.sh
windows10-2004-x64
3qemu-9.1.0...d2c.sh
windows10-2004-x64
3qemu-9.1.0...ME.vbs
windows10-2004-x64
1qemu-9.1.0...ME.vbs
windows10-2004-x64
1qemu-9.1.0...DME.sh
windows10-2004-x64
3qemu-9.1.0...efs.js
windows10-2004-x64
3qemu-9.1.0...te.vbs
windows10-2004-x64
1qemu-9.1.0...rec.sh
windows10-2004-x64
3qemu-9.1.0...onsole
windows10-2004-x64
1qemu-9.1.0...onsole
windows10-2004-x64
1qemu-9.1.0...ot.vbs
windows10-2004-x64
1qemu-9.1.0..._param
windows10-2004-x64
1qemu-9.1.0...nd_cmd
windows10-2004-x64
1qemu-9.1.0..._image
windows10-2004-x64
1qemu-9.1.0...ersion
windows10-2004-x64
1qemu-9.1.0...us.vbs
windows10-2004-x64
1qemu-9.1.0...mp.vbs
windows10-2004-x64
1Analysis
-
max time kernel
129s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system -
submitted
01-08-2024 20:48
Static task
static1
Behavioral task
behavioral1
Sample
qemu-9.1.0-rc0/roms/ipxe/src/util/sortobjdump.pl
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
qemu-9.1.0-rc0/roms/ipxe/src/util/swapdevids.pl
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
qemu-9.1.0-rc0/roms/ipxe/src/util/symcheck.pl
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
qemu-9.1.0-rc0/roms/opensbi/lib/utils/libquad/qdivrem.js
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
qemu-9.1.0-rc0/roms/opensbi/scripts/Kconfiglib/allnoconfig.py
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
qemu-9.1.0-rc0/roms/opensbi/scripts/Kconfiglib/allyesconfig.py
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
qemu-9.1.0-rc0/roms/opensbi/scripts/Kconfiglib/defconfig.py
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
qemu-9.1.0-rc0/roms/opensbi/scripts/Kconfiglib/genconfig.py
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
qemu-9.1.0-rc0/roms/opensbi/scripts/Kconfiglib/kconfiglib.py
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
qemu-9.1.0-rc0/roms/opensbi/scripts/Kconfiglib/menuconfig.py
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
qemu-9.1.0-rc0/roms/opensbi/scripts/Kconfiglib/oldconfig.py
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
qemu-9.1.0-rc0/roms/opensbi/scripts/Kconfiglib/olddefconfig.py
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
qemu-9.1.0-rc0/roms/opensbi/scripts/Kconfiglib/savedefconfig.py
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
qemu-9.1.0-rc0/roms/opensbi/scripts/Kconfiglib/setconfig.py
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
qemu-9.1.0-rc0/roms/opensbi/scripts/carray.sh
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
qemu-9.1.0-rc0/roms/opensbi/scripts/create-binary-archive.sh
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
qemu-9.1.0-rc0/roms/opensbi/scripts/d2c.sh
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
qemu-9.1.0-rc0/roms/u-boot-sam460ex/doc/README.vbs
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
qemu-9.1.0-rc0/roms/u-boot-sam460ex/doc/README.vbs
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
qemu-9.1.0-rc0/roms/u-boot-sam460ex/doc/README.sh
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
qemu-9.1.0-rc0/roms/u-boot-sam460ex/tools/bddb/defs.js
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
qemu-9.1.0-rc0/roms/u-boot-sam460ex/tools/gdb/remote.vbs
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
qemu-9.1.0-rc0/roms/u-boot-sam460ex/tools/img2brec.sh
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
qemu-9.1.0-rc0/roms/u-boot-sam460ex/tools/jtagconsole
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
qemu-9.1.0-rc0/roms/u-boot-sam460ex/tools/netconsole
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
qemu-9.1.0-rc0/roms/u-boot-sam460ex/tools/scripts/dot.vbs
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
qemu-9.1.0-rc0/roms/u-boot-sam460ex/tools/scripts/flash_param
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
qemu-9.1.0-rc0/roms/u-boot-sam460ex/tools/scripts/send_cmd
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
qemu-9.1.0-rc0/roms/u-boot-sam460ex/tools/scripts/send_image
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
qemu-9.1.0-rc0/roms/u-boot-sam460ex/tools/setlocalversion
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
qemu-9.1.0-rc0/system/cpus.vbs
Resource
win10v2004-20240730-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
qemu-9.1.0-rc0/system/qemu-seccomp.vbs
Resource
win10v2004-20240730-en
windows10-2004-x64
General
-
Target
qemu-9.1.0-rc0/roms/ipxe/src/util/sortobjdump.pl
-
Size
1KB
-
MD5
c57a5cbd15428280adfacdc57d48840e
-
SHA1
4bb74e58415ffaf34aa066202607e0c386faf3c6
-
SHA256
dd9e380fee93d0e6b5732ba4070e0da455d02abb903e12c525ef008c1b3116bc
-
SHA512
53f5536bd7d455b0c0e9473d4dbc13a2c4e4700ad5629d7ce6b72e673aac1e4831a9765ca03acd6cf231d4cf737d9d8134947f8877ad0348291df75887b459b5
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\pl_auto_file\shell\open OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\pl_auto_file OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\.pl\ = "pl_auto_file" OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\pl_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\pl_auto_file\shell\edit\command OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\.pl OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\∀谀耎 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\pl_auto_file\shell OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\pl_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings cmd.exe Set value (str) \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\∀谀耎\ = "pl_auto_file" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\pl_auto_file\shell\edit OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\pl_auto_file\shell\open\command OpenWith.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1228 OpenWith.exe 4452 OpenWith.exe -
Suspicious use of SetWindowsHookEx 54 IoCs
pid Process 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 1228 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe 4452 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1228 wrote to memory of 872 1228 OpenWith.exe 87 PID 1228 wrote to memory of 872 1228 OpenWith.exe 87
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\qemu-9.1.0-rc0\roms\ipxe\src\util\sortobjdump.pl1⤵
- Modifies registry class
PID:4936
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\qemu-9.1.0-rc0\roms\ipxe\src\util\sortobjdump.pl2⤵PID:872
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4300
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4452
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵PID:2568