a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d

Analysis

max time kernel
135s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
Size

10.8MB
MD5

742e394a64900dbe1f229f9c8722736e
SHA1

5022d87144b2ddebcb00a056c0fc0de159eb4167
SHA256

a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d
SHA512

b91dd950882a78f1faa50622b63556d4c06ebf214a19c866494df4e1f81e1495d7db6110973427af363a7588b3fe430716958d09168adf48eb0887467c5e55ce
SSDEEP

196608:hl9nHyKVAHYnN9BrwQrm7ZrYUMC94jmvBZITGi:hl9HBAHYnpW7ZrYUb94jm5ZIT

Score

8^/10

discovery upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
556	QS-197.exe

Loads dropped DLL 3 IoCs

pid	Process
2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
556	QS-197.exe
556	QS-197.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2492-44-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-32-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-48-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-46-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-42-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-40-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-38-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-37-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-34-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-30-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-28-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-26-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-24-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-23-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-20-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-18-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-16-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-14-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-12-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-10-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-8-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-7-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/2492-6-0x0000000003B40000-0x0000000003B7E000-memory.dmp	upx
behavioral2/memory/556-113-0x0000000003A70000-0x0000000003AAE000-memory.dmp	upx
behavioral2/memory/556-125-0x0000000003A70000-0x0000000003AAE000-memory.dmp	upx
behavioral2/memory/556-123-0x0000000003A70000-0x0000000003AAE000-memory.dmp	upx
behavioral2/memory/556-121-0x0000000003A70000-0x0000000003AAE000-memory.dmp	upx
behavioral2/memory/556-119-0x0000000003A70000-0x0000000003AAE000-memory.dmp	upx
behavioral2/memory/556-117-0x0000000003A70000-0x0000000003AAE000-memory.dmp	upx
behavioral2/memory/556-115-0x0000000003A70000-0x0000000003AAE000-memory.dmp	upx
behavioral2/memory/556-114-0x0000000003A70000-0x0000000003AAE000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysqs.dll	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
556	QS-197.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\MultiGame.dll	QS-197.exe
File opened for modification	C:\Windows\MultiGame.dll	QS-197.exe
File created	C:\Windows\MultiGame.dll	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
File opened for modification	C:\Windows\MultiGame.dll	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QS-197.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
556	QS-197.exe
556	QS-197.exe
556	QS-197.exe
556	QS-197.exe
556	QS-197.exe
556	QS-197.exe
556	QS-197.exe
556	QS-197.exe
556	QS-197.exe
556	QS-197.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
Token: SeDebugPrivilege	556	QS-197.exe
Token: SeDebugPrivilege	556	QS-197.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
556	QS-197.exe
556	QS-197.exe
556	QS-197.exe
556	QS-197.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 556	2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe	98
PID 2492 wrote to memory of 556	2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe	98
PID 2492 wrote to memory of 556	2492	a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe	98

C:\Users\Admin\AppData\Local\Temp\a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe
"C:\Users\Admin\AppData\Local\Temp\a31fff8fad1071fd0911b609c2111a25dff8990b3960652c26b2b5cf9a359b1d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\QS-197.exe
  C:\Users\Admin\AppData\Local\Temp\QS-197.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QS-197.exe

Filesize
10.9MB

MD5
e3e460e727f62a0ae4bf8e30cca6c9af

SHA1
5eadf9282493fb662bd1e38abecb783b39166555

SHA256
fcc0d74d5fd6564881c395b907f574560c317bbd0ab35df980a053374deebeb0

SHA512
209befa81c2a164e3325cb4449d7b6c83c21d4c1f52e79fb3e02390f81f85842cdad71d96fcd688236f57e937fe0c6c17681f88fdc07a94b72e3962e9c0bdb23

Download Submit
C:\Users\Admin\Desktop\ÅäÖÃ²Ëµ¥.ini

Filesize
1KB

MD5
ee2b6938b5c7b4419c1cc258da1fec15

SHA1
b185d03c64257c187b69ce6721979bd356eb2e2e

SHA256
c281d447bf6e6906d58bde634b1078705ba7b8cd654886b8bfbd7ccbbd5ecdf0

SHA512
bb5372c8247bc2514b6ad41f74bbd07272a845a1f9d3725b3f11226db31902a4f7a9385a0aeddbf4836b382297e299ea4d1d6dea3c81dd26bd2986bb8432ecd7

Download Submit
C:\Windows\MultiGame.dll

Filesize
155KB

MD5
e81487a471f97460148649350f875f84

SHA1
e2d0287ec204e3d499b7d27988bc8a55e69d338e

SHA256
96e89726f45eb75958bd4c4f508ef38336da83eca64993d39c9335600525a20d

SHA512
9032636dd2bfb75c20deb14ad3a4e2e25e8acfa72f6830c779e759e15d7c0e0acc649bf157500917b01dd60aecd58f6ee2e055dfeea5022829cd757e5241f7d7

Download Submit
memory/556-114-0x0000000003A70000-0x0000000003AAE000-memory.dmp

Filesize
248KB

Download
memory/556-113-0x0000000003A70000-0x0000000003AAE000-memory.dmp

Filesize
248KB

Download
memory/556-96-0x0000000000400000-0x0000000001BD2000-memory.dmp

Filesize
23.8MB

Download
memory/556-95-0x0000000001E70000-0x0000000001E71000-memory.dmp

Filesize
4KB

Download
memory/556-115-0x0000000003A70000-0x0000000003AAE000-memory.dmp

Filesize
248KB

Download
memory/556-117-0x0000000003A70000-0x0000000003AAE000-memory.dmp

Filesize
248KB

Download
memory/556-119-0x0000000003A70000-0x0000000003AAE000-memory.dmp

Filesize
248KB

Download
memory/556-121-0x0000000003A70000-0x0000000003AAE000-memory.dmp

Filesize
248KB

Download
memory/556-123-0x0000000003A70000-0x0000000003AAE000-memory.dmp

Filesize
248KB

Download
memory/556-125-0x0000000003A70000-0x0000000003AAE000-memory.dmp

Filesize
248KB

Download
memory/2492-51-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-57-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-38-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-37-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-34-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-30-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-28-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-26-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-24-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-23-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-20-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-18-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-16-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-14-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-12-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-10-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-8-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-7-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-49-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-6-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-50-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-42-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-52-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-53-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-54-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-55-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-56-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-40-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-58-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-65-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-69-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-70-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-71-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-72-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-73-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-74-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-81-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-82-0x0000000000B62000-0x00000000010CF000-memory.dmp

Filesize
5.4MB

Download
memory/2492-83-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-84-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-85-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-46-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-48-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-32-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-44-0x0000000003B40000-0x0000000003B7E000-memory.dmp

Filesize
248KB

Download
memory/2492-5-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-2-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-1-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/2492-86-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-87-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-88-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-89-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-156-0x0000000000B62000-0x00000000010CF000-memory.dmp

Filesize
5.4MB

Download
memory/2492-157-0x0000000000400000-0x0000000001BA6000-memory.dmp

Filesize
23.6MB

Download
memory/2492-0-0x0000000000B62000-0x00000000010CF000-memory.dmp

Filesize
5.4MB

Download