bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374

Analysis

max time kernel
150s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 02:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
Size

1.1MB
MD5

829d20fa19b38f9aa8b6bc04ab13bf1d
SHA1

e15c1288661dc8d75dd978f283010e7190962619
SHA256

bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374
SHA512

7439af6225cb088ba16fc59ca4532d76ac64b7009176f94950bd339ce5353dcb9eac045f65e8812be9b1bb390a736a0ef44e5a7cd8ad5012bf713b912e00ee50
SSDEEP

12288:GGzQYR4IeaAVB6ETW82Ku8UKfdndrboYj+/lhRkZxBI+wY:G8lgaAVB6evW8UKlndr6/zRkVI+3

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2920	jekkhhe.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1492-0-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/files/0x00070000000234dd-13.dat	upx
behavioral2/files/0x000100000000002e-43.dat	upx
behavioral2/memory/2920-55-0x0000000000400000-0x000000000046F000-memory.dmp	upx
behavioral2/memory/1492-56-0x0000000000400000-0x000000000046F000-memory.dmp	upx

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sqguisq\sqguisq\wrvvuqp\m.ini	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
File created	C:\Windows\SysWOW64\sqguisq\sqguisq\wrvvuqp\jekkhhe.exe	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
File opened for modification	C:\Windows\SysWOW64\sqguisq\sqguisq\wrvvuqp\jekkhhe.exe	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
File created	C:\Windows\system32\spool\DRIVERS\W32X86\3\qguisqs\qguisqs.exe	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
File created	C:\Windows\SysWOW64\Help\upbiran.ini	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
File created	C:\Windows\SysWOW64\Help\1.sqguisq	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
File created	C:\Windows\SysWOW64\Help\2.sqguisq	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 548	2920	jekkhhe.exe	88

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Help\sqguisq.hlp	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
File created	C:\Windows\2.ini	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
File opened for modification	C:\Windows\	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4072	548	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jekkhhe.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1492	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
1492	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
1492	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
1492	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
1492	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
1492	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
1492	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
1492	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 2920	1492	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe	87
PID 1492 wrote to memory of 2920	1492	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe	87
PID 1492 wrote to memory of 2920	1492	bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe	87
PID 2920 wrote to memory of 548	2920	jekkhhe.exe	88
PID 2920 wrote to memory of 548	2920	jekkhhe.exe	88
PID 2920 wrote to memory of 548	2920	jekkhhe.exe	88
PID 2920 wrote to memory of 548	2920	jekkhhe.exe	88
PID 2920 wrote to memory of 548	2920	jekkhhe.exe	88

C:\Users\Admin\AppData\Local\Temp\bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe
"C:\Users\Admin\AppData\Local\Temp\bd468b5bc7e32cdf7ca776b4886440be1d5608d13d71acae3d911d718945f374.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\sqguisq\sqguisq\wrvvuqp\jekkhhe.exe
  C:\Windows\system32\sqguisq\sqguisq\wrvvuqp\jekkhhe.exe -close
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -NetworkService
    3⤵
    PID:548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 12
      4⤵
      Program crash
      PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 548 -ip 548
1⤵
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Help\1.sqguisq

Filesize
26B

MD5
13b77bc12a7d3a19519e76ee0f6dd6f5

SHA1
c0e896cb477b2919faa23e34e01319928f44a15f

SHA256
21e9fcca170e06a30cc5823bed66b8ae1e60e5402e16afb455b7ae9c523f582b

SHA512
b08a6c2bb438c46546bf235ad15042ce612cdb2e536ba40a5c0d3d579a3555c6e710cf0a21261f3225726a9d3d25e132250830cadaf44e8f63a816d25c4207c6

Download Submit
C:\Windows\SysWOW64\Help\2.sqguisq

Filesize
18B

MD5
7240c620c728aa60f9102c3948e0ecc3

SHA1
73fef5bae4f9bfc5408ed11c9224b48528615730

SHA256
358572606e147cec4b016863c47a0c5e5938ecf219010728894cbc3750c223b3

SHA512
3100b08bac05fcd1522334bc277891249da8ef55b6798454119a0be63060e001289609e28c8c6901c71add92fe252c091a703b1155985037f4766461007abd2f

Download Submit
C:\Windows\SysWOW64\Help\upbiran.ini

Filesize
18B

MD5
ba89d39c828ce917c5a48fcf5179ce4a

SHA1
81354e6a2f008dbce343b70ac6e6345d02b5c8f2

SHA256
28a569ef049350a75fbbd1ed11c30282396c9fa86517beb741c086b0eef17c6f

SHA512
a1e1663b44239d499650ecf6aed95114db88fd7a4e659091800dbc43e62c7353da76baba2c0876f74763204f4e9404ee4ff3512d57cd5448f23c68ca22a2e361

Download Submit
C:\Windows\SysWOW64\sqguisq\sqguisq\wrvvuqp\jekkhhe.exe

Filesize
6.4MB

MD5
a7842be2a5c1e810c7dff5c4a0b32d27

SHA1
f855df98b4bac005cf2b3db7c3c8918cac3632a8

SHA256
d6e5e903b146eea13d129c11ff6c5c2a02185f225e35275960f97b821859c9b5

SHA512
73c9f9ba9f5b4d0694c194f2a6b311e6c97bc74964045af386a35e48e04a321d149ed9201ba660f4c338c09187a923e86091c0b7b8a91dac8f7fc7941e11f2b2

Download Submit
C:\Windows\SysWOW64\sqguisq\sqguisq\wrvvuqp\m.ini

Filesize
128B

MD5
6e2996b4ed6fa12c5fb6f7db7b8b08fe

SHA1
7443d8b49f5c0d3cffc54c955f32ff5c8c471c2e

SHA256
f68658e3c3c146a53d8fe8ef790e04bff05a3b1b7fd84731fa607c671287d125

SHA512
112057e2e5201208f9c1525837f1bc82b675553a9c67188b7ffb3f0619483f667bf0e90b3cece15f42e9bc0b2e16bb047f075e090da9a0c8aabd43a27ee8ea20

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\qguisqs\qguisqs000.IMD

Filesize
112KB

MD5
d1f3fd64451c7f1547ab217bccdf4efb

SHA1
1c84e5e4b986f2c3e073bd634ab116c466150e3a

SHA256
dfd4ddf2620e32250d308193da29543aa0a328ef598cad4e2bfb7e141d099a02

SHA512
fd02cae93f3286cd7f33969a8db93ff00613a28c433f843f912a540ca6a7992fcaf8c2e2cdce76f0b1170a8d4bd7f7ea58b832992e8b2f5992f3ad8900e33d6a

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\qguisqs\qguisqs001.IMD

Filesize
112KB

MD5
c7697f8bed20beb9f36ce656d06e33ed

SHA1
39a70193549c2eff56a156f6865a800458358cd8

SHA256
dada6a560ccb42d109627262776aa72f8d30657530d8182b177d3aeccd5b1095

SHA512
ee1a8a97903d820887f0080dd99042e28d66b25294e41306116c914619d10ac0a1bdf42f02b695e3186aa5c72322153f0d55b1de32a961cfc4cabdee0f08fab3

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\qguisqs\qguisqs002.IMD

Filesize
112KB

MD5
cc2a32ee2cf17624f78c5003e4c5dfb4

SHA1
b273287977f5d8f9ee921eedbfa2d74955060ec8

SHA256
1fbb36e87b0922023a3aa6fc7f44eeb9a17a934385c02dde42b47f9f5330b482

SHA512
5f8ccb5a880c6b80ca83d6b9757e96735d743ffb78a7f5dfce5948e7f272816c59d75daf0c8cae7b2d69d0067ca6e8a4a0008eb355e8adf02016d80d2c805fda

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\qguisqs\qguisqs003.IMD

Filesize
112KB

MD5
901b863fbeae24bb646fdb1e6b13188d

SHA1
e2398e173a6d50935b8b84c31f33b541572d5add

SHA256
8e78dd9e10d1c56354a090b5ec140a77d54bdcb1ea55b00f74830863378f7566

SHA512
1c74dff0af7c6b168f767d86798152875be2e1ceb6e1080b5e126cb95593bb3e87e097ea561535855b846f35b95a09ad9ab2833957ea117dfcf23c745726a46c

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\qguisqs\qguisqs004.IMD

Filesize
112KB

MD5
f1499e3f03a4b4a98686c0e43c5e79fb

SHA1
28003a1b01ffc2501ad5d45ecbac742778435412

SHA256
ce07dc23f76d499f95000a23f39b2a8093d292c5c38b66545445b99cc945f6b3

SHA512
3e964c6492bc0b0527f9b9dd1668a9d79f3eff9ee7460c6e1d72d8310eb3f79e88e6529d8295485b2b865e2bbe4b5defcdd6e7a93bae7414bfe5e7f080d83ca2

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\qguisqs\qguisqs005.IMD

Filesize
112KB

MD5
25753489da4c26288c05c246d93aa907

SHA1
6460c70c0fa74b7cc2b0108853171f9feac2b6bc

SHA256
f9e53741b6c17ec9ff37449aa2e166c194329b5b46c79cea512581c68b90ab22

SHA512
fe131a686318b1ffbb6567b182e53aaa52d6dc84eafd42b29204f3397352afca3433d89c60697809c75e550acfc1ef6a3ad0292868f5270f13be17d952d56a90

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\qguisqs\qguisqs006.IMD

Filesize
112KB

MD5
94d6a5e3ed266479e7f73c879420949e

SHA1
2c7e3b68d7e80e1d98886b07dd01136140c4fcd2

SHA256
65acbf3e49ae7647ed654b83dac4e986e3aaa4f441da4044b32d80304b260772

SHA512
41f781cfd9229d41bb5626c7eac4282cf3c0aa8e1e059a2464ddf74f343a1572392f33129962f3c1b96733c3cb9881c4d8f6c26c8da27af20399453997ecfef3

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\qguisqs\qguisqs007.IMD

Filesize
112KB

MD5
d94b58147fe7430d607196d718dd8731

SHA1
71d0827973b5f7daa0bd90a965d2774eccfd701c

SHA256
a604e0d6094c7cdb74d8c7494532c465ef167701a4d932e12100303af4660b6e

SHA512
94b2b7a738bbad40946baf9c24185ac887625000ae5be271e966dc1dea31c5020fd79c3a35e43cb5f3a8ecc35ede5f920b6f02d079cffc22fcc2bf4b0aa4bb38

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\qguisqs\qguisqs008.IMD

Filesize
112KB

MD5
3bfd7144c6c393e987f3a481a46ab484

SHA1
cfca3c3c4dbb244964041ef810bd26e3acd88a41

SHA256
af2ff68c03c8c8305c13f64117e3410ae415dd23a429045bcb0d1f922d1ab16b

SHA512
bb58071c10480323b16482b6422c34158aa9018458e9bac37ac62afa6d9fc151ffcf4439a7fc4649cdb52097b3eb4df7af1f4012061bfb71af64a1a322b48053

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\qguisqs\qguisqs009.IMD

Filesize
112KB

MD5
28c44d1ee9e84359c97ba2a410c51026

SHA1
c2ddebe007ecb856f7102191360bfc222f7e991c

SHA256
0c6f4023362db58ffdcb8e131843bec9a6526f26e8336409dcc7090b39445c6b

SHA512
fe1079071ecad961aca0d1105b951a669ccf8d53212b68a0f5809a9814265fdfeac125f7e0331c6d3b2c673609ea44bd54d467b172bd1de8e9df1eac5746f9d9

Download Submit
F:\RECYCLER\S-1-5-18\Dc8\qguisqs\qguisqs010.IMD

Filesize
1B

MD5
6f8f57715090da2632453988d9a1501b

SHA1
6b0d31c0d563223024da45691584643ac78c96e8

SHA256
62c66a7a5dd70c3146618063c344e531e6d4b59e379808443ce962b3abd63c5a

SHA512
f14aae6a0e050b74e4b7b9a5b2ef1a60ceccbbca39b132ae3e8bf88d3a946c6d8687f3266fd2b626419d8b67dcf1d8d7c0fe72d4919d9bd05efbd37070cfb41a

Download Submit
memory/1492-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1492-56-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2920-55-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download