6d0e4fc09ce28fbad98adce3b6bbec515ab0f35ef1f63d38adb575e6c18890ac

Analysis

max time kernel
120s
max time network
115s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a85eea8618c8ea2f164f59dcdd8e430N.exe
Size

218KB
MD5

2a85eea8618c8ea2f164f59dcdd8e430
SHA1

2ac327d04c4c6271f640727517a6ef07fa48e745
SHA256

6d0e4fc09ce28fbad98adce3b6bbec515ab0f35ef1f63d38adb575e6c18890ac
SHA512

eb8501da4bdd6cfc47b15354bd8753c4a14bab8ef52c63e9b6b3b59661de5c94d8dc1fae688673dc04718d484cbb80669aa5578e7ba2378682c25e78967075ed
SSDEEP

3072:BqEH+GiEs2SMylNOjyFbxJz5qwPWYLWX7n6+QPzuy5cs4BfLK4GG0771PFKTtHOc:MsehzRFjutQPzpR41R3HHKXtGZa5Vs

Score

8^/10

discovery evasion execution persistence upx

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	2644	Rundll32.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2304	QVODSE~1.EXE
2252	Qvod.exe

Loads dropped DLL 16 IoCs

pid	Process
1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe
1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe
2304	QVODSE~1.EXE
2636	Rundll32.exe
2636	Rundll32.exe
2636	Rundll32.exe
2636	Rundll32.exe
1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe
2644	Rundll32.exe
2644	Rundll32.exe
2644	Rundll32.exe
2644	Rundll32.exe
2644	Rundll32.exe
2252	Qvod.exe
2252	Qvod.exe
2252	Qvod.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000018b03-32.dat	upx
behavioral1/memory/1804-30-0x0000000000180000-0x00000000001D7000-memory.dmp	upx
behavioral1/memory/2252-48-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2252-49-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2252-50-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2252-51-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2252-53-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2252-55-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2252-56-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2252-58-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2a85eea8618c8ea2f164f59dcdd8e430N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\system32\\system.exe"	Rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\avgfactb.dll	QVODSE~1.EXE
File created	C:\Windows\SysWOW64\wvogactb.dll	QVODSE~1.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\KAV\CDriver.sys	Rundll32.exe
File opened for modification	C:\Program Files\KAV\CDriver.Inf	Rundll32.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1720	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a85eea8618c8ea2f164f59dcdd8e430N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QVODSE~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qvod.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2636	Rundll32.exe
2636	Rundll32.exe
2636	Rundll32.exe
2636	Rundll32.exe
2636	Rundll32.exe
2644	Rundll32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2636	Rundll32.exe
Token: SeRestorePrivilege	2636	Rundll32.exe
Token: SeRestorePrivilege	2636	Rundll32.exe
Token: SeRestorePrivilege	2636	Rundll32.exe
Token: SeRestorePrivilege	2636	Rundll32.exe
Token: SeRestorePrivilege	2636	Rundll32.exe
Token: SeRestorePrivilege	2636	Rundll32.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2252	Qvod.exe
2252	Qvod.exe
2252	Qvod.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2252	Qvod.exe
2252	Qvod.exe
2252	Qvod.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2304	1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe	30
PID 1804 wrote to memory of 2304	1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe	30
PID 1804 wrote to memory of 2304	1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe	30
PID 1804 wrote to memory of 2304	1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe	30
PID 1804 wrote to memory of 2304	1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe	30
PID 1804 wrote to memory of 2304	1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe	30
PID 1804 wrote to memory of 2304	1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe	30
PID 2304 wrote to memory of 2636	2304	QVODSE~1.EXE	31
PID 2304 wrote to memory of 2636	2304	QVODSE~1.EXE	31
PID 2304 wrote to memory of 2636	2304	QVODSE~1.EXE	31
PID 2304 wrote to memory of 2636	2304	QVODSE~1.EXE	31
PID 2304 wrote to memory of 2636	2304	QVODSE~1.EXE	31
PID 2304 wrote to memory of 2636	2304	QVODSE~1.EXE	31
PID 2304 wrote to memory of 2636	2304	QVODSE~1.EXE	31
PID 2636 wrote to memory of 1720	2636	Rundll32.exe	32
PID 2636 wrote to memory of 1720	2636	Rundll32.exe	32
PID 2636 wrote to memory of 1720	2636	Rundll32.exe	32
PID 2636 wrote to memory of 1720	2636	Rundll32.exe	32
PID 2636 wrote to memory of 1720	2636	Rundll32.exe	32
PID 2636 wrote to memory of 1720	2636	Rundll32.exe	32
PID 2636 wrote to memory of 1720	2636	Rundll32.exe	32
PID 2304 wrote to memory of 2644	2304	QVODSE~1.EXE	34
PID 2304 wrote to memory of 2644	2304	QVODSE~1.EXE	34
PID 2304 wrote to memory of 2644	2304	QVODSE~1.EXE	34
PID 2304 wrote to memory of 2644	2304	QVODSE~1.EXE	34
PID 2304 wrote to memory of 2644	2304	QVODSE~1.EXE	34
PID 2304 wrote to memory of 2644	2304	QVODSE~1.EXE	34
PID 2304 wrote to memory of 2644	2304	QVODSE~1.EXE	34
PID 1804 wrote to memory of 2252	1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe	35
PID 1804 wrote to memory of 2252	1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe	35
PID 1804 wrote to memory of 2252	1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe	35
PID 1804 wrote to memory of 2252	1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe	35
PID 1804 wrote to memory of 2252	1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe	35
PID 1804 wrote to memory of 2252	1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe	35
PID 1804 wrote to memory of 2252	1804	2a85eea8618c8ea2f164f59dcdd8e430N.exe	35

C:\Users\Admin\AppData\Local\Temp\2a85eea8618c8ea2f164f59dcdd8e430N.exe
"C:\Users\Admin\AppData\Local\Temp\2a85eea8618c8ea2f164f59dcdd8e430N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\avgfactb.dll Exucute
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" stop PolicyAgent
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:1720
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32 C:\Windows\system32\wvogactb.dll Exucute
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qvod.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qvod.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qvod.exe

Filesize
149KB

MD5
7581986b4b6dbdfa780b2e22f660da71

SHA1
dacd15537be973515e25840d94aa10dea81d7795

SHA256
ff22384b18e3ecea38fdfabdca6d4695a129d411cc517bc96422f5a7ec5ae151

SHA512
9d977a417ebc63ca07c1724e3097c3a3f1a8b602906e7119c55cd9b9c9f45f413bd36b90b1d8755fc8fbe848ad6a3c76a483c02df517b6b6229a9d2fbf412a5f

Download Submit
C:\Windows\SysWOW64\avgfactb.dll

Filesize
57KB

MD5
0b5cc82cd70afcd5b012f7c4be41dd99

SHA1
b7a136d337d7c24ee7e3af622da1a5aa03f3d944

SHA256
65c7abdad7d1afba65c47022306358c35104c2aaf614e36261616a4ad3fe255e

SHA512
8b6616179768b1cc8efc4fb3084a2ff596e512a7078c75e785ebef8bd47654e65c0a2709451c923714ceea3120237315dd2c57eb28e8076862b3f3d656a649ac

Download Submit
\Users\Admin\AppData\Local\Temp\D623.tmp

Filesize
1.7MB

MD5
b5eb5bd3066959611e1f7a80fd6cc172

SHA1
6fb1532059212c840737b3f923a9c0b152c0887a

SHA256
1ffb68a66f28f604adcae9c135f8dcf301316ab7fda8ebd294583c56dd26f7cc

SHA512
6c0743e0ff4922e859ba66b68040ab994dbae33e80c63ce8c993ad31a0c7aad6c6467484da1550063214953cd641dbf597438dd0c02f24164505d88ca80ea1b6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\QVODSE~1.EXE

Filesize
73KB

MD5
ef6b2b097300ec0a81cc063e16305cda

SHA1
66794f1b1f5e47884f4a898fe1f19758c1d787ab

SHA256
989be882d6bf81d19c91567e49c20759bfa5cd7c0f94c8d12c3aa7904a721899

SHA512
abf0466fbff72763144ec44d667eeb4a270f6e8682a0f12bf432054f7ae8683147377c35ad29fce29b99764018ff679a4b5bbfa846295831be47cee57b731c2d

Download Submit
\Windows\SysWOW64\wvogactb.dll

Filesize
10KB

MD5
85213b584ddff3bb5c87dc29b9ba5044

SHA1
0588b5d3abb74ecde921105c3fbca3d73d82fb87

SHA256
51c86d4f585bfc3e7014d02d4c0d5b38b6770a62d39412f0227a954f5b5ad298

SHA512
e11c622837669be193c011c09b53bf51c7af807218084d3358c7f8b185091289123bef33527e062e8df2e0a54fcc867701dac1d86fa15a97edab34b9420cf327

Download Submit
memory/1804-47-0x0000000000180000-0x00000000001D7000-memory.dmp

Filesize
348KB

Download
memory/1804-30-0x0000000000180000-0x00000000001D7000-memory.dmp

Filesize
348KB

Download
memory/2252-46-0x0000000002F70000-0x0000000003174000-memory.dmp

Filesize
2.0MB

Download
memory/2252-44-0x0000000000270000-0x00000000002C7000-memory.dmp

Filesize
348KB

Download
memory/2252-45-0x0000000002F70000-0x0000000003174000-memory.dmp

Filesize
2.0MB

Download
memory/2252-48-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2252-49-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2252-50-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2252-51-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2252-53-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2252-55-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2252-56-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2252-58-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2304-26-0x0000000001330000-0x0000000001345000-memory.dmp

Filesize
84KB

Download