9af29ab586c332282df764999daf6166e3c6676d22ede5afab11294a5ccb3a91

General

Target

d88384b40665edeedbad3f1bed2a8de0N.exe
Size

612KB
MD5

d88384b40665edeedbad3f1bed2a8de0
SHA1

d46bc5b9e8598033a440569bf48bc6525837e477
SHA256

9af29ab586c332282df764999daf6166e3c6676d22ede5afab11294a5ccb3a91
SHA512

7cd74eb362adfcc7d209a369c43cca367e7fee62b8f076549806089c33ed50e089c62fb53c02c82ed46db3954b90d87861a741b2ecfc7c42b95cce2eddfcb661
SSDEEP

12288:TGtAtScw3qEKBSGtAtScw3qEKBSGtAtScw3qEKB:814511451145

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2440	QXGG.EXE

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	QXGG.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\PerfLogs\\KZYJ.EXE \"%1\" %*"	QXGG.EXE

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2084-0-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/files/0x000700000002361d-10.dat	upx
behavioral2/memory/2440-23-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/files/0x0009000000023616-22.dat	upx
behavioral2/memory/2084-26-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/2440-27-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/2440-28-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/2440-33-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/2440-34-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/2440-35-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/2440-36-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/2440-37-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/2440-38-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/2440-39-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/2440-40-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/2440-41-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/2440-42-0x0000000000400000-0x000000000046E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XJJQUIU.EXE = "C:\\Windows\\XJJQUIU.EXE"	d88384b40665edeedbad3f1bed2a8de0N.exe

Enumerates connected drives 3 TTPs 34 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\R:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\K:	QXGG.EXE
File opened (read-only)	\??\G:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\N:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\R:	QXGG.EXE
File opened (read-only)	\??\H:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\M:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\T:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\E:	QXGG.EXE
File opened (read-only)	\??\P:	QXGG.EXE
File opened (read-only)	\??\Q:	QXGG.EXE
File opened (read-only)	\??\K:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\L:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\P:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\S:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\O:	QXGG.EXE
File opened (read-only)	\??\U:	QXGG.EXE
File opened (read-only)	\??\I:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\O:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\G:	QXGG.EXE
File opened (read-only)	\??\I:	QXGG.EXE
File opened (read-only)	\??\J:	QXGG.EXE
File opened (read-only)	\??\L:	QXGG.EXE
File opened (read-only)	\??\V:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\N:	QXGG.EXE
File opened (read-only)	\??\M:	QXGG.EXE
File opened (read-only)	\??\S:	QXGG.EXE
File opened (read-only)	\??\E:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\J:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\U:	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened (read-only)	\??\H:	QXGG.EXE
File opened (read-only)	\??\T:	QXGG.EXE
File opened (read-only)	\??\V:	QXGG.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\QXGG.EXE	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened for modification	C:\Program Files\QXGG.EXE	d88384b40665edeedbad3f1bed2a8de0N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\XJJQUIU.EXE	d88384b40665edeedbad3f1bed2a8de0N.exe
File opened for modification	C:\Windows\XJJQUIU.EXE	d88384b40665edeedbad3f1bed2a8de0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d88384b40665edeedbad3f1bed2a8de0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QXGG.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\XJJQUIU.EXE %1"	d88384b40665edeedbad3f1bed2a8de0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command	d88384b40665edeedbad3f1bed2a8de0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file	d88384b40665edeedbad3f1bed2a8de0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	QXGG.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\Windows\\XJJQUIU.EXE %1"	d88384b40665edeedbad3f1bed2a8de0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell	d88384b40665edeedbad3f1bed2a8de0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Windows\\XJJQUIU.EXE %1"	d88384b40665edeedbad3f1bed2a8de0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open	d88384b40665edeedbad3f1bed2a8de0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command	d88384b40665edeedbad3f1bed2a8de0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile	d88384b40665edeedbad3f1bed2a8de0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open	d88384b40665edeedbad3f1bed2a8de0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\PerfLogs\\KZYJ.EXE \"%1\" %*"	QXGG.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	d88384b40665edeedbad3f1bed2a8de0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell	d88384b40665edeedbad3f1bed2a8de0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Windows\\XJJQUIU.EXE \"%1\""	d88384b40665edeedbad3f1bed2a8de0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	d88384b40665edeedbad3f1bed2a8de0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Windows\\XJJQUIU.EXE \"%1\" %*"	d88384b40665edeedbad3f1bed2a8de0N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2440	QXGG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2440	2084	d88384b40665edeedbad3f1bed2a8de0N.exe	90
PID 2084 wrote to memory of 2440	2084	d88384b40665edeedbad3f1bed2a8de0N.exe	90
PID 2084 wrote to memory of 2440	2084	d88384b40665edeedbad3f1bed2a8de0N.exe	90

C:\Users\Admin\AppData\Local\Temp\d88384b40665edeedbad3f1bed2a8de0N.exe
"C:\Users\Admin\AppData\Local\Temp\d88384b40665edeedbad3f1bed2a8de0N.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Program Files\QXGG.EXE
  "C:\Program Files\QXGG.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4012,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8
1⤵
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\QXGG.EXE

Filesize
613KB

MD5
917b8ddcd59e6037b461840a627c16de

SHA1
2974d2dbe6d47b99136e4626eef8488819d0d636

SHA256
c70520cf741dccd6e9ec1c29c3c6664a135621de405ba80e0577d5be00f74d08

SHA512
a7b75443154c6812b1bb655ae810bb0bb67077f85ad6f744ed09da4a231ef4644b9c7186786dabd90093095cb45193e2ac9676b3d5d84ddb514484aae677b79f

Download Submit
C:\Windows\XJJQUIU.EXE

Filesize
613KB

MD5
55f2e0dfa9e1db261b1de32ccfc8c648

SHA1
b0234d7bf204526226ebfc842f7820d81be08de0

SHA256
2aca4ebbebe51a098a98c911bcd8d0bbaee8c3ba8765b571ce7997f0c9c16308

SHA512
8bec22cec1ecd64ed21a7fc70db27b12671290d570ca15f41bef61a1e6e78705659f28596b5d3c35d6f1e4b16aa6057cb3f70ed2327e4b17fc66baa302684a11

Download Submit
\??\c:\filedebug

Filesize
244B

MD5
97b2dafb4de212c5cc6fb2daffb024a2

SHA1
b907fbba71341930c7cf87d0d7f582f2a2822ce4

SHA256
f8dd2051165235f6092e491e49fba576c83a8a98f0ea0b7543fae91bea913f46

SHA512
39ded9dc466b07f8fbe107a062fe60f28dd402470fc7a40b6376f8b66f54f562462f143620b935a905c826ce703a9bfb0918bbc4f88d4114f65f191bc7f028c6

Download Submit
memory/2084-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2084-1-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2084-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2440-24-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2440-35-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2440-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2440-29-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2440-23-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2440-33-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2440-34-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2440-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2440-36-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2440-37-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2440-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2440-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2440-40-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2440-41-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2440-42-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads