Analysis
- max time kernel: 94s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/09/2024, 14:43
Behavioral task: behavioral1
- Sample: zqxst.exe
- Resource: win7-20240708-en
General
- Target: zqxst.exe
- Size: 1.1MB
- MD5: 94846a45b85e81716436331590f28c24
- SHA1: afbab5c313ac2700896de586e2bc6ab754f3e2a5
- SHA256: 9a27d3b15c676ffd8b4a782d2606abdc76e9d543cc08131d3623e06ca9f04821
- SHA512: 2cd4b08631f78a2fc9cd6fa88a5c1c3b3f48c9221723fda6f2ae319fa969df233fff6daf5bfd92068decce8ab57d5b0b3667908b40dc54a8d4142d6a58611e4d
- SSDEEP: 24576:04hGSaNuhHixn3PQOjqSu15VetYaKWUQSjMq0UJcak0Ca:0MFyQcMwYvfM/o
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (process: zqxst.exe)
- Executes dropped EXE (1 IoC)
  PID 4928: imeinstaller.exe
  Memory resource behavioral2/memory/3524-0-0x0000000000400000-0x0000000000425000-memory.dmp, yara_rule: upx
  Memory resource behavioral2/memory/3524-65-0x0000000000400000-0x0000000000425000-memory.dmp, yara_rule: upx
- Drops file in Program Files directory (59 IoCs; files created or opened for modification by zqxst.exe under C:\Program Files (x86)\zhpy)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: zqxst.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: imeinstaller.exe)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 4928: imeinstaller.exe
  PID 4928: imeinstaller.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3524 (zqxst.exe) wrote to memory of PID 4928 (procid_target 86)
  PID 3524 (zqxst.exe) wrote to memory of PID 4928 (procid_target 86)
  PID 3524 (zqxst.exe) wrote to memory of PID 4928 (procid_target 86)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\zqxst.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\zqxst.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3524
  - Level 2 (child of the process above): C:\Program Files (x86)\zhpy\imeinstaller.exe
    Command line: "C:\Program Files (x86)\zhpy\imeinstaller.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 4928
Network
MITRE ATT&CK Enterprise v15
Downloads