38d649558fc4d9746a3e69a28c1e7c1a003f8116e2a13d7f22b0fba9066dacb2

Analysis

max time kernel
15s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 15:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

qxlti2008.exe
Size

782KB
MD5

fc6b961cd776153e9425738816186a61
SHA1

c9b2f2b0bacdbcf5936da0f78ffdffaa421b1a44
SHA256

40b94ba25bec939535ea5e21991cf552503379fc8da7ed8635f3eabde6513a7a
SHA512

83ee5ca27608c2fc2fc8318d20105889ff05a95de9f7a527c75d3e909f919455f8b437c296b731555739d5211ca6414810ec85ad03d3a9160977125aa01967c4
SSDEEP

24576:pNSIjNmX+VSNCvwNuDNZrRO8o41nrUXE0:pNSIjNmdNCvPLJt1nz0

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000018e46-10.dat	acprotect

Loads dropped DLL 3 IoCs

pid	Process
1568	qxlti2008.exe
1568	qxlti2008.exe
1568	qxlti2008.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000018e46-10.dat	upx
behavioral1/memory/1568-12-0x0000000002BA0000-0x0000000002C27000-memory.dmp	upx
behavioral1/memory/1568-13-0x0000000002BA0000-0x0000000002C27000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\~GLH0001.TMP	qxlti2008.exe
File opened for modification	C:\Windows\SysWOW64\plpl.dll	qxlti2008.exe
File created	C:\Windows\SysWOW64\GLBSINST.%$D	qxlti2008.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qxlti2008.exe

C:\Users\Admin\AppData\Local\Temp\qxlti2008.exe
"C:\Users\Admin\AppData\Local\Temp\qxlti2008.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\GLC1075.tmp

Filesize
161KB

MD5
315f8d68ff1a414806e7344ac8dd8b6d

SHA1
8fe6719bdf12244e8ef154e36c77ec487dbafeff

SHA256
90b9dfcb65f6e6cd0123f44cbf8310659f4c7ca4488a57d3045f72d55a9771e9

SHA512
95a5efdaf8f620f85838be6eb59768a421059595c1e07dd6680aac3bfd371075f1c9528cb2dceefb333c72ed6821a6e592ca7d16e2923f39212a0e1ffdba296a

Download Submit
\Users\Admin\AppData\Local\Temp\GLK1095.tmp

Filesize
33KB

MD5
a6601202dda81c941e14dd79878ca61d

SHA1
a436aa8bd1d6b501d30f01c4587fb32d513038f4

SHA256
7906a8f868986edda9f7c4df0d93ed862959b81344a475f452b9e31c1aece464

SHA512
c27d32541f21e0a5aa45939855d4cddfec04ec466a1231d419b29cf07157751bf778ef851868181a0392fbe6ddcabf372b7a2d35519b5b3a2bda21ff7192a5b4

Download Submit
\Windows\SysWOW64\plpl.dll

Filesize
197KB

MD5
de77ceeaecb94c40c4eea243de5c3578

SHA1
fb7a7c91623c4c288889f4ff9979aaaf72d5aa50

SHA256
a23323d736a9759c48ff610dbf2be700bd1bc910a0316082336d50bbd7d28cea

SHA512
fc5b289677ddc87fba435823183857503d8d5aa21600137f27e7a04fb491dafc0d423ba89cdab9a6809b9161530b910721b7c6f8039d83574959b946302e8d3e

Download Submit
memory/1568-12-0x0000000002BA0000-0x0000000002C27000-memory.dmp

Filesize
540KB

Download
memory/1568-13-0x0000000002BA0000-0x0000000002C27000-memory.dmp

Filesize
540KB

Download