6f2c63f929acd8918c8f21f6141d1b13ca35a2b291d2d8d66771c80f481aea49

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.0MB
MD5

9b990bb6a27b497a1a19b8665b02b557
SHA1

6118853f672139bde9972d26a0045389c8ae8733
SHA256

6f2c63f929acd8918c8f21f6141d1b13ca35a2b291d2d8d66771c80f481aea49
SHA512

2015335dd9db06512e57ab44a8b48ef2672e515c6edfb4024431d531d6d64d97e0ab98cf6cf7259512b0497e6acfd3415ed1399f62bcd4145cee607b10e79eaa
SSDEEP

24576:x9gTHCF+YdCBMGq8TBUfnrO/E7Bup/884hvndKzVDDuy3enn:xejafEBUvyj884uzxDqn

Score

10^/10

discovery persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2568 created 1196	2568	Voyuer.pif	21

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumLink.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumLink.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2568	Voyuer.pif
688	Voyuer.pif

Loads dropped DLL 2 IoCs

pid	Process
1268	cmd.exe
2568	Voyuer.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\A0B414E85B1F052A486695C94A1B0D47\\A0B414E85B1F052A486695C94A1B0D47.exe"	Voyuer.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3036	tasklist.exe
2624	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 688	2568	Voyuer.pif	45

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DetectiveBrowsers	file.exe
File opened for modification	C:\Windows\ThrownKnock	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Voyuer.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Voyuer.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Voyuer.pif

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Voyuer.pif

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Voyuer.pif

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2568	Voyuer.pif
2568	Voyuer.pif
2568	Voyuer.pif
2568	Voyuer.pif
2568	Voyuer.pif
2568	Voyuer.pif
2568	Voyuer.pif
2568	Voyuer.pif
2568	Voyuer.pif
2568	Voyuer.pif
2568	Voyuer.pif
2568	Voyuer.pif
2568	Voyuer.pif
2568	Voyuer.pif
2568	Voyuer.pif
2568	Voyuer.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	tasklist.exe
Token: SeDebugPrivilege	2624	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2568	Voyuer.pif
2568	Voyuer.pif
2568	Voyuer.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2568	Voyuer.pif
2568	Voyuer.pif
2568	Voyuer.pif

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1268	2336	file.exe	30
PID 2336 wrote to memory of 1268	2336	file.exe	30
PID 2336 wrote to memory of 1268	2336	file.exe	30
PID 2336 wrote to memory of 1268	2336	file.exe	30
PID 1268 wrote to memory of 3036	1268	cmd.exe	32
PID 1268 wrote to memory of 3036	1268	cmd.exe	32
PID 1268 wrote to memory of 3036	1268	cmd.exe	32
PID 1268 wrote to memory of 3036	1268	cmd.exe	32
PID 1268 wrote to memory of 3044	1268	cmd.exe	33
PID 1268 wrote to memory of 3044	1268	cmd.exe	33
PID 1268 wrote to memory of 3044	1268	cmd.exe	33
PID 1268 wrote to memory of 3044	1268	cmd.exe	33
PID 1268 wrote to memory of 2624	1268	cmd.exe	35
PID 1268 wrote to memory of 2624	1268	cmd.exe	35
PID 1268 wrote to memory of 2624	1268	cmd.exe	35
PID 1268 wrote to memory of 2624	1268	cmd.exe	35
PID 1268 wrote to memory of 2672	1268	cmd.exe	36
PID 1268 wrote to memory of 2672	1268	cmd.exe	36
PID 1268 wrote to memory of 2672	1268	cmd.exe	36
PID 1268 wrote to memory of 2672	1268	cmd.exe	36
PID 1268 wrote to memory of 2744	1268	cmd.exe	37
PID 1268 wrote to memory of 2744	1268	cmd.exe	37
PID 1268 wrote to memory of 2744	1268	cmd.exe	37
PID 1268 wrote to memory of 2744	1268	cmd.exe	37
PID 1268 wrote to memory of 2816	1268	cmd.exe	38
PID 1268 wrote to memory of 2816	1268	cmd.exe	38
PID 1268 wrote to memory of 2816	1268	cmd.exe	38
PID 1268 wrote to memory of 2816	1268	cmd.exe	38
PID 1268 wrote to memory of 2540	1268	cmd.exe	39
PID 1268 wrote to memory of 2540	1268	cmd.exe	39
PID 1268 wrote to memory of 2540	1268	cmd.exe	39
PID 1268 wrote to memory of 2540	1268	cmd.exe	39
PID 1268 wrote to memory of 2568	1268	cmd.exe	40
PID 1268 wrote to memory of 2568	1268	cmd.exe	40
PID 1268 wrote to memory of 2568	1268	cmd.exe	40
PID 1268 wrote to memory of 2568	1268	cmd.exe	40
PID 1268 wrote to memory of 2620	1268	cmd.exe	41
PID 1268 wrote to memory of 2620	1268	cmd.exe	41
PID 1268 wrote to memory of 2620	1268	cmd.exe	41
PID 1268 wrote to memory of 2620	1268	cmd.exe	41
PID 2568 wrote to memory of 2856	2568	Voyuer.pif	42
PID 2568 wrote to memory of 2856	2568	Voyuer.pif	42
PID 2568 wrote to memory of 2856	2568	Voyuer.pif	42
PID 2568 wrote to memory of 2856	2568	Voyuer.pif	42
PID 2568 wrote to memory of 688	2568	Voyuer.pif	45
PID 2568 wrote to memory of 688	2568	Voyuer.pif	45
PID 2568 wrote to memory of 688	2568	Voyuer.pif	45
PID 2568 wrote to memory of 688	2568	Voyuer.pif	45
PID 2568 wrote to memory of 688	2568	Voyuer.pif	45
PID 2568 wrote to memory of 688	2568	Voyuer.pif	45
PID 688 wrote to memory of 2892	688	Voyuer.pif	46
PID 688 wrote to memory of 2892	688	Voyuer.pif	46
PID 688 wrote to memory of 2892	688	Voyuer.pif	46
PID 688 wrote to memory of 2892	688	Voyuer.pif	46
PID 688 wrote to memory of 2892	688	Voyuer.pif	46
PID 688 wrote to memory of 2892	688	Voyuer.pif	46

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Killing Killing.bat & Killing.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3036
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3044
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2624
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 10518
      4⤵
      System Location Discovery: System Language Discovery
      PID:2744
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "BATHROOMSOFTENPAYCOMMERCIAL" Socket
      4⤵
      System Location Discovery: System Language Discovery
      PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Cherry + ..\Delegation + ..\Uniprotkb + ..\Explains + ..\Www + ..\Victor c
      4⤵
      System Location Discovery: System Language Discovery
      PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\10518\Voyuer.pif
      Voyuer.pif c
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Users\Admin\AppData\Local\Temp\10518\Voyuer.pif
        
        C:\Users\Admin\AppData\Local\Temp\10518\Voyuer.pif
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer Protected Mode
        Modifies Internet Explorer Protected Mode Banner
        Modifies Internet Explorer settings
        Suspicious use of WriteProcessMemory
        
        PID:688
      - C:\Windows\SysWOW64\dllhost.exe
        
        "C:\Windows\system32\dllhost.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2620
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumLink.url" & echo URL="C:\Users\Admin\AppData\Local\QuantumCom Innovations Ltd\QuantumLink.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumLink.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10518\c

Filesize
412KB

MD5
0a40d3e8ce3acaf75c3869e63d06bac7

SHA1
e49a22c125982fba56a87f0b0b445893c33f4a96

SHA256
745fd43e4d459c6f24baa00482a5981581b89fe019a0de4ec63ab124ca74f410

SHA512
5fb0ab3586eaeddb7671509aab049004aa5a1ac3e2a38f78cad1ea5a157d4de518ad544e6423036799456141d2d902331e1c6d562b2457cd35c433fe7f1620e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0B414E85B1F052A486695C94A1B0D47

Filesize
1.0MB

MD5
9b990bb6a27b497a1a19b8665b02b557

SHA1
6118853f672139bde9972d26a0045389c8ae8733

SHA256
6f2c63f929acd8918c8f21f6141d1b13ca35a2b291d2d8d66771c80f481aea49

SHA512
2015335dd9db06512e57ab44a8b48ef2672e515c6edfb4024431d531d6d64d97e0ab98cf6cf7259512b0497e6acfd3415ed1399f62bcd4145cee607b10e79eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cherry

Filesize
84KB

MD5
4950c42897e4b4be654bf6a0d6ad1874

SHA1
0f38103d753e0c7d29b290b1b3b47c855d9e1cf7

SHA256
83d0683945dcf8275e79d63424f3cf793820b9437a41e239d2bc758e25473110

SHA512
101342a4cc2f877177d85e697162a2f15dd8c41534401e4e6952234c4ee0882a57bfbea99db9ecbc7e3ce9e2dcda24269e90323fb82b7a34f39824606c54fca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Delegation

Filesize
96KB

MD5
e82a72cae193b8525a968245fe8934cc

SHA1
ecf3f5f44da5329ccd4b463b10ed94ec01931e52

SHA256
3d701ea1ddc78f91919e733b8e8992c708a43b40dd58ce46e0500a6684456b06

SHA512
a8915aaae461398540faee25918a9f7936c67d546c8701d6dba23ab0e2225a49d5a493e306f45d36c98429981652ec1243bea54253051bd2ddf5016853b560bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Diseases

Filesize
867KB

MD5
d857861493ebefa86a1e73c6df657e94

SHA1
fee325dcc7cc239bc0ccb891d6f1fba217773bd0

SHA256
d1812729d79680d65002aab3836d732f5ebdff0468d134654406a085cccc7be6

SHA512
4ea7dcde9fa38491755871cbc046b71d102df7a19cf13d1a7f0464cafab0c65acacd6697fdd515a75590d30f148854cc35679f722e4ba8f4a165619886608305

Download Submit
C:\Users\Admin\AppData\Local\Temp\Explains

Filesize
70KB

MD5
d32cbd96f1a1a04ddcc9a1a208fb81e5

SHA1
c615142b35fa027f477cda7a31a5983fc27c7435

SHA256
603230f8180f5d1d68621254976467acef4eaed5dd4193aa6c03f7384ad27dd1

SHA512
2fad9b6551565d458f1bd0f5d7a65e9796e61392460f1468a76329f81bd96855f95daa31a490e2b86af2e265623d4c9f7f35a0df9f271dd7c03a612feb47c6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Killing

Filesize
11KB

MD5
632076e43ff6f1c2ec3fc59d2ac115c5

SHA1
84567549ca5422d2c16b1d34a310fbe75b25ef08

SHA256
432a473f21a57610df93773a79ae94365d6c2b6aa1555123bfdd658a6f28cf2f

SHA512
ebb9364fd541a27af4065690193436ddd951440135f67e45e51c0650baf8ee198712208f7ed46d8a3c475b2345f33eaa76880d76dde1babaf1c0239bab71148d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Socket

Filesize
5KB

MD5
ab55fc08eaef2f50565980b99511f625

SHA1
fa950698e02f3d56378c451e0d85ef4300e056e8

SHA256
5b4799ea6f20b4b5cf53a328e52a7ed1982e0c1a797ceed9f8a05d89985ba3bc

SHA512
a6cc5e049537810a9ef18ad052efbaf44a81a15ee4ef8bd1bacd9814ab7b3e1e9abd1c23fafc914f4a57281f2f0f0a318a624ee026f6e5d779dd34e730fe98ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uniprotkb

Filesize
71KB

MD5
69d07759583afa982405cedf0b879b8e

SHA1
89ede2ba195dd80766efb53b801b20c76ad2584e

SHA256
2b3f63621c8ae1eb1bc3dfc4683ec983277ac17aea03acecebc54969a723ab72

SHA512
1c34cd98fb182d8a77f3e69d0e3cee856a359ec20e70f92985c6e04f40248b7543a129ce3212690fc3776d3ba0edb2e8b2d7d0186da87161a1d5e5d6a6f68ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Victor

Filesize
16KB

MD5
c823e5a74879da9cbff89361425b11b3

SHA1
44c18751a84ab6b9f700f0307e12192dba18e860

SHA256
7b39896a8d5a68e5f3da8ec64f9ceab3f533d05fdb18754db5b0a48ed308341b

SHA512
6bb0659187053c3a29ad7d9bead2bd48cbc240c02cf867427724bce7e2249dc1d315f43610c5f5cc30c131bbfb3d2294e2fdad58ac077044545db5a160d6c3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Www

Filesize
75KB

MD5
d7db0c4f504d819de277753119685589

SHA1
1f0ba5806397f008569baf6f45cda258aaa5f5e0

SHA256
aaf0659f2bff006009684c04963ce6b4fd996fc341c96e1db85ce9ea5332dab4

SHA512
a8cc6e3b940396f410ae0579c3c246b8e2422f07a7c93e3e5ee468960f0b7c413edf12c53f103399fe6e594e04dde147c7082236fac3e2a53add390e8b00b3f8

Download Submit
\Users\Admin\AppData\Local\Temp\10518\Voyuer.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
memory/688-34-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/688-35-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/688-37-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/2892-40-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2892-41-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/2892-43-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download
memory/2892-50-0x0000000000080000-0x00000000000B7000-memory.dmp

Filesize
220KB

Download