Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15/10/2024, 23:26
Static task
static1
Behavioral task
behavioral1
Sample
1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe
Resource
win10v2004-20241007-en
General
-
Target
1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe
-
Size
198KB
-
MD5
2f17895be3b294a645e1553340c98535
-
SHA1
58b51f05c8f36ae43f9732234934e0d926e82380
-
SHA256
1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629
-
SHA512
2f827224a7b8225d9c083cb6dea892ad90c9092260f1f21fe2ebfe9f339978bb69dd3bc011435784302a67e3ac6d01e5a3e656e840e8b728ceec0131f4edef95
-
SSDEEP
3072:fP5gvNVLIfHQja1RfmLQADwSKkhU+tLgT5lODbiC8r1PkT:X2vnSwjaOcADw9cUeCOf
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 3940 vprcgbn.exe -
Executes dropped EXE 2 IoCs
pid Process 3940 vprcgbn.exe 4444 qtoss.exe -
Loads dropped DLL 1 IoCs
pid Process 4444 qtoss.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Depend = "c:\\Program Files\\jxhxpruyk\\qtoss.exe \"c:\\Program Files\\jxhxpruyk\\qtoss.dll\",Compliance" qtoss.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\s: qtoss.exe File opened (read-only) \??\x: qtoss.exe File opened (read-only) \??\u: qtoss.exe File opened (read-only) \??\v: qtoss.exe File opened (read-only) \??\z: qtoss.exe File opened (read-only) \??\a: qtoss.exe File opened (read-only) \??\b: qtoss.exe File opened (read-only) \??\p: qtoss.exe File opened (read-only) \??\q: qtoss.exe File opened (read-only) \??\k: qtoss.exe File opened (read-only) \??\m: qtoss.exe File opened (read-only) \??\n: qtoss.exe File opened (read-only) \??\t: qtoss.exe File opened (read-only) \??\e: qtoss.exe File opened (read-only) \??\g: qtoss.exe File opened (read-only) \??\i: qtoss.exe File opened (read-only) \??\j: qtoss.exe File opened (read-only) \??\w: qtoss.exe File opened (read-only) \??\y: qtoss.exe File opened (read-only) \??\h: qtoss.exe File opened (read-only) \??\l: qtoss.exe File opened (read-only) \??\o: qtoss.exe File opened (read-only) \??\r: qtoss.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 qtoss.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification \??\c:\Program Files\jxhxpruyk vprcgbn.exe File created \??\c:\Program Files\jxhxpruyk\qtoss.dll vprcgbn.exe File created \??\c:\Program Files\jxhxpruyk\qtoss.exe vprcgbn.exe File opened for modification \??\c:\Program Files\jxhxpruyk\qtoss.exe vprcgbn.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vprcgbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language qtoss.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2812 cmd.exe 4160 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 qtoss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString qtoss.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4160 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4444 qtoss.exe 4444 qtoss.exe 4444 qtoss.exe 4444 qtoss.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4444 qtoss.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4928 1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe 3940 vprcgbn.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4928 wrote to memory of 2812 4928 1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe 86 PID 4928 wrote to memory of 2812 4928 1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe 86 PID 4928 wrote to memory of 2812 4928 1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe 86 PID 2812 wrote to memory of 4160 2812 cmd.exe 89 PID 2812 wrote to memory of 4160 2812 cmd.exe 89 PID 2812 wrote to memory of 4160 2812 cmd.exe 89 PID 2812 wrote to memory of 3940 2812 cmd.exe 90 PID 2812 wrote to memory of 3940 2812 cmd.exe 90 PID 2812 wrote to memory of 3940 2812 cmd.exe 90 PID 3940 wrote to memory of 4444 3940 vprcgbn.exe 91 PID 3940 wrote to memory of 4444 3940 vprcgbn.exe 91 PID 3940 wrote to memory of 4444 3940 vprcgbn.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe"C:\Users\Admin\AppData\Local\Temp\1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\vprcgbn.exe "C:\Users\Admin\AppData\Local\Temp\1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4160
-
-
C:\Users\Admin\AppData\Local\Temp\vprcgbn.exeC:\Users\Admin\AppData\Local\Temp\\vprcgbn.exe "C:\Users\Admin\AppData\Local\Temp\1c38ff14e729cc1738c016c89a52a3dc885f3b6fc39385fcfb87ad82af9fc629.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\Program Files\jxhxpruyk\qtoss.exe"c:\Program Files\jxhxpruyk\qtoss.exe" "c:\Program Files\jxhxpruyk\qtoss.dll",Compliance C:\Users\Admin\AppData\Local\Temp\vprcgbn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
198KB
MD552872d20f6b8abc5d65ccf20140e8af2
SHA129dd0ee2d6e917338c8501817173f9a45e6123f0
SHA2566a8c7fcc16dd9b59169928ef9f36bd9bb151fd939cd2370bfeb621cb7888ab36
SHA51215e90c3930343b96cab5ad5622b8cbc0647e036e9597edd467b4adef9d7dbd7b346b60e3b8fec8df8f5307b8f2c2d945a1e3b4be9703cdb0e02dabe3b56e4d8c
-
Filesize
141KB
MD582b79496aef51793075a5578d257ff3e
SHA18a489fc76ea3189407cc22608698c538efe031d0
SHA256bfad21709f945a68401deb0e1422f9a0e1f098d032b01f6ae3743ad9495d0ac6
SHA5126623be3ae84f33b85a1d94cd2b2c5c3436965cf830fea2d098138a84e42c3069eaef5deeb70e1f963d42e19e0d17498787aadf87b3b1ce74ca09f4528d02de66