Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2024 23:25

General

  • Target

    QISFJPGM_ARBIF.scr

  • Size

    2.7MB

  • MD5

    297d2bd9dd5c1564226782d263fa3818

  • SHA1

    619df94b29f9515d793a8e649f7c190f310cb3d7

  • SHA256

    6a6c4d018027348d7269631f8b40eb5462fd3ad61efdb7337a32ba5dbc82f11c

  • SHA512

    36f2406e0f1deec208dc31a8b21755523eb786865ec9e7ddc03505dd4e54adbbd7d26e460ad292f41f0d74bfbb68777b616c201edf0581eecd1c73b783f9023a

  • SSDEEP

    49152:bXz+x0ii0ZyT4BpIlFEFG93v4cVvn0o280hOHFSDkCZx/Nf8r+qBk/q8RZQNk2q9:bXz+OAmys/4cV8o28QOlSDkCD/s+i2jd

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

  • Banload family
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 43 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Control Panel 3 IoCs
  • Modifies registry class 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QISFJPGM_ARBIF.scr
    "C:\Users\Admin\AppData\Local\Temp\QISFJPGM_ARBIF.scr" /S
    1⤵
    • Checks computer location settings
    • Drops startup file
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3984
    • C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe
      "C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4696
      • C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe
        "C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe"
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2148
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c mmm.bat
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4312
    • C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_mur.exe
      "C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_mur.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_mur.exe
        "C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_mur.exe"
        3⤵
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1148

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\mmm.bat

    Filesize

    17B

    MD5

    bf55292f19b02c6dd1934f2ea2c6ae9d

    SHA1

    0dc0e99b63b557bd0eef88422a98bdd944bc0d86

    SHA256

    0a233cde4c8f447e9de44205506e62fee592a625f9c4e1ee1394a5de9712902e

    SHA512

    e570ce99327527cd3d63256eac3763ba88e33ff4110bbcbeddce0860e88b45afb8180ef82a01669a6e5205a28353a9fce95a1cd9906da10670f9a7c9d947c500

  • C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe

    Filesize

    3.6MB

    MD5

    ec02d8bc24e6f37321a5b013e4f70faf

    SHA1

    3c5ef89563cb851d116bff6e123a2399c2ba200b

    SHA256

    9b4fff7c8f19f382b96711491cedc96a08c22264fb63edd740f8c841e375f04b

    SHA512

    998625680851251f106ec5e5ce227f8ef78c753933c13417b4762f7d7987cfe1097b5ea160b3b7d76da0e7e5dd232f5916e96dcbae1103cf0ba31101a57a140b

  • C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\ufr_reports\NO_PWDS_report_29-10-2024_23-25-25-A3C533590EF2311EE9B53A58957F0C8A-FDHO.bin

    Filesize

    1KB

    MD5

    804bd143f1f47ede1f53d16779406f0c

    SHA1

    84de17a0e15e920b6f61fc71c5a82e4b41ebc121

    SHA256

    933cc90f72fb2ab555ffcdec4c074190a3400038e3b84daf67922af16935a8e2

    SHA512

    0a991bce08befb6ce8f969b500746f5055288dcc7c497c06d1f2be4f6e13da02ce8e12fb63183440c69e4e8ce5774740a79d6add28848c41c5599cf8195e9914

  • C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_mur.exe

    Filesize

    2.9MB

    MD5

    f67e28cded725e67d055ecb7e4bbc620

    SHA1

    2295f98d3bc38b4a0d89dabf240d30d8a4bc07ba

    SHA256

    627fdbd3d19ae2a7b3900d455d7619f6787762e76dc5f8028c9aac5ea4a7a3f7

    SHA512

    60c0afb69036bcd56d6b1df52e808a1017841651d668e6d301c1ef9f0f0cf9856c981a4d41b1ad137b2b6679c8d274973b77a0fa287ffe996467659880c849d1

  • C:\ProgramData\TEMP\RAIDTest

    Filesize

    4B

    MD5

    c2f09542b6c7daf4288f3524c8cebb18

    SHA1

    9430b21baf07f0d105b9ee5fdd9f868418454517

    SHA256

    55d7808233c58f1606fff77eb382a02ed729bf5d8b2640fb313d0f7c91e970d4

    SHA512

    dcc19cfbc78b78708ce2586228424194f846d80b6d072045baaf93559d20f71e809a4eb57e7dac3b4ea109d90aeb585d0b5438dc1dd7d34054c03aa6350d6672

  • C:\Users\Admin\AppData\Local\winrar.rar

    Filesize

    53KB

    MD5

    18aa8c33f1709dfd63483d2f72c571c2

    SHA1

    3026b5a43b805bdeadf88f191dbedd459037395e

    SHA256

    bb31365adc675a4b89f20af3e71a9f987e292b71f428ab1e01a0405e3fa8ec01

    SHA512

    0ceab961862a70fe21b8d42d9ab922156117226424db5ed8c73c939fe0930aa46d745098d119f72c3e98434abea407c2381a2b3bb1147e7b776d2b9824ea5bd8

  • C:\Users\Admin\AppData\Local\winrar.rar

    Filesize

    52KB

    MD5

    a05a2738ea9c40a47a1b143e07a2e1e2

    SHA1

    0fd67aa8da9dc53b59c727bc4e871f56556c77b6

    SHA256

    cc37164df4b514a1b7c2b397cd865cf98fe5473c97ed5fb794ae8e5642b7f9cb

    SHA512

    f387cd663d8784d044002fa217e570c56771791cc1424d6afaf3a166c3e57832b87787e48f6ea5623f455611c759443dd21654c067722452caaed64eb1c5316e

  • memory/1148-41-0x0000000000400000-0x000000000077C000-memory.dmp

    Filesize

    3.5MB

  • memory/1148-47-0x0000000003810000-0x0000000003A14000-memory.dmp

    Filesize

    2.0MB

  • memory/1148-71-0x0000000003810000-0x0000000003A14000-memory.dmp

    Filesize

    2.0MB

  • memory/1148-51-0x0000000003810000-0x0000000003A14000-memory.dmp

    Filesize

    2.0MB

  • memory/1148-60-0x0000000003810000-0x0000000003A14000-memory.dmp

    Filesize

    2.0MB

  • memory/1148-57-0x0000000000400000-0x000000000077C000-memory.dmp

    Filesize

    3.5MB

  • memory/1148-59-0x0000000000400000-0x000000000077C000-memory.dmp

    Filesize

    3.5MB

  • memory/1148-58-0x0000000000400000-0x000000000077C000-memory.dmp

    Filesize

    3.5MB

  • memory/2148-74-0x0000000000400000-0x000000000082D000-memory.dmp

    Filesize

    4.2MB

  • memory/2148-77-0x0000000003200000-0x0000000003404000-memory.dmp

    Filesize

    2.0MB

  • memory/2148-817-0x0000000003200000-0x0000000003404000-memory.dmp

    Filesize

    2.0MB

  • memory/2148-40-0x0000000000400000-0x000000000082D000-memory.dmp

    Filesize

    4.2MB

  • memory/2148-75-0x0000000000400000-0x000000000082D000-memory.dmp

    Filesize

    4.2MB

  • memory/2148-76-0x0000000000400000-0x000000000082D000-memory.dmp

    Filesize

    4.2MB

  • memory/2148-46-0x0000000003200000-0x0000000003404000-memory.dmp

    Filesize

    2.0MB

  • memory/2148-42-0x0000000003200000-0x0000000003404000-memory.dmp

    Filesize

    2.0MB

  • memory/2148-78-0x0000000003200000-0x0000000003404000-memory.dmp

    Filesize

    2.0MB

  • memory/3984-32-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/4696-818-0x0000000000400000-0x000000000082D000-memory.dmp

    Filesize

    4.2MB

  • memory/4696-29-0x0000000000400000-0x000000000082D000-memory.dmp

    Filesize

    4.2MB

  • memory/5060-33-0x0000000000400000-0x000000000077C000-memory.dmp

    Filesize

    3.5MB

  • memory/5060-72-0x0000000000400000-0x000000000077C000-memory.dmp

    Filesize

    3.5MB