Overview

Tasks (score, sample, platform):

Score  Sample                   Platform
7      Static
3      SecuriteIn...07.exe      windows7-x64
7      SecuriteIn...07.exe      windows10-2004-x64
7      $PLUGINSDI...LL.dll      windows7-x64
3      $PLUGINSDI...LL.dll      windows10-2004-x64
3      $PLUGINSDI...ns.dll      windows7-x64
3      $PLUGINSDI...ns.dll      windows10-2004-x64
3      $PLUGINSDI...LL.dll      windows7-x64
3      $PLUGINSDI...LL.dll      windows10-2004-x64
3      $PLUGINSDI...em.dll      windows7-x64
3      $PLUGINSDI...em.dll      windows10-2004-x64
3      dqwhj_errwd.exe          windows7-x64
3      dqwhj_errwd.exe          windows10-2004-x64
3      iconAnimate.exe          windows7-x64
3      iconAnimate.exe          windows10-2004-x64
3      iconTips.exe             windows7-x64
3      iconTips.exe             windows10-2004-x64
3      uninst.exe               windows7-x64
7      uninst.exe               windows10-2004-x64
7      $PLUGINSDI...LL.dll      windows7-x64
3      $PLUGINSDI...LL.dll      windows10-2004-x64
3      $PLUGINSDI...LL.dll      windows7-x64
3      $PLUGINSDI...LL.dll      windows10-2004-x64
3      $PLUGINSDI...em.dll      windows7-x64
3      $PLUGINSDI...em.dll      windows10-2004-x64
3      $PLUGINSDIR/inetc.dll    windows7-x64
3      $PLUGINSDIR/inetc.dll    windows10-2004-x64
3      $PLUGINSDI...gs.dll      windows7-x64
3      $PLUGINSDI...gs.dll      windows10-2004-x64
Analysis (score 3)
max time kernel: 120s
max time network: 127s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 16:21
Static task: static1

Behavioral tasks (task: sample, resource):
behavioral1: SecuriteInfo.com.FileRepMalware.6479.21607.exe, win7-20241010-en
behavioral2: SecuriteInfo.com.FileRepMalware.6479.21607.exe, win10v2004-20241007-en
behavioral3: $PLUGINSDIR/FindProcDLL.dll, win7-20240903-en
behavioral4: $PLUGINSDIR/FindProcDLL.dll, win10v2004-20241007-en
behavioral5: $PLUGINSDIR/InstallOptions.dll, win7-20240903-en
behavioral6: $PLUGINSDIR/InstallOptions.dll, win10v2004-20241007-en
behavioral7: $PLUGINSDIR/KillProcDLL.dll, win7-20241010-en
behavioral8: $PLUGINSDIR/KillProcDLL.dll, win10v2004-20241007-en
behavioral9: $PLUGINSDIR/System.dll, win7-20240903-en
behavioral10: $PLUGINSDIR/System.dll, win10v2004-20241007-en
behavioral11: dqwhj_errwd.exe, win7-20240903-en
behavioral12: dqwhj_errwd.exe, win10v2004-20241007-en
behavioral13: iconAnimate.exe, win7-20240903-en
behavioral14: iconAnimate.exe, win10v2004-20241007-en
behavioral15: iconTips.exe, win7-20241023-en
behavioral16: iconTips.exe, win10v2004-20241007-en
behavioral17: uninst.exe, win7-20241010-en
behavioral18: uninst.exe, win10v2004-20241007-en
behavioral19: $PLUGINSDIR/FindProcDLL.dll, win7-20240903-en
behavioral20: $PLUGINSDIR/FindProcDLL.dll, win10v2004-20241007-en
behavioral21: $PLUGINSDIR/KillProcDLL.dll, win7-20240903-en
behavioral22: $PLUGINSDIR/KillProcDLL.dll, win10v2004-20241007-en
behavioral23: $PLUGINSDIR/System.dll, win7-20240903-en
behavioral24: $PLUGINSDIR/System.dll, win10v2004-20241007-en
behavioral25: $PLUGINSDIR/inetc.dll, win7-20240708-en
behavioral26: $PLUGINSDIR/inetc.dll, win10v2004-20241007-en
behavioral27: $PLUGINSDIR/nsDialogs.dll, win7-20240903-en
behavioral28: $PLUGINSDIR/nsDialogs.dll, win10v2004-20241007-en
General
Target: SecuriteInfo.com.FileRepMalware.6479.21607.exe
Size: 1.6MB
MD5: 5e96050ed8827efeb9c90d59ce708f10
SHA1: 83dca0d791cfaeca7fe8ad68fed370c37ef48ce1
SHA256: 0a9157f45b50d30bc4ba535bf2e5ee8a447870edaf887ba7e7fe011e4081d075
SHA512: 7fe2d4986f2331eb2d780f3326bba9dfeff8f773094bf1eb08c4ac601bc0579c9649c1f0646bde1043202d2261914f649ea7fa8fa2c8ee5ac370a880071fdb37
SSDEEP: 24576:G1cfyJ8m1Z79b6BMxWcrJfO/RIweCJK3VmmsPEq9lDBff3hVYpPGf69tC:wrz1Z7YBkWcpO/RTrD9lNffxVY2m8
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  PID 2664  dqwhj_errwd.exe
  PID 2996  dqwhj_errwd.exe

- Loads dropped DLL (8 IoCs)
  PID 2880  SecuriteInfo.com.FileRepMalware.6479.21607.exe  (8 entries)

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification  \??\PhysicalDrive0  dqwhj_errwd.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SecuriteInfo.com.FileRepMalware.6479.21607.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dqwhj_errwd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dqwhj_errwd.exe

- NSIS installer (2 IoCs)
  resource behavioral1/files/0x0007000000019480-32.dat  yara_rule nsis_installer_1
  resource behavioral1/files/0x0007000000019480-32.dat  yara_rule nsis_installer_2

- Modifies Internet Explorer settings (1 IoCs)
  Key created  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main  dqwhj_errwd.exe

- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  PID 2880  SecuriteInfo.com.FileRepMalware.6479.21607.exe  (3 entries)
  PID 2664  dqwhj_errwd.exe  (11 entries)
  PID 2880  SecuriteInfo.com.FileRepMalware.6479.21607.exe  (2 entries)

- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2996  dqwhj_errwd.exe  (2 entries)

- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                         procid_target
  PID 2880 wrote to memory of 2664   2880  SecuriteInfo.com.FileRepMalware.6479.21607.exe  30  (4 entries)
  PID 2880 wrote to memory of 2996   2880  SecuriteInfo.com.FileRepMalware.6479.21607.exe  33  (4 entries)
Processes (tree depth in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe"
    PID: 2880
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
      Command line: "C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /setupsucc
      PID: 2664
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe
      Command line: "C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun
      PID: 2996
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
  Filesize: 380B
  MD5: 04b52176e0386a53a9fade075008b459
  SHA1: c32a5b7983e25761dae4d88a509b0ddc2af36b37
  SHA256: 8079245d7e2833d3ea60c7dfa378d16a1e69833f4cad1cca8837c5024889ea0d
  SHA512: 99165626e233ea2e76938631ecea4340d965f0b7e25af21b875ae014aed66c795170424db01769bb1d1db5a21f698fe24f7114af3ae912d3abb59b37b1b0038e

Download 2
  Filesize: 361B
  MD5: bd3d2a63852000b334df43694b413842
  SHA1: c2352468953156292e7e1a3ec8f3fb007ca008b8
  SHA256: 0e44d0f71caaada342fc0785f8cfc1adda2a7d7c939c7b62bc3c64bc56d06b19
  SHA512: 463efc29f6f9cf87ae155e5b9c7b59130a153f6d0598d2a06fcbf51c4098743ae03de531cd53a54ccac9be0ae164a0537cff7e1377b62cbf60ec2a7c065bcb08

Download 3
  Filesize: 412B
  MD5: f140e286c87269088054cd0b5eba4f6f
  SHA1: 4d13decb580cac945527e23e02c50ab52c9e8d40
  SHA256: 592a3ba7bcc60ead84cb33157a9bf61762b7e9e605b5743d2c7440a0af1a9225
  SHA512: 5884063c86895e47fbce961609ca8f2122255a86250098ea74e550eb2a7edfa50a340072ae1581d87b33966cded699613e246594098b05b6e7c209983a41b1ac

Download 4
  Filesize: 3KB
  MD5: 8614c450637267afacad1645e23ba24a
  SHA1: e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
  SHA256: 0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
  SHA512: af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download 5
  Filesize: 11KB
  MD5: c17103ae9072a06da581dec998343fc1
  SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
  SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
  SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download 6
  Filesize: 1.4MB
  MD5: 75a7cc387d1e24de8ba1275e81a840d1
  SHA1: 8a21d186efb66be5db46925518e0b70861bf6dab
  SHA256: d5c4461055dfdd7d755400207bebacdfe0cc880f7b6c742409e07afd24515bfc
  SHA512: 550de9d37a27fa93d0869b1ff02a55bfbc49b20871b59b85513b03d4664a1c34350764aada6a23a13f56e7f6e4eb5a4dc6d06fde761713edd1c9cbbbcb5de158

Download 7
  Filesize: 196KB
  MD5: 80b05828a4c0d54e3a3ca2a4cd61492a
  SHA1: f27df18439239725862d94450d284a4e41e5384b
  SHA256: 9b381dcb55d28fcb668b6f9e4209a7b67c332c5179517fb6ba78fd3f701b8bdc
  SHA512: b64e6dce7732d57c62236412cc0f4d08bccaef472134a4b905a3cbbb0c0a7b8b49a58bc1660df1b329621b653c333003840e30293077002c48f931b0333542c3