Overview (score 7)

Task                     Platform             Score
Static                   -                    3
SecuriteIn...07.exe      windows7-x64         7
SecuriteIn...07.exe      windows10-2004-x64   7
$PLUGINSDI...LL.dll      windows7-x64         3
$PLUGINSDI...LL.dll      windows10-2004-x64   3
$PLUGINSDI...ns.dll      windows7-x64         3
$PLUGINSDI...ns.dll      windows10-2004-x64   3
$PLUGINSDI...LL.dll      windows7-x64         3
$PLUGINSDI...LL.dll      windows10-2004-x64   3
$PLUGINSDI...em.dll      windows7-x64         3
$PLUGINSDI...em.dll      windows10-2004-x64   3
dqwhj_errwd.exe          windows7-x64         3
dqwhj_errwd.exe          windows10-2004-x64   3
iconAnimate.exe          windows7-x64         3
iconAnimate.exe          windows10-2004-x64   3
iconTips.exe             windows7-x64         3
iconTips.exe             windows10-2004-x64   3
uninst.exe               windows7-x64         7
uninst.exe               windows10-2004-x64   7
$PLUGINSDI...LL.dll      windows7-x64         3
$PLUGINSDI...LL.dll      windows10-2004-x64   3
$PLUGINSDI...LL.dll      windows7-x64         3
$PLUGINSDI...LL.dll      windows10-2004-x64   3
$PLUGINSDI...em.dll      windows7-x64         3
$PLUGINSDI...em.dll      windows10-2004-x64   3
$PLUGINSDIR/inetc.dll    windows7-x64         3
$PLUGINSDIR/inetc.dll    windows10-2004-x64   3
$PLUGINSDI...gs.dll      windows7-x64         3
$PLUGINSDI...gs.dll      windows10-2004-x64   3
Analysis

max time kernel:   136s
max time network:  138s
platform:          windows10-2004_x64
resource:          win10v2004-20241007-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted:         31/10/2024, 16:21
Static task: static1

Behavioral tasks

Task           Sample                                            Resource
behavioral1    SecuriteInfo.com.FileRepMalware.6479.21607.exe    win7-20241010-en
behavioral2    SecuriteInfo.com.FileRepMalware.6479.21607.exe    win10v2004-20241007-en
behavioral3    $PLUGINSDIR/FindProcDLL.dll                       win7-20240903-en
behavioral4    $PLUGINSDIR/FindProcDLL.dll                       win10v2004-20241007-en
behavioral5    $PLUGINSDIR/InstallOptions.dll                    win7-20240903-en
behavioral6    $PLUGINSDIR/InstallOptions.dll                    win10v2004-20241007-en
behavioral7    $PLUGINSDIR/KillProcDLL.dll                       win7-20241010-en
behavioral8    $PLUGINSDIR/KillProcDLL.dll                       win10v2004-20241007-en
behavioral9    $PLUGINSDIR/System.dll                            win7-20240903-en
behavioral10   $PLUGINSDIR/System.dll                            win10v2004-20241007-en
behavioral11   dqwhj_errwd.exe                                   win7-20240903-en
behavioral12   dqwhj_errwd.exe                                   win10v2004-20241007-en
behavioral13   iconAnimate.exe                                   win7-20240903-en
behavioral14   iconAnimate.exe                                   win10v2004-20241007-en
behavioral15   iconTips.exe                                      win7-20241023-en
behavioral16   iconTips.exe                                      win10v2004-20241007-en
behavioral17   uninst.exe                                        win7-20241010-en
behavioral18   uninst.exe                                        win10v2004-20241007-en
behavioral19   $PLUGINSDIR/FindProcDLL.dll                       win7-20240903-en
behavioral20   $PLUGINSDIR/FindProcDLL.dll                       win10v2004-20241007-en
behavioral21   $PLUGINSDIR/KillProcDLL.dll                       win7-20240903-en
behavioral22   $PLUGINSDIR/KillProcDLL.dll                       win10v2004-20241007-en
behavioral23   $PLUGINSDIR/System.dll                            win7-20240903-en
behavioral24   $PLUGINSDIR/System.dll                            win10v2004-20241007-en
behavioral25   $PLUGINSDIR/inetc.dll                             win7-20240708-en
behavioral26   $PLUGINSDIR/inetc.dll                             win10v2004-20241007-en
behavioral27   $PLUGINSDIR/nsDialogs.dll                         win7-20240903-en
behavioral28   $PLUGINSDIR/nsDialogs.dll                         win10v2004-20241007-en
General

Target:  SecuriteInfo.com.FileRepMalware.6479.21607.exe
Size:    1.6MB
MD5:     5e96050ed8827efeb9c90d59ce708f10
SHA1:    83dca0d791cfaeca7fe8ad68fed370c37ef48ce1
SHA256:  0a9157f45b50d30bc4ba535bf2e5ee8a447870edaf887ba7e7fe011e4081d075
SHA512:  7fe2d4986f2331eb2d780f3326bba9dfeff8f773094bf1eb08c4ac601bc0579c9649c1f0646bde1043202d2261914f649ea7fa8fa2c8ee5ac370a880071fdb37
SSDEEP:  24576:G1cfyJ8m1Z79b6BMxWcrJfO/RIweCJK3VmmsPEq9lDBff3hVYpPGf69tC:wrz1Z7YBkWcpO/RTrD9lNffxVY2m8
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid    Process
  5004   dqwhj_errwd.exe
  4780   dqwhj_errwd.exe

Loads dropped DLL (7 IoCs)
  pid    Process
  408    SecuriteInfo.com.FileRepMalware.6479.21607.exe   (7 entries, all from PID 408)

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                    ioc                   Process
  File opened for modification   \??\PhysicalDrive0    dqwhj_errwd.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                            Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    SecuriteInfo.com.FileRepMalware.6479.21607.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    dqwhj_errwd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    dqwhj_errwd.exe

Suspicious behavior: EnumeratesProcesses (28 IoCs)
  pid    Process
  408    SecuriteInfo.com.FileRepMalware.6479.21607.exe   (4 entries)
  5004   dqwhj_errwd.exe                                  (22 entries)
  408    SecuriteInfo.com.FileRepMalware.6479.21607.exe   (2 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    Process
  4780   dqwhj_errwd.exe
  4780   dqwhj_errwd.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                          procid_target
  PID 408 wrote to memory of 5004   408   SecuriteInfo.com.FileRepMalware.6479.21607.exe   84    (3 entries)
  PID 408 wrote to memory of 4780   408   SecuriteInfo.com.FileRepMalware.6479.21607.exe   104   (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe (depth 1, PID 408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.6479.21607.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe (depth 2, PID 5004, child of PID 408)
    Command line: "C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /setupsucc
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe (depth 2, PID 4780, child of PID 408)
    Command line: "C:\Users\Admin\AppData\Roaming\mk-jzcq\dqwhj_errwd.exe" /autorun /setuprun
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize:  3KB
MD5:       8614c450637267afacad1645e23ba24a
SHA1:      e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2
SHA256:    0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758
SHA512:    af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Filesize:  11KB
MD5:       c17103ae9072a06da581dec998343fc1
SHA1:      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256:    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512:    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Filesize:  412B
MD5:       2c50cf60647cb651d7828f8aa66c0b68
SHA1:      aa3ba89fc7adc865a13169d6449443ee63dfd910
SHA256:    7549fdb2859a659368e06fe95abb06fdbc91ec3dafd6c062bff8b67317db6eb4
SHA512:    46e3256a785ff494b375062ebe4543fd9ded68b34928f71812b1742bb25f3a153335646e4bd547f19c128c48a1a98dda336e1e8c759140c708be8019a0168769

Filesize:  1.4MB
MD5:       75a7cc387d1e24de8ba1275e81a840d1
SHA1:      8a21d186efb66be5db46925518e0b70861bf6dab
SHA256:    d5c4461055dfdd7d755400207bebacdfe0cc880f7b6c742409e07afd24515bfc
SHA512:    550de9d37a27fa93d0869b1ff02a55bfbc49b20871b59b85513b03d4664a1c34350764aada6a23a13f56e7f6e4eb5a4dc6d06fde761713edd1c9cbbbcb5de158

Filesize:  361B
MD5:       bd3d2a63852000b334df43694b413842
SHA1:      c2352468953156292e7e1a3ec8f3fb007ca008b8
SHA256:    0e44d0f71caaada342fc0785f8cfc1adda2a7d7c939c7b62bc3c64bc56d06b19
SHA512:    463efc29f6f9cf87ae155e5b9c7b59130a153f6d0598d2a06fcbf51c4098743ae03de531cd53a54ccac9be0ae164a0537cff7e1377b62cbf60ec2a7c065bcb08