Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14-11-2024 04:33
Static task
static1
Behavioral task
behavioral1
Sample
24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe
Resource
win7-20240903-en
General
-
Target
24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe
-
Size
2.0MB
-
MD5
7c42c0289a8ef2395efc1e7925b2d16e
-
SHA1
5b75f9495a791d982e269f3fb4dcac2b95f5138c
-
SHA256
24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7
-
SHA512
01e5a6f9a5145e01603c84f772e038b2ee40e45fb4d9b307269b199411fa68127e2443ede7ea30f0c630d2c84090de2c38b75ff8e139a7886e341e82b36750bc
-
SSDEEP
24576:hCIRyPP2GXKWAftKuRz2tgJZA5r5NCLytLSBy/r4/c4W6dVypXkPckF+XM/HU93G:CPBKWO02gSAIW4k4W6fskkkF+SHU932B
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Windows.dll -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Windows.dll -
Executes dropped EXE 6 IoCs
pid Process 2404 Windows.dll 4588 Windows.dll 6004 Windows.dll 13296 Phxph.exe 1604 Phxph.exe 2676 Phxph.exe -
Loads dropped DLL 3 IoCs
pid Process 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Phxph.exe Windows.dll File opened for modification C:\Windows\SysWOW64\Phxph.exe Windows.dll -
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
pid Process 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 2404 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 2404 Windows.dll 2404 Windows.dll 2404 Windows.dll 2404 Windows.dll 2404 Windows.dll 2404 Windows.dll 6004 Windows.dll 6004 Windows.dll 6004 Windows.dll 6004 Windows.dll 6004 Windows.dll 6004 Windows.dll 6004 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 13296 Phxph.exe 2404 Windows.dll 2404 Windows.dll 2404 Windows.dll 2404 Windows.dll 2404 Windows.dll 2404 Windows.dll 6004 Windows.dll 6004 Windows.dll 6004 Windows.dll 6004 Windows.dll 6004 Windows.dll 6004 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 4588 Windows.dll 2404 Windows.dll 2404 Windows.dll 2404 Windows.dll 2404 Windows.dll 2404 Windows.dll 2404 Windows.dll -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phxph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows.dll Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phxph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows.dll Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phxph.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4144 cmd.exe 4280 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4280 PING.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2404 Windows.dll -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 4588 Windows.dll Token: SeLoadDriverPrivilege 2404 Windows.dll Token: 33 2404 Windows.dll Token: SeIncBasePriorityPrivilege 2404 Windows.dll -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 2096 wrote to memory of 2404 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 30 PID 2096 wrote to memory of 2404 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 30 PID 2096 wrote to memory of 2404 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 30 PID 2096 wrote to memory of 2404 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 30 PID 2096 wrote to memory of 2404 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 30 PID 2096 wrote to memory of 2404 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 30 PID 2096 wrote to memory of 2404 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 30 PID 2096 wrote to memory of 4588 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 31 PID 2096 wrote to memory of 4588 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 31 PID 2096 wrote to memory of 4588 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 31 PID 2096 wrote to memory of 4588 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 31 PID 2096 wrote to memory of 4588 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 31 PID 2096 wrote to memory of 4588 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 31 PID 2096 wrote to memory of 4588 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 31 PID 2096 wrote to memory of 6004 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 32 PID 2096 wrote to memory of 6004 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 32 PID 2096 wrote to memory of 6004 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 32 PID 2096 wrote to memory of 6004 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 32 PID 2096 wrote to memory of 6004 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 32 PID 2096 wrote to memory of 6004 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 32 PID 2096 wrote to memory of 6004 2096 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe 32 PID 4588 wrote to memory of 4144 4588 Windows.dll 36 PID 4588 wrote to memory of 4144 4588 Windows.dll 36 PID 4588 wrote to memory of 4144 4588 Windows.dll 36 PID 4588 wrote to memory of 4144 4588 Windows.dll 36 PID 4144 wrote to memory of 4280 4144 cmd.exe 38 PID 4144 wrote to memory of 4280 4144 cmd.exe 38 PID 4144 wrote to memory of 4280 4144 cmd.exe 38 PID 4144 wrote to memory of 4280 4144 cmd.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe"C:\Users\Admin\AppData\Local\Temp\24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Users\Admin\AppData\Roaming\Windows.dllC:\Users\Admin\AppData\Roaming\\Windows.dll2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2404
-
-
C:\Users\Admin\AppData\Roaming\Windows.dllC:\Users\Admin\AppData\Roaming\\Windows.dll2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Roaming\Windows.dll > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4280
-
-
-
-
C:\Users\Admin\AppData\Roaming\Windows.dllC:\Users\Admin\AppData\Roaming\\Windows.dll2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6004
-
-
C:\Windows\SysWOW64\Phxph.exeC:\Windows\SysWOW64\Phxph.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:13296
-
C:\Windows\SysWOW64\Phxph.exeC:\Windows\SysWOW64\Phxph.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1604
-
C:\Windows\SysWOW64\Phxph.exeC:\Windows\SysWOW64\Phxph.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22.1MB
MD544d1ce29474bad8ada3d778af1dac0f3
SHA1319f966cc44529a564f9d5d19e0fb99e0af2ea19
SHA256d75217eccc9e4b9a2ccfb2819b1fdbf01a074042292bcf3162ec27a01b7ee1cf
SHA512511ac3bfa10928190c7cb035a976c673fb758950ce4accde4a80b81b62ee0585d5d51930571ffa177fb1d63ecd4a770415bc09800cc5cd1ac6cb7efa16b7d025
-
Filesize
1.1MB
MD51144ea1e19cb2a42f7ad2fa04db8e476
SHA12ef6e0f9c5e57305bff6d30080cf68c1d3e101d9
SHA25620569e9045f5c150eafa51752334b62c78b9dbc308d61dacfcb2098a76c5cf50
SHA5123df308eafc0f014a07fbdeb706b32eb5de7e02a7496e70e5035d9b76db239435a2511964fc027380aad19763755c4e07e52f4e157b691c55c5a03d5b21593556