6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Size

457KB
MD5

e3d480a39eacd6bb9656520c5bb779b2
SHA1

532c5cc229e3d76528455a855d3b3c7d4eae2b13
SHA256

6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0
SHA512

9a4b19b80e5e85811a6fd1e1e6d35c330347d6b87de85e94ffa77ebabe9bfd59e2f6d0cbea2c88eebbcf9c227cd01909b51bbba20af3af481bd1826025eb9c09
SSDEEP

6144:9bpGtfoVtScw2RCgrzItQB0bpGtfoVtScw2RCgrzItQBUbpGtfoT:TGtAtScw3qEKBWGtAtScw3qEKB2Gt2

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1980	VFWF.EXE

Loads dropped DLL 2 IoCs

pid	Process
740	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
740	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	VFWF.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\EDFP.EXE \"%1\" %*"	VFWF.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XCJT.EXE = "C:\\Program Files\\XCJT.EXE"	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe

Enumerates connected drives 3 TTPs 34 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	VFWF.EXE
File opened (read-only)	\??\V:	VFWF.EXE
File opened (read-only)	\??\I:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\L:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\N:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\G:	VFWF.EXE
File opened (read-only)	\??\N:	VFWF.EXE
File opened (read-only)	\??\O:	VFWF.EXE
File opened (read-only)	\??\E:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\P:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\L:	VFWF.EXE
File opened (read-only)	\??\Q:	VFWF.EXE
File opened (read-only)	\??\U:	VFWF.EXE
File opened (read-only)	\??\J:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\U:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\E:	VFWF.EXE
File opened (read-only)	\??\R:	VFWF.EXE
File opened (read-only)	\??\Q:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\J:	VFWF.EXE
File opened (read-only)	\??\S:	VFWF.EXE
File opened (read-only)	\??\H:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\K:	VFWF.EXE
File opened (read-only)	\??\K:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\S:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\I:	VFWF.EXE
File opened (read-only)	\??\M:	VFWF.EXE
File opened (read-only)	\??\T:	VFWF.EXE
File opened (read-only)	\??\M:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\T:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\G:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\O:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\R:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\V:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\H:	VFWF.EXE

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/740-0-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/files/0x00060000000186f8-10.dat	upx
behavioral1/files/0x000f000000013a51-20.dat	upx
behavioral1/memory/740-26-0x0000000002EF0000-0x0000000002F5E000-memory.dmp	upx
behavioral1/memory/740-30-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1980-32-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1980-33-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1980-38-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1980-39-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1980-40-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1980-41-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1980-42-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1980-44-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1980-45-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1980-46-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/memory/1980-47-0x0000000000400000-0x000000000046E000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\XCJT.EXE	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened for modification	C:\Program Files\XCJT.EXE	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File created	C:\Program Files\EDFP.EXE	VFWF.EXE
File created	C:\Program Files\VFWF.EXE	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File created	C:\Program Files\MXAAE.EXE	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\QQGJYKD.EXE	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File created	C:\Windows\QQGJYKD.EXE	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VFWF.EXE

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	VFWF.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Windows\\QQGJYKD.EXE \"%1\""	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Program Files\\XCJT.EXE %1"	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files\\XCJT.EXE \"%1\""	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files\\XCJT.EXE \"%1\" %*"	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\EDFP.EXE \"%1\" %*"	VFWF.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\Windows\\QQGJYKD.EXE %1"	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\QQGJYKD.EXE %1"	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1980	VFWF.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 1980	740	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe	31
PID 740 wrote to memory of 1980	740	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe	31
PID 740 wrote to memory of 1980	740	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe	31
PID 740 wrote to memory of 1980	740	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe	31

C:\Users\Admin\AppData\Local\Temp\6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
"C:\Users\Admin\AppData\Local\Temp\6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:740
- C:\Program Files\VFWF.EXE
  "C:\Program Files\VFWF.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\QQGJYKD.EXE

Filesize
458KB

MD5
e7d926b4452c7d10d64f4e79da9cf37a

SHA1
c16a74603bd4f29d67ca052f4d198b53f5d481b7

SHA256
1c4a715dc9c3d5111bd6a686a12e0914a115f6bf004bc674d90813756a0428a8

SHA512
1ccc3a95fc163e506c7ab0ca4b20f4397ab607f849b4c71c5a5e2ba16ad3992bbee1aebd2684fe3e331526e85655c65d5dda73071a5379df15303bf9b51f280d

Download Submit
C:\filedebug

Filesize
235B

MD5
c07e5a7f5166ca0007476538c6de1aab

SHA1
e56c9262af8caa458b6e1fc569e3cacc95f00b4c

SHA256
e42b93daa8c5a6a96eca17f4c488466a94ab9ef49c7d9f7040beca0275915cc2

SHA512
71c225b3c50176954121606c7447b7e7eb0634bab188f4734ab4617b93674e4fe9cdee073dd1b0b4c2be63ba3191c6cd569d09a2ff81671c6916ddcbed784d47

Download Submit
\??\c:\filedebug

Filesize
262B

MD5
2fdee501098fce07ec5f8fb0d037d077

SHA1
d4a58f06759a0f70e9b1fae6a055c8dd23b55d60

SHA256
b0f36638af6b5353bd6b9fc3aac218c48d78eb976cda125a776196e150244169

SHA512
cd86143d493ac6df30ea9ef00ea1a5a94e4aa54e12a778ee79f0ae0467dc8abbafd3fd9c9fec0ba8eb37e743c7c4a74ae34f7ec0e0cab5cb526d00f20d288ddb

Download Submit
\Program Files\VFWF.EXE

Filesize
458KB

MD5
b129b7d311bbb5bb464017fa83e0ee47

SHA1
1a597b3c42ef1062ace0e609011b25dfded307bd

SHA256
cb4fa74f4919d3549e97c16bfa4f075d1c4121f770b89fca5af76ab68bb3fa14

SHA512
c891d31a69762c8e72c63ee823ab7aa49b0fae13d693e16c4171fe2bf500d852a6a2531166e271cbdc00750bf94399e0ae329b6fca02ddb354522bf4b11929c8

Download Submit
memory/740-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/740-5-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/740-27-0x0000000002EF0000-0x0000000002F5E000-memory.dmp

Filesize
440KB

Download
memory/740-26-0x0000000002EF0000-0x0000000002F5E000-memory.dmp

Filesize
440KB

Download
memory/740-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/740-31-0x0000000002EF0000-0x0000000002F5E000-memory.dmp

Filesize
440KB

Download
memory/1980-32-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-33-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-29-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1980-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-40-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-41-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-42-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-44-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-45-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-46-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1980-47-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads