7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0

Analysis

max time kernel
121s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe
Size

74.6MB
MD5

9da756b8c4da6eeca72850a15c657698
SHA1

716b1b67089b97f1a5bed77ac653d419b3275839
SHA256

7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0
SHA512

17538f01565dc173e8162bef3aec9ce03c182865b3198b56564841c2b9ce99aa2247dfafa713228f2ff392570892c743cae40e3e80f2d9f9a796d958a8738e3e
SSDEEP

1572864:uHTWBlECjxMgp23PnpSRxxhaz/+df11/GgzBGQIj5Oi:AME+9unkRxDw/Mf/pBGRj5

Score

10^/10

discovery evasion persistence privilege_escalation trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Executes dropped EXE 2 IoCs

pid	Process
2900	QQSetupEx.exe
1572	win32-67-quickq.exe

Loads dropped DLL 4 IoCs

pid	Process
2900	QQSetupEx.exe
1572	win32-67-quickq.exe
1572	win32-67-quickq.exe
1572	win32-67-quickq.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1084-5-0x0000000180000000-0x00000001801C0000-memory.dmp	upx
behavioral1/memory/1084-6-0x0000000180000000-0x00000001801C0000-memory.dmp	upx
behavioral1/memory/1084-4-0x0000000180000000-0x00000001801C0000-memory.dmp	upx
behavioral1/memory/1084-3-0x0000000180000000-0x00000001801C0000-memory.dmp	upx
behavioral1/memory/1084-2-0x0000000180000000-0x00000001801C0000-memory.dmp	upx
behavioral1/memory/1084-1-0x0000000180000000-0x00000001801C0000-memory.dmp	upx
behavioral1/memory/1084-15-0x0000000180000000-0x00000001801C0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQSetupEx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32-67-quickq.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2652	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1572	win32-67-quickq.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2760	mmc.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe
Token: 33	2776	mmc.exe
Token: SeIncBasePriorityPrivilege	2776	mmc.exe
Token: 33	2776	mmc.exe
Token: SeIncBasePriorityPrivilege	2776	mmc.exe
Token: 33	2760	mmc.exe
Token: SeIncBasePriorityPrivilege	2760	mmc.exe
Token: 33	2760	mmc.exe
Token: SeIncBasePriorityPrivilege	2760	mmc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe
1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe
2776	mmc.exe
2776	mmc.exe
2760	mmc.exe
2760	mmc.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 740	1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	30
PID 1084 wrote to memory of 740	1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	30
PID 1084 wrote to memory of 740	1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	30
PID 740 wrote to memory of 2652	740	cmd.exe	32
PID 740 wrote to memory of 2652	740	cmd.exe	32
PID 740 wrote to memory of 2652	740	cmd.exe	32
PID 1084 wrote to memory of 2924	1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	33
PID 1084 wrote to memory of 2924	1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	33
PID 1084 wrote to memory of 2924	1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	33
PID 1084 wrote to memory of 2972	1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	35
PID 1084 wrote to memory of 2972	1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	35
PID 1084 wrote to memory of 2972	1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	35
PID 2972 wrote to memory of 2992	2972	cmd.exe	37
PID 2972 wrote to memory of 2992	2972	cmd.exe	37
PID 2972 wrote to memory of 2992	2972	cmd.exe	37
PID 2972 wrote to memory of 2964	2972	cmd.exe	38
PID 2972 wrote to memory of 2964	2972	cmd.exe	38
PID 2972 wrote to memory of 2964	2972	cmd.exe	38
PID 2972 wrote to memory of 2940	2972	cmd.exe	39
PID 2972 wrote to memory of 2940	2972	cmd.exe	39
PID 2972 wrote to memory of 2940	2972	cmd.exe	39
PID 1084 wrote to memory of 2164	1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	40
PID 1084 wrote to memory of 2164	1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	40
PID 1084 wrote to memory of 2164	1084	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	40
PID 2776 wrote to memory of 2900	2776	mmc.exe	43
PID 2776 wrote to memory of 2900	2776	mmc.exe	43
PID 2776 wrote to memory of 2900	2776	mmc.exe	43
PID 2776 wrote to memory of 2900	2776	mmc.exe	43
PID 2776 wrote to memory of 2900	2776	mmc.exe	43
PID 2776 wrote to memory of 2900	2776	mmc.exe	43
PID 2776 wrote to memory of 2900	2776	mmc.exe	43
PID 2760 wrote to memory of 1572	2760	mmc.exe	45
PID 2760 wrote to memory of 1572	2760	mmc.exe	45
PID 2760 wrote to memory of 1572	2760	mmc.exe	45
PID 2760 wrote to memory of 1572	2760	mmc.exe	45

C:\Users\Admin\AppData\Local\Temp\7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe
"C:\Users\Admin\AppData\Local\Temp\7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2652
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" -f C:\ProgramData\28O68.xml
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\YtUs6.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:2992
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:2964
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:2940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\0rhRY\QbG96@m7\v+C:\ProgramData\0rhRY\QbG96@m7\b C:\ProgramData\0rhRY\QbG96@m7\arkHttpClient.dll
  2⤵
  PID:2164

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776
- C:\ProgramData\0rhRY\QbG96@m7\QQSetupEx.exe
  "C:\ProgramData\0rhRY\QbG96@m7\QQSetupEx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2900

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760
- C:\ProgramData\win32-67-quickq.exe
  "C:\ProgramData\win32-67-quickq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\0rhRY\QbG96@m7\PX.txt

Filesize
179KB

MD5
23194553935d876ece4c81dd5cb11e87

SHA1
a535112437a498578392e7ee7c01fa6d3f71d30b

SHA256
63d42c8233efd52599b676106192592b9d29f08e20a824805bf63536c6af9b0b

SHA512
433f93d51c5a8acc363f1ea1dfaa92ce1e1a858b18a2d5cb6c06a936fb1021b5a260bac702b6381c9ec4d562142f3c35e0ca638e8c32113ac9b4f149be1151e4

Download Submit
C:\ProgramData\0rhRY\QbG96@m7\QQSetupEx.exe

Filesize
446KB

MD5
9efa9e12deac9f6fa48bc031e4300dad

SHA1
7870326380768cf2cf9114c5d5b8b61fd5fba616

SHA256
1849ecf1956e8b01949ba5eac8ef1255cfcdb62be43dc0d574d2ea3dc1c8eee8

SHA512
3de2c0d96cf4fd7312b872c9c9f135a022daa11a9e5c7c924137c9bd4c0e787ff9492b6164288635bfa9d39dc49e04a5b1bb67501fc56d2422d9da95218eaf40

Download Submit
C:\ProgramData\0rhRY\QbG96@m7\arkHTTPClient.dll

Filesize
1.7MB

MD5
301171d2cb6495caffe263d242ee3669

SHA1
f051c8af5294528d11dc9e1f7e70b48cf82d8acd

SHA256
990b71b2b95f0654b5fa66803d76fbaf7c8ec9e0e92d5b9b6bb93bc5cf385a90

SHA512
3a99ddfd5ae5a3087074a15c77a4d6041d4fae654259a64f7a201b755566d37120fdd210ccfe2f80bbe3c78222abd235366c18aa027418eae2332b3682096581

Download Submit
C:\ProgramData\0rhRY\QbG96@m7\b

Filesize
883KB

MD5
a4b0f0235f902ae7ef9b2a31a367e001

SHA1
b5be8f51f99cabe8dd25b623a54b5d3d8054490c

SHA256
ae7fb543e8f8e375298387588c2976d1cf5b036697bf2ff6405d5ea27a1d1732

SHA512
d32f5b3aa7d7c68e38461fe160984499b067dd88a58c7ba67069a0b5d9ffce84bf50f74028fba3ab1271bd5a74e949280f0ad70a7546d8901b077aba8e88e4ee

Download Submit
C:\ProgramData\0rhRY\QbG96@m7\v

Filesize
883KB

MD5
d8cfdfcff639195051448175c497ccc6

SHA1
b7ce149e8f2968fb85398e9fa1713246abe0ba2f

SHA256
760859d557901c42cc7c8620d1b9ccd26fd61502d44b8d2ffc3b75a8b0174c2e

SHA512
e563cb7435853f52475683e17f50c25fc54e539b6cd3eaaccc8e6cf4e0de0959588e46225c949d014e9558fef1d426004b5954f5e3b5a8a171d957d8a893eb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu1585.tmp\ioSpecial.ini

Filesize
679B

MD5
4e270dae828a4760ac81bd7c227f46ea

SHA1
ace4f8fd683dcf475690b901fa5c03306a8ed5c2

SHA256
156dcf62dd1e522b8bbbd30e2edf26c21a867fe71c8a32c49b0318730abf4197

SHA512
c50d481973d5e4e7e0c379f27364cfcfda3fdac5753be50b83ec3c20ad6dcf30d309161ad171c5eab8c22aeb0083c4a494fe601297a5bae37c29ba9ae4476f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu1585.tmp\ioSpecial.ini

Filesize
718B

MD5
5cfa7001b56814fc16f41b0ce41ac814

SHA1
dd8d8cd185848418172b6385c820119f97bcbd42

SHA256
f5a66b21531cb87b04d7fe496df635a4f4432f4abfeba5732a9f40ea68c4c96a

SHA512
c0e921eb9165be3eff9d51338c209d264e0f7c9234db6769a147146637f6016d6f0c63f81d2c5b46c7d3cf0766308cf69b35b66bcd6c340e1c0e63a82c618d48

Download Submit
C:\Users\Admin\AppData\Roaming\YtUs6.bat

Filesize
392B

MD5
30d6eb22d6aeec10347239b17b023bf4

SHA1
e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

SHA256
659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

SHA512
500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

Download Submit
\Users\Admin\AppData\Local\Temp\nsu1585.tmp\InstallOptions.dll

Filesize
14KB

MD5
8d5a5529462a9ba1ac068ee0502578c7

SHA1
875e651e302ce0bfc8893f341cf19171fee25ea5

SHA256
e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

SHA512
101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

Download Submit
\Users\Admin\AppData\Local\Temp\nsu1585.tmp\LangDLL.dll

Filesize
5KB

MD5
77ff758c10c66937de6d86c388aa431c

SHA1
14bd5628eaf8a12b55cd38f9560c839cb21ce77a

SHA256
6a033e367714ec0d13fca0589c165bdbf4d1dac459fa7ec7415815223fa3c008

SHA512
319837951be276a179ead69efcd24bd7566061abc7997ea782af50bd4b0d69e5ec1a6e4cdeb2825bafedf87edf03380396b7bcf58682b6a3a824c8dc4b966bda

Download Submit
\Users\Admin\AppData\Local\Temp\nsu1585.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
memory/1084-5-0x0000000180000000-0x00000001801C0000-memory.dmp

Filesize
1.8MB

Download
memory/1084-6-0x0000000180000000-0x00000001801C0000-memory.dmp

Filesize
1.8MB

Download
memory/1084-4-0x0000000180000000-0x00000001801C0000-memory.dmp

Filesize
1.8MB

Download
memory/1084-3-0x0000000180000000-0x00000001801C0000-memory.dmp

Filesize
1.8MB

Download
memory/1084-2-0x0000000180000000-0x00000001801C0000-memory.dmp

Filesize
1.8MB

Download
memory/1084-1-0x0000000180000000-0x00000001801C0000-memory.dmp

Filesize
1.8MB

Download
memory/1084-15-0x0000000180000000-0x00000001801C0000-memory.dmp

Filesize
1.8MB

Download
memory/2900-26-0x0000000000640000-0x00000000006A9000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads