7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0

Analysis

max time kernel
131s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe
Size

74.6MB
MD5

9da756b8c4da6eeca72850a15c657698
SHA1

716b1b67089b97f1a5bed77ac653d419b3275839
SHA256

7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0
SHA512

17538f01565dc173e8162bef3aec9ce03c182865b3198b56564841c2b9ce99aa2247dfafa713228f2ff392570892c743cae40e3e80f2d9f9a796d958a8738e3e
SSDEEP

1572864:uHTWBlECjxMgp23PnpSRxxhaz/+df11/GgzBGQIj5Oi:AME+9unkRxDw/Mf/pBGRj5

Score

10^/10

discovery evasion persistence privilege_escalation trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe

Executes dropped EXE 2 IoCs

pid	Process
3140	QQSetupEx.exe
2252	win32-67-quickq.exe

Loads dropped DLL 4 IoCs

pid	Process
3140	QQSetupEx.exe
2252	win32-67-quickq.exe
2252	win32-67-quickq.exe
2252	win32-67-quickq.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/764-1-0x0000000180000000-0x00000001801C0000-memory.dmp	upx
behavioral2/memory/764-6-0x0000000180000000-0x00000001801C0000-memory.dmp	upx
behavioral2/memory/764-5-0x0000000180000000-0x00000001801C0000-memory.dmp	upx
behavioral2/memory/764-4-0x0000000180000000-0x00000001801C0000-memory.dmp	upx
behavioral2/memory/764-3-0x0000000180000000-0x00000001801C0000-memory.dmp	upx
behavioral2/memory/764-21-0x0000000180000000-0x00000001801C0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QQSetupEx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32-67-quickq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3608	ipconfig.exe
1940	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
388	mmc.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeShutdownPrivilege	764	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe
Token: 33	1612	mmc.exe
Token: SeIncBasePriorityPrivilege	1612	mmc.exe
Token: 33	1612	mmc.exe
Token: SeIncBasePriorityPrivilege	1612	mmc.exe
Token: SeShutdownPrivilege	3140	QQSetupEx.exe
Token: 33	388	mmc.exe
Token: SeIncBasePriorityPrivilege	388	mmc.exe
Token: 33	388	mmc.exe
Token: SeIncBasePriorityPrivilege	388	mmc.exe
Token: SeDebugPrivilege	3140	QQSetupEx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
764	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
764	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
764	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe
764	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe
1612	mmc.exe
1612	mmc.exe
3140	QQSetupEx.exe
388	mmc.exe
388	mmc.exe
2252	win32-67-quickq.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 4536	764	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	83
PID 764 wrote to memory of 4536	764	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	83
PID 4536 wrote to memory of 3608	4536	cmd.exe	85
PID 4536 wrote to memory of 3608	4536	cmd.exe	85
PID 764 wrote to memory of 2124	764	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	86
PID 764 wrote to memory of 2124	764	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	86
PID 764 wrote to memory of 4956	764	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	96
PID 764 wrote to memory of 4956	764	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	96
PID 4956 wrote to memory of 3132	4956	cmd.exe	99
PID 4956 wrote to memory of 3132	4956	cmd.exe	99
PID 4956 wrote to memory of 8	4956	cmd.exe	100
PID 4956 wrote to memory of 8	4956	cmd.exe	100
PID 4956 wrote to memory of 1964	4956	cmd.exe	101
PID 4956 wrote to memory of 1964	4956	cmd.exe	101
PID 764 wrote to memory of 464	764	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	103
PID 764 wrote to memory of 464	764	7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe	103
PID 1612 wrote to memory of 3140	1612	mmc.exe	110
PID 1612 wrote to memory of 3140	1612	mmc.exe	110
PID 1612 wrote to memory of 3140	1612	mmc.exe	110
PID 388 wrote to memory of 2252	388	mmc.exe	114
PID 388 wrote to memory of 2252	388	mmc.exe	114
PID 388 wrote to memory of 2252	388	mmc.exe	114
PID 3140 wrote to memory of 5028	3140	QQSetupEx.exe	115
PID 3140 wrote to memory of 5028	3140	QQSetupEx.exe	115
PID 3140 wrote to memory of 5028	3140	QQSetupEx.exe	115
PID 5028 wrote to memory of 1940	5028	cmd.exe	117
PID 5028 wrote to memory of 1940	5028	cmd.exe	117
PID 5028 wrote to memory of 1940	5028	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe
"C:\Users\Admin\AppData\Local\Temp\7a69374666a9b781a1ab338f5cffbdf1aea238db6fd10631990e3a74310570d0.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:3608
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" -f C:\ProgramData\CCMz4.xml
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\S44k3.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:3132
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:8
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:1964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\aUb58\R1oON@m7\v+C:\ProgramData\aUb58\R1oON@m7\b C:\ProgramData\aUb58\R1oON@m7\arkHttpClient.dll
  2⤵
  PID:464

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612
- C:\ProgramData\aUb58\R1oON@m7\QQSetupEx.exe
  "C:\ProgramData\aUb58\R1oON@m7\QQSetupEx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:1940

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:388
- C:\ProgramData\win32-67-quickq.exe
  "C:\ProgramData\win32-67-quickq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aUb58\R1oON@m7\PX.txt

Filesize
179KB

MD5
23194553935d876ece4c81dd5cb11e87

SHA1
a535112437a498578392e7ee7c01fa6d3f71d30b

SHA256
63d42c8233efd52599b676106192592b9d29f08e20a824805bf63536c6af9b0b

SHA512
433f93d51c5a8acc363f1ea1dfaa92ce1e1a858b18a2d5cb6c06a936fb1021b5a260bac702b6381c9ec4d562142f3c35e0ca638e8c32113ac9b4f149be1151e4

Download Submit
C:\ProgramData\aUb58\R1oON@m7\QQSetupEx.exe

Filesize
446KB

MD5
9efa9e12deac9f6fa48bc031e4300dad

SHA1
7870326380768cf2cf9114c5d5b8b61fd5fba616

SHA256
1849ecf1956e8b01949ba5eac8ef1255cfcdb62be43dc0d574d2ea3dc1c8eee8

SHA512
3de2c0d96cf4fd7312b872c9c9f135a022daa11a9e5c7c924137c9bd4c0e787ff9492b6164288635bfa9d39dc49e04a5b1bb67501fc56d2422d9da95218eaf40

Download Submit
C:\ProgramData\aUb58\R1oON@m7\arkHTTPClient.dll

Filesize
1.7MB

MD5
301171d2cb6495caffe263d242ee3669

SHA1
f051c8af5294528d11dc9e1f7e70b48cf82d8acd

SHA256
990b71b2b95f0654b5fa66803d76fbaf7c8ec9e0e92d5b9b6bb93bc5cf385a90

SHA512
3a99ddfd5ae5a3087074a15c77a4d6041d4fae654259a64f7a201b755566d37120fdd210ccfe2f80bbe3c78222abd235366c18aa027418eae2332b3682096581

Download Submit
C:\ProgramData\aUb58\R1oON@m7\b

Filesize
883KB

MD5
a4b0f0235f902ae7ef9b2a31a367e001

SHA1
b5be8f51f99cabe8dd25b623a54b5d3d8054490c

SHA256
ae7fb543e8f8e375298387588c2976d1cf5b036697bf2ff6405d5ea27a1d1732

SHA512
d32f5b3aa7d7c68e38461fe160984499b067dd88a58c7ba67069a0b5d9ffce84bf50f74028fba3ab1271bd5a74e949280f0ad70a7546d8901b077aba8e88e4ee

Download Submit
C:\ProgramData\aUb58\R1oON@m7\v

Filesize
883KB

MD5
d8cfdfcff639195051448175c497ccc6

SHA1
b7ce149e8f2968fb85398e9fa1713246abe0ba2f

SHA256
760859d557901c42cc7c8620d1b9ccd26fd61502d44b8d2ffc3b75a8b0174c2e

SHA512
e563cb7435853f52475683e17f50c25fc54e539b6cd3eaaccc8e6cf4e0de0959588e46225c949d014e9558fef1d426004b5954f5e3b5a8a171d957d8a893eb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswC92D.tmp\InstallOptions.dll

Filesize
14KB

MD5
8d5a5529462a9ba1ac068ee0502578c7

SHA1
875e651e302ce0bfc8893f341cf19171fee25ea5

SHA256
e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

SHA512
101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswC92D.tmp\LangDLL.dll

Filesize
5KB

MD5
77ff758c10c66937de6d86c388aa431c

SHA1
14bd5628eaf8a12b55cd38f9560c839cb21ce77a

SHA256
6a033e367714ec0d13fca0589c165bdbf4d1dac459fa7ec7415815223fa3c008

SHA512
319837951be276a179ead69efcd24bd7566061abc7997ea782af50bd4b0d69e5ec1a6e4cdeb2825bafedf87edf03380396b7bcf58682b6a3a824c8dc4b966bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswC92D.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswC92D.tmp\ioSpecial.ini

Filesize
679B

MD5
c68df228f86be4fe7162f617c4cd281b

SHA1
c9dae09f3938859bfc08dadae4d6f4bfec614fc2

SHA256
f4630a0168962a82cbe17558b730b3af815fb69a4effb97aee8da32cb47eac84

SHA512
ef7e3eb21a7b347fa0376b298c5fccb3d5ca0ab896b313db92a836784dc08a9f4529f28341c07eadb8443b940f45c1cd058db074d8bcfa38753401f7236d17be

Download Submit
C:\Users\Admin\AppData\Roaming\S44k3.bat

Filesize
392B

MD5
30d6eb22d6aeec10347239b17b023bf4

SHA1
e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

SHA256
659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

SHA512
500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

Download Submit
memory/764-6-0x0000000180000000-0x00000001801C0000-memory.dmp

Filesize
1.8MB

Download
memory/764-1-0x0000000180000000-0x00000001801C0000-memory.dmp

Filesize
1.8MB

Download
memory/764-3-0x0000000180000000-0x00000001801C0000-memory.dmp

Filesize
1.8MB

Download
memory/764-4-0x0000000180000000-0x00000001801C0000-memory.dmp

Filesize
1.8MB

Download
memory/764-5-0x0000000180000000-0x00000001801C0000-memory.dmp

Filesize
1.8MB

Download
memory/764-21-0x0000000180000000-0x00000001801C0000-memory.dmp

Filesize
1.8MB

Download
memory/3140-27-0x0000000002C40000-0x0000000002CA9000-memory.dmp

Filesize
420KB

Download
memory/3140-29-0x0000000002C40000-0x0000000002CA9000-memory.dmp

Filesize
420KB

Download
memory/3140-28-0x0000000002C40000-0x0000000002CA9000-memory.dmp

Filesize
420KB

Download
memory/3140-31-0x0000000002C40000-0x0000000002CA9000-memory.dmp

Filesize
420KB

Download
memory/3140-124-0x0000000002C40000-0x0000000002CA9000-memory.dmp

Filesize
420KB

Download
memory/3140-126-0x0000000002C40000-0x0000000002CA9000-memory.dmp

Filesize
420KB

Download
memory/3140-125-0x0000000002C40000-0x0000000002CA9000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads