bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af

Analysis

max time kernel
149s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe
Size

2.9MB
MD5

fe86e62f1f8cc2b9160c316c7e1ccffd
SHA1

540ed568fad46b2e4bccd6460e98e7e07a78068f
SHA256

bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af
SHA512

1cbe0eba13af47bfa1781d766dfaab6a0a185afa8f48694b5aab25c20a557101b69b63977a04c4cef0f9b5fde66deaea888e459f755fdee99c061e63f7eeb48a
SSDEEP

49152:Mh2n9VNAIW4k4W6fskkkF+SHU932E0DIR:Msn9Vhek2rv0DIR

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

Serveri.dll

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Serveri.dll

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Serveri.dll

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	Serveri.dll

Drops startup file 1 IoCs

Processes:

bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe.lnk	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe

Executes dropped EXE 6 IoCs

Processes:

Serveri.dllServeri.dllServeri.dllPhxph.exePhxph.exePhxph.exe

pid	Process
2692	Serveri.dll
10572	Serveri.dll
10604	Serveri.dll
11492	Phxph.exe
7356	Phxph.exe
11136	Phxph.exe

Loads dropped DLL 3 IoCs

Processes:

bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe

pid	Process
1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe
1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe
1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe

Drops file in System32 directory 5 IoCs

Processes:

bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exeServeri.dll

description	ioc	Process
File created	C:\Windows\SysWOW64\Serveri.dll	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe
File opened for modification	C:\Windows\SysWOW64\Serveri.dll	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe
File created	C:\Windows\SysWOW64\Phxph.exe	Serveri.dll
File opened for modification	C:\Windows\SysWOW64\Phxph.exe	Serveri.dll
File opened for modification	C:\Windows\SysWOW64\Serveri.dll	Serveri.dll

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

Serveri.dllServeri.dllServeri.dllPhxph.exe

pid	Process
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
10572	Serveri.dll
10572	Serveri.dll
10572	Serveri.dll
10572	Serveri.dll
10572	Serveri.dll
10572	Serveri.dll
10572	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
10604	Serveri.dll
10572	Serveri.dll
10572	Serveri.dll
10572	Serveri.dll
10572	Serveri.dll
10572	Serveri.dll
10572	Serveri.dll
10604	Serveri.dll
10604	Serveri.dll
10604	Serveri.dll
10604	Serveri.dll
10604	Serveri.dll
10604	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
10572	Serveri.dll
10572	Serveri.dll
10572	Serveri.dll
10572	Serveri.dll
10572	Serveri.dll
10572	Serveri.dll
10604	Serveri.dll
10604	Serveri.dll
10604	Serveri.dll
10604	Serveri.dll
10604	Serveri.dll
10604	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
2692	Serveri.dll
11492	Phxph.exe
10604	Serveri.dll
10604	Serveri.dll
10604	Serveri.dll
10604	Serveri.dll
10604	Serveri.dll
10604	Serveri.dll

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Phxph.exePhxph.exeServeri.dllbac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exePhxph.exeServeri.dllcmd.exePING.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phxph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phxph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Serveri.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phxph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Serveri.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXE

pid	Process
2180	cmd.exe
4508	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
4508	PING.EXE

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

Serveri.dll

pid	Process
10572	Serveri.dll

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Serveri.dllServeri.dll

description	pid	Process
Token: SeIncBasePriorityPrivilege	2692	Serveri.dll
Token: SeLoadDriverPrivilege	10572	Serveri.dll
Token: 33	10572	Serveri.dll
Token: SeIncBasePriorityPrivilege	10572	Serveri.dll

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe

pid	Process
1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe
1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exeServeri.dllcmd.exe

description	pid	Process	procid_target
PID 1044 wrote to memory of 2692	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	28
PID 1044 wrote to memory of 2692	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	28
PID 1044 wrote to memory of 2692	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	28
PID 1044 wrote to memory of 2692	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	28
PID 1044 wrote to memory of 2692	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	28
PID 1044 wrote to memory of 2692	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	28
PID 1044 wrote to memory of 2692	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	28
PID 1044 wrote to memory of 10572	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	29
PID 1044 wrote to memory of 10572	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	29
PID 1044 wrote to memory of 10572	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	29
PID 1044 wrote to memory of 10572	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	29
PID 1044 wrote to memory of 10572	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	29
PID 1044 wrote to memory of 10572	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	29
PID 1044 wrote to memory of 10572	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	29
PID 1044 wrote to memory of 10604	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	30
PID 1044 wrote to memory of 10604	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	30
PID 1044 wrote to memory of 10604	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	30
PID 1044 wrote to memory of 10604	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	30
PID 1044 wrote to memory of 10604	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	30
PID 1044 wrote to memory of 10604	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	30
PID 1044 wrote to memory of 10604	1044	bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe	30
PID 2692 wrote to memory of 2180	2692	Serveri.dll	35
PID 2692 wrote to memory of 2180	2692	Serveri.dll	35
PID 2692 wrote to memory of 2180	2692	Serveri.dll	35
PID 2692 wrote to memory of 2180	2692	Serveri.dll	35
PID 2180 wrote to memory of 4508	2180	cmd.exe	37
PID 2180 wrote to memory of 4508	2180	cmd.exe	37
PID 2180 wrote to memory of 4508	2180	cmd.exe	37
PID 2180 wrote to memory of 4508	2180	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe
"C:\Users\Admin\AppData\Local\Temp\bac9522027f995192c65ef3695741d690c3d1e43c15db42f42e52f3018db64af.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\Serveri.dll
  C:\Windows\system32\\Serveri.dll
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Windows\SysWOW64\Serveri.dll > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4508
- C:\Windows\SysWOW64\Serveri.dll
  C:\Windows\system32\\Serveri.dll
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:10572
- C:\Windows\SysWOW64\Serveri.dll
  C:\Windows\system32\\Serveri.dll
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:10604

C:\Windows\SysWOW64\Phxph.exe
C:\Windows\SysWOW64\Phxph.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:11492

C:\Windows\SysWOW64\Phxph.exe
C:\Windows\SysWOW64\Phxph.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:7356

C:\Windows\SysWOW64\Phxph.exe
C:\Windows\SysWOW64\Phxph.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:11136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Phxph.exe

Filesize
22.1MB

MD5
44d1ce29474bad8ada3d778af1dac0f3

SHA1
319f966cc44529a564f9d5d19e0fb99e0af2ea19

SHA256
d75217eccc9e4b9a2ccfb2819b1fdbf01a074042292bcf3162ec27a01b7ee1cf

SHA512
511ac3bfa10928190c7cb035a976c673fb758950ce4accde4a80b81b62ee0585d5d51930571ffa177fb1d63ecd4a770415bc09800cc5cd1ac6cb7efa16b7d025

Download Submit
\Windows\SysWOW64\Serveri.dll

Filesize
1.1MB

MD5
1144ea1e19cb2a42f7ad2fa04db8e476

SHA1
2ef6e0f9c5e57305bff6d30080cf68c1d3e101d9

SHA256
20569e9045f5c150eafa51752334b62c78b9dbc308d61dacfcb2098a76c5cf50

SHA512
3df308eafc0f014a07fbdeb706b32eb5de7e02a7496e70e5035d9b76db239435a2511964fc027380aad19763755c4e07e52f4e157b691c55c5a03d5b21593556

Download Submit
memory/1044-6-0x0000000002FB0000-0x00000000030D3000-memory.dmp

Filesize
1.1MB

Download
memory/1044-7886-0x0000000002FB0000-0x00000000030D3000-memory.dmp

Filesize
1.1MB

Download
memory/1044-7892-0x0000000002FB0000-0x00000000030D3000-memory.dmp

Filesize
1.1MB

Download
memory/1044-25285-0x0000000002FB0000-0x00000000030D3000-memory.dmp

Filesize
1.1MB

Download
memory/1044-27834-0x0000000002FB0000-0x00000000030D3000-memory.dmp

Filesize
1.1MB

Download
memory/1044-28582-0x0000000002FB0000-0x00000000030D3000-memory.dmp

Filesize
1.1MB

Download
memory/2692-544-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-534-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-552-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-572-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-570-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-568-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-566-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-564-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-562-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-560-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-558-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-556-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-554-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-550-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-548-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-546-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-9-0x0000000074D70000-0x0000000074DB7000-memory.dmp

Filesize
284KB

Download
memory/2692-542-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-540-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-538-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-536-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-514-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-532-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-530-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-528-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-526-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-524-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-522-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-520-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-518-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-574-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-516-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-512-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-511-0x0000000002140000-0x0000000002251000-memory.dmp

Filesize
1.1MB

Download
memory/2692-26485-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2692-8-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/7356-33992-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/7356-42680-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/10572-27835-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/10604-28583-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/11136-51383-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/11492-33980-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download