Analysis
- max time kernel: 139s
- max time network: 135s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 03-12-2024 15:01
Static task
- static1
Behavioral tasks
- behavioral1: sample QtCore4.dll, resource win11-20241007-en
- behavioral2: sample QtGui4.dll, resource win11-20241007-en
- behavioral3: sample QtNetwork4.dll, resource win11-20241007-en
- behavioral4: sample QtWebKit4.dll, resource win11-20241007-en
- behavioral5: sample msvcp100.dll, resource win11-20241007-en
- behavioral6: sample msvcr100.dll, resource win11-20241007-en
- behavioral7: sample qLauncher.exe, resource win11-20241007-en
- behavioral8: sample sewtei, resource win11-20241023-en
- behavioral9: sample ygyg, resource win11-20241007-en
General
- Target: qLauncher.exe
- Size: 80KB
- MD5: 2a8613b7d99903516b8fe02fd820bf52
- SHA1: 78a96addcb556ab1d490fac80f929305263d06b9
- SHA256: f1d68c5e7c7660d4f2ce412c109b7fe3e088872fa0ebe61ca9ab9dd92a496407
- SHA512: af0902aeb6169ea507b787da7b61c3533df4610c3f51c1d8f65dfc9008c8ce2580f2d86a49a4d0acc2c51c731f3e4c447d0d1d8e779dc1c75e43d30b79c46436
- SSDEEP: 1536:9A8oAY5SXfidLez+Q+EGfdUHLLXJ+CqoVpPBucQwk7qnKXKo5OMY8xk03ben8TK:M7Ohz+Q+EGlUHLLXJ+CqoTPBucQwktXS
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / procid_target):
  - PID 1012 set thread context of 3944 / 1012 / qLauncher.exe / 77
- Drops file in Windows directory (1 IoC)
  Processes (description / ioc / process):
  - File created / C:\Windows\Tasks\NVIDIA Container QS 64.job / more.com
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / qLauncher.exe
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / more.com
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language / explorer.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
  - 1012 / qLauncher.exe
  - 1012 / qLauncher.exe
  - 1012 / qLauncher.exe
  - 1012 / qLauncher.exe
  - 3944 / more.com
  - 3944 / more.com
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid / process):
  - 1012 / qLauncher.exe
  - 3944 / more.com
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / procid_target):
  - PID 1012 wrote to memory of 3944 / 1012 / qLauncher.exe / 77
  - PID 1012 wrote to memory of 3944 / 1012 / qLauncher.exe / 77
  - PID 1012 wrote to memory of 3944 / 1012 / qLauncher.exe / 77
  - PID 1012 wrote to memory of 3944 / 1012 / qLauncher.exe / 77
  - PID 3944 wrote to memory of 1580 / 3944 / more.com / 81
  - PID 3944 wrote to memory of 1580 / 3944 / more.com / 81
  - PID 3944 wrote to memory of 1580 / 3944 / more.com / 81
  - PID 3944 wrote to memory of 1580 / 3944 / more.com / 81
  - PID 3944 wrote to memory of 1580 / 3944 / more.com / 81
Processes
- C:\Users\Admin\AppData\Local\Temp\qLauncher.exe (PID 1012)
  Command line: "C:\Users\Admin\AppData\Local\Temp\qLauncher.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\more.com (PID 3944)
    Command line: C:\Windows\SysWOW64\more.com
    Signatures:
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\explorer.exe (PID 1580)
      Command line: C:\Windows\SysWOW64\explorer.exe
      Signatures:
      - System Location Discovery: System Language Discovery
- C:\Windows\System32\rundll32.exe (PID 4856)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6.3MB
- MD5: b84c26cd97c4944486b8d1cabfa47b3f
- SHA1: 185890cfac9739d242499f504a1fb20dee06314c
- SHA256: 8428984e44f7e181cb53183dc55713e6e6911aa8de171602fc88ae58e8e8185f
- SHA512: 98a36651768df8aea450e048180052183e3d849d6e333d7605d62da107108e06a08f480992467d95412272353e8358266360907e559b8a84876fd7ea7431546d