6d69b17bda1ff9f48b17c493291a93d5f98d0ae2395d326cdbae41c96d3ccd87

Resubmissions

29-06-2024 03:36

240629-d54zxstbmq 10

28-06-2024 13:39

240628-qygbhasdle 10

28-06-2024 13:29

240628-qq9yvavdjm 3

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YuQu Loader.rar (USE ONLY IF NOT WORKING).zip
Size

117.4MB
MD5

3ea9457e45cbb04a30aa8ae12ab71891
SHA1

26259b9ec0d8d32a003ec64060672aaf27beae85
SHA256

6d69b17bda1ff9f48b17c493291a93d5f98d0ae2395d326cdbae41c96d3ccd87
SHA512

f60abc13879eb2d488b4885c36d77e96f398f55c5f181006e5c9a4e8bb1686f5c584c99fcf57482fe521d81fb9b46e5ec5ec6f1e1acaa24500585d54fa674aa1
SSDEEP

3145728:2hJPhl2pXF40X0xnav4as6dpfp9M3cOPyc:2DPLcmMLs6np9MJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

YuQu Loader.exeYuQu Loader.exe

pid process

3020 YuQu Loader.exe
1932 YuQu Loader.exe
Loads dropped DLL 6 IoCs

Processes:

WerFault.exeWerFault.exe

pid process

1116 WerFault.exe
1116 WerFault.exe
1116 WerFault.exe
1008 WerFault.exe
1008 WerFault.exe
1008 WerFault.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1116 3020 WerFault.exe YuQu Loader.exe
1008 1932 WerFault.exe YuQu Loader.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description pid process

Token: SeRestorePrivilege 2264 7zG.exe
Token: 35 2264 7zG.exe
Token: SeSecurityPrivilege 2264 7zG.exe
Token: SeSecurityPrivilege 2264 7zG.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

2264 7zG.exe

pid	process
3020	YuQu Loader.exe
1932	YuQu Loader.exe

pid	process
1116	WerFault.exe
1116	WerFault.exe
1116	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe
1008	WerFault.exe

pid	pid_target	process	target process
1116	3020	WerFault.exe	YuQu Loader.exe
1008	1932	WerFault.exe	YuQu Loader.exe

description	pid	process
Token: SeRestorePrivilege	2264	7zG.exe
Token: 35	2264	7zG.exe
Token: SeSecurityPrivilege	2264	7zG.exe
Token: SeSecurityPrivilege	2264	7zG.exe

pid	process
2264	7zG.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

YuQu Loader.exeYuQu Loader.exe

description	pid	process	target process
PID 3020 wrote to memory of 1116	3020	YuQu Loader.exe	WerFault.exe
PID 3020 wrote to memory of 1116	3020	YuQu Loader.exe	WerFault.exe
PID 3020 wrote to memory of 1116	3020	YuQu Loader.exe	WerFault.exe
PID 3020 wrote to memory of 1116	3020	YuQu Loader.exe	WerFault.exe
PID 1932 wrote to memory of 1008	1932	YuQu Loader.exe	WerFault.exe
PID 1932 wrote to memory of 1008	1932	YuQu Loader.exe	WerFault.exe
PID 1932 wrote to memory of 1008	1932	YuQu Loader.exe	WerFault.exe
PID 1932 wrote to memory of 1008	1932	YuQu Loader.exe	WerFault.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\YuQu Loader.rar (USE ONLY IF NOT WORKING).zip"
1⤵
PID:616

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2168

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\YuQu Loader.rar (USE ONLY IF NOT WORKING)\" -spe -an -ai#7zMap8701:162:7zEvent9618
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2264

C:\Users\Admin\AppData\Local\Temp\YuQu Loader.rar (USE ONLY IF NOT WORKING)\YuQu Loader\YuQu Loader.exe
"C:\Users\Admin\AppData\Local\Temp\YuQu Loader.rar (USE ONLY IF NOT WORKING)\YuQu Loader\YuQu Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 96
2⤵
- Loads dropped DLL
- Program crash
PID:1116

C:\Users\Admin\AppData\Local\Temp\YuQu Loader.rar (USE ONLY IF NOT WORKING)\YuQu Loader\YuQu Loader.exe
"C:\Users\Admin\AppData\Local\Temp\YuQu Loader.rar (USE ONLY IF NOT WORKING)\YuQu Loader\YuQu Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 96
2⤵
- Loads dropped DLL
- Program crash
PID:1008

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YuQu Loader.rar (USE ONLY IF NOT WORKING)\YuQu Loader\Debug\x364.dll
Filesize
17.0MB

MD5
8b6e3f0cd5bcd2cf2ce2e16fe7070dc3

SHA1
ab47e5bde61d65f14a2ef72fedab2320ef282d5a

SHA256
a4ce9a380d6faedeef5b29874c9f47d122a27e038503ef4ca1e2d3a8b528c9d5

SHA512
61a518fffcf76802ef016d0f77f738dc1754832fed8202f7106262a3c4ea6d5ac213297839a6e78e365608ab9e7f4eb04f30c9d025ecfa45f8fcb7c47c2a87e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuQu Loader.rar (USE ONLY IF NOT WORKING)\YuQu Loader\YuQu Loader.exe
Filesize
513KB

MD5
b4d55322e5018943ce7bd23eef86aaaa

SHA1
fe67bceb035897925d46a49cb21dad2f94ca785b

SHA256
67c7720694e4f280f0b7f398f6355b5a452673dce008d76d99279078a750b5df

SHA512
7956308b35f91932ab03c38e9e6ba0ad518781c29194b3e51925f1006446abe209570988bab4ba2b989093ab331353535ac21c622ca6ac5b9158d85c934733ef

Download Submit
memory/3020-149-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads