f19fdeb545b8d9aa73b3506ffe1867f3da17b240d0e346b38f3ff9f75c7bc66b

General

Target

fZQDwrtq.exe
Size

4.6MB
MD5

bf8e7e333f16566a67a33205d4d57d54
SHA1

cb4682b463004dac5af531a9396671642de53032
SHA256

f19fdeb545b8d9aa73b3506ffe1867f3da17b240d0e346b38f3ff9f75c7bc66b
SHA512

0b87e756425998231246a1c3da1d4ed6d70898103910357c15ec204428d4c4aa86f7adb8d5a6d4ce1a89a192595735caf754e6fc70e53c1319d10487a2761c1f

Score

6^/10

discovery persistence

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

ipconfig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	ipconfig.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	ipconfig.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1068 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1076 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

440 systeminfo.exe

pid	process
1068	tasklist.exe

pid	process
1076	ipconfig.exe

pid	process
440	systeminfo.exe

GoLang User-Agent 15 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	5	Go-http-client/1.1
HTTP User-Agent header	25	Go-http-client/1.1
HTTP User-Agent header	27	Go-http-client/1.1
HTTP User-Agent header	33	Go-http-client/1.1
HTTP User-Agent header	14	Go-http-client/1.1
HTTP User-Agent header	18	Go-http-client/1.1
HTTP User-Agent header	20	Go-http-client/1.1
HTTP User-Agent header	35	Go-http-client/1.1
HTTP User-Agent header	7	Go-http-client/1.1
HTTP User-Agent header	12	Go-http-client/1.1
HTTP User-Agent header	16	Go-http-client/1.1
HTTP User-Agent header	22	Go-http-client/1.1
HTTP User-Agent header	8	Go-http-client/1.1
HTTP User-Agent header	29	Go-http-client/1.1
HTTP User-Agent header	31	Go-http-client/1.1

Suspicious use of AdjustPrivilegeToken 361 IoCs

Processes:

wmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1184	wmic.exe
Token: SeSecurityPrivilege	1184	wmic.exe
Token: SeTakeOwnershipPrivilege	1184	wmic.exe
Token: SeLoadDriverPrivilege	1184	wmic.exe
Token: SeSystemProfilePrivilege	1184	wmic.exe
Token: SeSystemtimePrivilege	1184	wmic.exe
Token: SeProfSingleProcessPrivilege	1184	wmic.exe
Token: SeIncBasePriorityPrivilege	1184	wmic.exe
Token: SeCreatePagefilePrivilege	1184	wmic.exe
Token: SeBackupPrivilege	1184	wmic.exe
Token: SeRestorePrivilege	1184	wmic.exe
Token: SeShutdownPrivilege	1184	wmic.exe
Token: SeDebugPrivilege	1184	wmic.exe
Token: SeSystemEnvironmentPrivilege	1184	wmic.exe
Token: SeRemoteShutdownPrivilege	1184	wmic.exe
Token: SeUndockPrivilege	1184	wmic.exe
Token: SeManageVolumePrivilege	1184	wmic.exe
Token: 33	1184	wmic.exe
Token: 34	1184	wmic.exe
Token: 35	1184	wmic.exe
Token: SeIncreaseQuotaPrivilege	1964	wmic.exe
Token: SeSecurityPrivilege	1964	wmic.exe
Token: SeTakeOwnershipPrivilege	1964	wmic.exe
Token: SeLoadDriverPrivilege	1964	wmic.exe
Token: SeSystemProfilePrivilege	1964	wmic.exe
Token: SeSystemtimePrivilege	1964	wmic.exe
Token: SeProfSingleProcessPrivilege	1964	wmic.exe
Token: SeIncBasePriorityPrivilege	1964	wmic.exe
Token: SeCreatePagefilePrivilege	1964	wmic.exe
Token: SeBackupPrivilege	1964	wmic.exe
Token: SeRestorePrivilege	1964	wmic.exe
Token: SeShutdownPrivilege	1964	wmic.exe
Token: SeDebugPrivilege	1964	wmic.exe
Token: SeSystemEnvironmentPrivilege	1964	wmic.exe
Token: SeRemoteShutdownPrivilege	1964	wmic.exe
Token: SeUndockPrivilege	1964	wmic.exe
Token: SeManageVolumePrivilege	1964	wmic.exe
Token: 33	1964	wmic.exe
Token: 34	1964	wmic.exe
Token: 35	1964	wmic.exe
Token: SeIncreaseQuotaPrivilege	1184	wmic.exe
Token: SeSecurityPrivilege	1184	wmic.exe
Token: SeTakeOwnershipPrivilege	1184	wmic.exe
Token: SeLoadDriverPrivilege	1184	wmic.exe
Token: SeSystemProfilePrivilege	1184	wmic.exe
Token: SeSystemtimePrivilege	1184	wmic.exe
Token: SeProfSingleProcessPrivilege	1184	wmic.exe
Token: SeIncBasePriorityPrivilege	1184	wmic.exe
Token: SeCreatePagefilePrivilege	1184	wmic.exe
Token: SeBackupPrivilege	1184	wmic.exe
Token: SeRestorePrivilege	1184	wmic.exe
Token: SeShutdownPrivilege	1184	wmic.exe
Token: SeDebugPrivilege	1184	wmic.exe
Token: SeSystemEnvironmentPrivilege	1184	wmic.exe
Token: SeRemoteShutdownPrivilege	1184	wmic.exe
Token: SeUndockPrivilege	1184	wmic.exe
Token: SeManageVolumePrivilege	1184	wmic.exe
Token: 33	1184	wmic.exe
Token: 34	1184	wmic.exe
Token: 35	1184	wmic.exe
Token: SeIncreaseQuotaPrivilege	1964	wmic.exe
Token: SeSecurityPrivilege	1964	wmic.exe
Token: SeTakeOwnershipPrivilege	1964	wmic.exe
Token: SeLoadDriverPrivilege	1964	wmic.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

fZQDwrtq.exe

description	pid	process	target process
PID 288 wrote to memory of 1184	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1184	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1184	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1184	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1964	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1964	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1964	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1964	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1272	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1272	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1272	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1272	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1704	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1704	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1704	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1704	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 440	288	fZQDwrtq.exe	systeminfo.exe
PID 288 wrote to memory of 440	288	fZQDwrtq.exe	systeminfo.exe
PID 288 wrote to memory of 440	288	fZQDwrtq.exe	systeminfo.exe
PID 288 wrote to memory of 440	288	fZQDwrtq.exe	systeminfo.exe
PID 288 wrote to memory of 1192	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1192	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1192	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1192	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1460	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1460	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1460	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1460	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1036	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1036	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1036	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1036	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1076	288	fZQDwrtq.exe	ipconfig.exe
PID 288 wrote to memory of 1076	288	fZQDwrtq.exe	ipconfig.exe
PID 288 wrote to memory of 1076	288	fZQDwrtq.exe	ipconfig.exe
PID 288 wrote to memory of 1076	288	fZQDwrtq.exe	ipconfig.exe
PID 288 wrote to memory of 1760	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1760	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1760	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1760	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1068	288	fZQDwrtq.exe	tasklist.exe
PID 288 wrote to memory of 1068	288	fZQDwrtq.exe	tasklist.exe
PID 288 wrote to memory of 1068	288	fZQDwrtq.exe	tasklist.exe
PID 288 wrote to memory of 1068	288	fZQDwrtq.exe	tasklist.exe
PID 288 wrote to memory of 476	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 476	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 476	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 476	288	fZQDwrtq.exe	wmic.exe
PID 288 wrote to memory of 1704	288	fZQDwrtq.exe	sc.exe
PID 288 wrote to memory of 1704	288	fZQDwrtq.exe	sc.exe
PID 288 wrote to memory of 1704	288	fZQDwrtq.exe	sc.exe
PID 288 wrote to memory of 1704	288	fZQDwrtq.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\fZQDwrtq.exe
"C:\Users\Admin\AppData\Local\Temp\fZQDwrtq.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic cpu GET * /translate:nocomma /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic process GET * /translate:nocomma /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic path Win32_TimeZone GET * /translate:nocomma /format:csv
2⤵
PID:1272

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic path Win32_NetworkAdapterConfiguration GET * /translate:nocomma /format:csv
2⤵
PID:1704

C:\Windows\SysWOW64\systeminfo.exe
systeminfo /fo csv
2⤵
- Gathers system information
PID:440

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic service GET * /translate:nocomma /format:csv
2⤵
PID:1192

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic logicaldisk GET * /translate:nocomma /format:csv
2⤵
PID:1460

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic path Win32_PnPEntity GET * /translate:nocomma /format:csv
2⤵
PID:1036

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
2⤵
- Modifies service
- Gathers network information
PID:1076

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic bios GET * /translate:nocomma /format:csv
2⤵
PID:1760

C:\Windows\SysWOW64\tasklist.exe
tasklist /fo csv
2⤵
- Enumerates processes with tasklist
PID:1068

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os GET * /translate:nocomma /format:csv
2⤵
PID:476

C:\Windows\SysWOW64\sc.exe
sc query type= service state= all
2⤵
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-0-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/440-10-0x0000000000000000-mapping.dmp

Download
memory/476-17-0x0000000000000000-mapping.dmp

Download
memory/1036-13-0x0000000000000000-mapping.dmp

Download
memory/1068-16-0x0000000000000000-mapping.dmp

Download
memory/1076-14-0x0000000000000000-mapping.dmp

Download
memory/1184-6-0x0000000000000000-mapping.dmp

Download
memory/1192-11-0x0000000000000000-mapping.dmp

Download
memory/1272-8-0x0000000000000000-mapping.dmp

Download
memory/1460-12-0x0000000000000000-mapping.dmp

Download
memory/1704-9-0x0000000000000000-mapping.dmp

Download
memory/1704-18-0x0000000000000000-mapping.dmp

Download
memory/1760-15-0x0000000000000000-mapping.dmp

Download
memory/1964-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads