Analysis
-
max time kernel
146s -
max time network
148s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
30-10-2020 20:19
General
-
Target
fZQDwrtq.exe
-
Size
4.6MB
-
MD5
bf8e7e333f16566a67a33205d4d57d54
-
SHA1
cb4682b463004dac5af531a9396671642de53032
-
SHA256
f19fdeb545b8d9aa73b3506ffe1867f3da17b240d0e346b38f3ff9f75c7bc66b
-
SHA512
0b87e756425998231246a1c3da1d4ed6d70898103910357c15ec204428d4c4aa86f7adb8d5a6d4ce1a89a192595735caf754e6fc70e53c1319d10487a2761c1f
Score
6/10
Malware Config
Signatures
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Modifies service 2 TTPs 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
GoLang User-Agent 15 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious use of AdjustPrivilegeToken 361 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fZQDwrtq.exe"C:\Users\Admin\AppData\Local\Temp\fZQDwrtq.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic cpu GET * /translate:nocomma /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic process GET * /translate:nocomma /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_TimeZone GET * /translate:nocomma /format:csv2⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_NetworkAdapterConfiguration GET * /translate:nocomma /format:csv2⤵
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo /fo csv2⤵
- Gathers system information
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic service GET * /translate:nocomma /format:csv2⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic logicaldisk GET * /translate:nocomma /format:csv2⤵
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic path Win32_PnPEntity GET * /translate:nocomma /format:csv2⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all2⤵
- Modifies service
- Gathers network information
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic bios GET * /translate:nocomma /format:csv2⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /fo csv2⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic os GET * /translate:nocomma /format:csv2⤵
-
C:\Windows\SysWOW64\sc.exesc query type= service state= all2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/288-0-0x0000000000400000-0x00000000008AE000-memory.dmpFilesize
4.7MB
-
memory/440-10-0x0000000000000000-mapping.dmp
-
memory/476-17-0x0000000000000000-mapping.dmp
-
memory/1036-13-0x0000000000000000-mapping.dmp
-
memory/1068-16-0x0000000000000000-mapping.dmp
-
memory/1076-14-0x0000000000000000-mapping.dmp
-
memory/1184-6-0x0000000000000000-mapping.dmp
-
memory/1192-11-0x0000000000000000-mapping.dmp
-
memory/1272-8-0x0000000000000000-mapping.dmp
-
memory/1460-12-0x0000000000000000-mapping.dmp
-
memory/1704-9-0x0000000000000000-mapping.dmp
-
memory/1704-18-0x0000000000000000-mapping.dmp
-
memory/1760-15-0x0000000000000000-mapping.dmp
-
memory/1964-7-0x0000000000000000-mapping.dmp