f19fdeb545b8d9aa73b3506ffe1867f3da17b240d0e346b38f3ff9f75c7bc66b

General

Target

fZQDwrtq.exe
Size

4.6MB
MD5

bf8e7e333f16566a67a33205d4d57d54
SHA1

cb4682b463004dac5af531a9396671642de53032
SHA256

f19fdeb545b8d9aa73b3506ffe1867f3da17b240d0e346b38f3ff9f75c7bc66b
SHA512

0b87e756425998231246a1c3da1d4ed6d70898103910357c15ec204428d4c4aa86f7adb8d5a6d4ce1a89a192595735caf754e6fc70e53c1319d10487a2761c1f

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

3900 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2856 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4300 systeminfo.exe

pid	process
3900	tasklist.exe

pid	process
2856	ipconfig.exe

pid	process
4300	systeminfo.exe

GoLang User-Agent 15 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	13	Go-http-client/1.1
HTTP User-Agent header	15	Go-http-client/1.1
HTTP User-Agent header	19	Go-http-client/1.1
HTTP User-Agent header	32	Go-http-client/1.1
HTTP User-Agent header	38	Go-http-client/1.1
HTTP User-Agent header	42	Go-http-client/1.1
HTTP User-Agent header	26	Go-http-client/1.1
HTTP User-Agent header	30	Go-http-client/1.1
HTTP User-Agent header	17	Go-http-client/1.1
HTTP User-Agent header	28	Go-http-client/1.1
HTTP User-Agent header	35	Go-http-client/1.1
HTTP User-Agent header	44	Go-http-client/1.1
HTTP User-Agent header	24	Go-http-client/1.1
HTTP User-Agent header	40	Go-http-client/1.1
HTTP User-Agent header	46	Go-http-client/1.1

Suspicious use of AdjustPrivilegeToken 379 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4116	wmic.exe
Token: SeSecurityPrivilege	4116	wmic.exe
Token: SeTakeOwnershipPrivilege	4116	wmic.exe
Token: SeLoadDriverPrivilege	4116	wmic.exe
Token: SeSystemProfilePrivilege	4116	wmic.exe
Token: SeSystemtimePrivilege	4116	wmic.exe
Token: SeProfSingleProcessPrivilege	4116	wmic.exe
Token: SeIncBasePriorityPrivilege	4116	wmic.exe
Token: SeCreatePagefilePrivilege	4116	wmic.exe
Token: SeBackupPrivilege	4116	wmic.exe
Token: SeRestorePrivilege	4116	wmic.exe
Token: SeShutdownPrivilege	4116	wmic.exe
Token: SeDebugPrivilege	4116	wmic.exe
Token: SeSystemEnvironmentPrivilege	4116	wmic.exe
Token: SeRemoteShutdownPrivilege	4116	wmic.exe
Token: SeUndockPrivilege	4116	wmic.exe
Token: SeManageVolumePrivilege	4116	wmic.exe
Token: 33	4116	wmic.exe
Token: 34	4116	wmic.exe
Token: 35	4116	wmic.exe
Token: 36	4116	wmic.exe
Token: SeIncreaseQuotaPrivilege	5104	wmic.exe
Token: SeSecurityPrivilege	5104	wmic.exe
Token: SeTakeOwnershipPrivilege	5104	wmic.exe
Token: SeLoadDriverPrivilege	5104	wmic.exe
Token: SeSystemProfilePrivilege	5104	wmic.exe
Token: SeSystemtimePrivilege	5104	wmic.exe
Token: SeProfSingleProcessPrivilege	5104	wmic.exe
Token: SeIncBasePriorityPrivilege	5104	wmic.exe
Token: SeCreatePagefilePrivilege	5104	wmic.exe
Token: SeBackupPrivilege	5104	wmic.exe
Token: SeRestorePrivilege	5104	wmic.exe
Token: SeShutdownPrivilege	5104	wmic.exe
Token: SeDebugPrivilege	5104	wmic.exe
Token: SeSystemEnvironmentPrivilege	5104	wmic.exe
Token: SeRemoteShutdownPrivilege	5104	wmic.exe
Token: SeUndockPrivilege	5104	wmic.exe
Token: SeManageVolumePrivilege	5104	wmic.exe
Token: 33	5104	wmic.exe
Token: 34	5104	wmic.exe
Token: 35	5104	wmic.exe
Token: 36	5104	wmic.exe
Token: SeIncreaseQuotaPrivilege	4200	wmic.exe
Token: SeSecurityPrivilege	4200	wmic.exe
Token: SeTakeOwnershipPrivilege	4200	wmic.exe
Token: SeLoadDriverPrivilege	4200	wmic.exe
Token: SeSystemProfilePrivilege	4200	wmic.exe
Token: SeSystemtimePrivilege	4200	wmic.exe
Token: SeProfSingleProcessPrivilege	4200	wmic.exe
Token: SeIncBasePriorityPrivilege	4200	wmic.exe
Token: SeCreatePagefilePrivilege	4200	wmic.exe
Token: SeBackupPrivilege	4200	wmic.exe
Token: SeRestorePrivilege	4200	wmic.exe
Token: SeShutdownPrivilege	4200	wmic.exe
Token: SeDebugPrivilege	4200	wmic.exe
Token: SeSystemEnvironmentPrivilege	4200	wmic.exe
Token: SeRemoteShutdownPrivilege	4200	wmic.exe
Token: SeUndockPrivilege	4200	wmic.exe
Token: SeManageVolumePrivilege	4200	wmic.exe
Token: 33	4200	wmic.exe
Token: 34	4200	wmic.exe
Token: 35	4200	wmic.exe
Token: 36	4200	wmic.exe
Token: SeIncreaseQuotaPrivilege	4116	wmic.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

fZQDwrtq.exe

description	pid	process	target process
PID 4644 wrote to memory of 5104	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 5104	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 5104	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 4116	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 4116	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 4116	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 4200	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 4200	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 4200	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 3020	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 3020	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 3020	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 4300	4644	fZQDwrtq.exe	systeminfo.exe
PID 4644 wrote to memory of 4300	4644	fZQDwrtq.exe	systeminfo.exe
PID 4644 wrote to memory of 4300	4644	fZQDwrtq.exe	systeminfo.exe
PID 4644 wrote to memory of 4368	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 4368	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 4368	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 636	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 636	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 636	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 1236	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 1236	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 1236	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 1584	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 1584	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 1584	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 1964	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 1964	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 1964	4644	fZQDwrtq.exe	wmic.exe
PID 4644 wrote to memory of 2856	4644	fZQDwrtq.exe	ipconfig.exe
PID 4644 wrote to memory of 2856	4644	fZQDwrtq.exe	ipconfig.exe
PID 4644 wrote to memory of 2856	4644	fZQDwrtq.exe	ipconfig.exe
PID 4644 wrote to memory of 3900	4644	fZQDwrtq.exe	tasklist.exe
PID 4644 wrote to memory of 3900	4644	fZQDwrtq.exe	tasklist.exe
PID 4644 wrote to memory of 3900	4644	fZQDwrtq.exe	tasklist.exe
PID 4644 wrote to memory of 4588	4644	fZQDwrtq.exe	sc.exe
PID 4644 wrote to memory of 4588	4644	fZQDwrtq.exe	sc.exe
PID 4644 wrote to memory of 4588	4644	fZQDwrtq.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\fZQDwrtq.exe
"C:\Users\Admin\AppData\Local\Temp\fZQDwrtq.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic process GET * /translate:nocomma /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic cpu GET * /translate:nocomma /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic path Win32_TimeZone GET * /translate:nocomma /format:csv
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic path Win32_NetworkAdapterConfiguration GET * /translate:nocomma /format:csv
2⤵
PID:3020

C:\Windows\SysWOW64\systeminfo.exe
systeminfo /fo csv
2⤵
- Gathers system information
PID:4300

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic service GET * /translate:nocomma /format:csv
2⤵
PID:4368

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic logicaldisk GET * /translate:nocomma /format:csv
2⤵
PID:636

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic path Win32_PnPEntity GET * /translate:nocomma /format:csv
2⤵
PID:1236

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic bios GET * /translate:nocomma /format:csv
2⤵
PID:1584

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os GET * /translate:nocomma /format:csv
2⤵
PID:1964

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
2⤵
- Gathers network information
PID:2856

C:\Windows\SysWOW64\tasklist.exe
tasklist /fo csv
2⤵
- Enumerates processes with tasklist
PID:3900

C:\Windows\SysWOW64\sc.exe
sc query type= service state= all
2⤵
PID:4588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-9-0x0000000000000000-mapping.dmp

Download
memory/1236-10-0x0000000000000000-mapping.dmp

Download
memory/1584-11-0x0000000000000000-mapping.dmp

Download
memory/1964-12-0x0000000000000000-mapping.dmp

Download
memory/2856-13-0x0000000000000000-mapping.dmp

Download
memory/3020-6-0x0000000000000000-mapping.dmp

Download
memory/3900-14-0x0000000000000000-mapping.dmp

Download
memory/4116-4-0x0000000000000000-mapping.dmp

Download
memory/4200-5-0x0000000000000000-mapping.dmp

Download
memory/4300-7-0x0000000000000000-mapping.dmp

Download
memory/4368-8-0x0000000000000000-mapping.dmp

Download
memory/4588-15-0x0000000000000000-mapping.dmp

Download
memory/4644-0-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/5104-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads