Analysis
  max time kernel: 150s
  max time network: 124s
  platform: windows10_x64
  resource: win10-en-20210920
  submitted: 20-10-2021 11:38

Static task: static1
Behavioral task: behavioral1
  Sample: 282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe
  Resource: win10-en-20210920

General
  Target: 282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe
  Size: 52KB
  MD5: 28945b625617cfdcc444b428de0a7a00
  SHA1: 9cab670cd0d11e901cdb3f197aa18f1a6e2930ba
  SHA256: 282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636
  SHA512: eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d
Malware Config
Signatures
Executes dropped EXE 3 IoCs
Processes:
  PID   Process
  928   q4wc:exe
  1296  Jpci0xA.exe
  3700  jF1JK:exe

Deletes itself 1 IoCs
Processes:
  PID   Process
  928   q4wc:exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  Process: 282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\iwSKn7iwqR = "C:\Users\Admin\AppData\Local\KOPoz7\pGOFbz.exe"
Drops desktop.ini file(s) 1 IoCs
Processes:
  Process: jF1JK:exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
Drops file in Program Files directory 64 IoCs
Processes:
  Process: jF1JK:exe (all 64 entries)
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms
  File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconOpenInRefocus.scale-100.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\ui-strings.js.locked
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.readme_txt
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXE8SharedExpat.dll.readme_txt
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf.readme_txt
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\ui-strings.js
  File created                  C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_de.dll.readme_txt
  File opened for modification  C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfont.properties.ja.readme_txt
  File created                  C:\Program Files\Microsoft Office\root\Templates\1033\EssentialLetter.dotx.readme_txt
  File opened for modification  C:\Program Files\VideoLAN\VLC\README.txt.readme_txt
  File opened for modification  C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.WINWORD.16.1033.hxn.locked
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\SLATE.INF.locked
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-256_altform-unplated.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\ui-strings.js
  File created                  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar.locked
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\fontmanager.dll.readme_txt
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-100_contrast-white.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\aquarium_13c.png
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.locked
  File opened for modification  C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll.readme_txt
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.readme_txt
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ul-oob.xrm-ms
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ro_get.svg.readme_txt
  File opened for modification  C:\Program Files\Mozilla Firefox\AccessibleHandler.dll
  File created                  C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\vlc.mo.locked
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Spiral.png
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\keystore\libfile_keystore_plugin.dll.locked
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_contrast-white.png
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms
  File created                  C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.readme_txt
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\SATIN.ELM
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons2x.png
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\ui-strings.js.locked
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png.locked
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner_process.svg.readme_txt
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js.locked
  File opened for modification  C:\Program Files\NewComplete.xla.locked
  File created                  C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms.readme_txt
  File created                  C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms.readme_txt
  File created                  C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.tree.dat.readme_txt
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js.locked
  File opened for modification  C:\Program Files (x86)\Common Files\System\Ole DB\msdatl3.dll
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.readme_txt
  File created                  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar.readme_txt
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\bin\dcpr.dll
  File created                  C:\Program Files\Java\jre1.8.0_66\bin\t2k.dll.locked
  File created                  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\xlsrvintl.dll.readme_txt
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small.png
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core_ja.jar.locked
  File opened for modification  C:\Program Files\Java\jre1.8.0_66\LICENSE
  File opened for modification  C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.locked
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fi_get.svg.readme_txt
  File opened for modification  C:\Program Files\UpdateExit.xlt.readme_txt
  File created                  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.readme_txt
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40.png
  File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml
Drops file in Windows directory 2 IoCs
Processes:
  Process: taskmgr.exe
  File created  C:\Windows\rescache\_merged\4183903823\1195458082.pri
  File created  C:\Windows\rescache\_merged\1601268389\3068621934.pri
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
In this run every one of these reads comes from taskmgr.exe (PID 2612), which appears as its own root in the process tree (`taskmgr.exe /4`) and has no parent or WriteProcessMemory relationship with the sample. The same holds for the other taskmgr.exe signatures below (EnumeratesProcesses, GetForegroundWindowSpam, AdjustPrivilegeToken, FindShellTrayWindow, SendNotifyMessage, the two .pri files under C:\Windows\rescache): they are normal Task Manager activity in the analysis VM, not sample behaviour, and should not be carried into detections or IoC lists.
Processes:
  Process: taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName
Discovers systems in the same network 1 TTPs 2 IoCs
(The two IoCs are the `net.exe view` and `net.exe view \\RSSLLXYN` commands spawned by q4wc:exe; see the process tree below.)

NTFS ADS 2 IoCs
Processes:
  Process           Description   IoC
  Jpci0xA.exe       File created  C:\Users\Admin\AppData\Local\jF1JK:exe
  282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe  File created  C:\Users\Admin\AppData\Local\q4wc:exe
In `C:\Users\Admin\AppData\Local\q4wc:exe` the `:exe` is not an extension but the name of an alternate data stream attached to a file called `q4wc`; likewise `jF1JK:exe` is the stream `exe` on a file `jF1JK`. Both streams are later executed directly by path. Explorer and a plain `dir` do not list streams; `dir /R` or PowerShell's `Get-Item -Path <file> -Stream *` do, and file-size and hash tooling that only reads the unnamed stream will miss the payload.

Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  PID   Process      Events
  2612  taskmgr.exe  64

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  PID   Process
  2612  taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  Description                       PID   Process
  Token: SeDebugPrivilege           2612  taskmgr.exe
  Token: SeSystemProfilePrivilege   2612  taskmgr.exe
  Token: SeCreateGlobalPrivilege    2612  taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
  PID   Process      Events
  2612  taskmgr.exe  64

Suspicious use of SendNotifyMessage 64 IoCs
Processes:
  PID   Process      Events
  2612  taskmgr.exe  64

Suspicious use of WriteProcessMemory 18 IoCs
Processes (each source/target pair was recorded three times):
  Source PID  Source process                                                                    Target PID  Target process  Events
  2432        282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe  1088        cmd.exe         3
  2432        282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe  928         q4wc:exe        3
  1088        cmd.exe                                                                           1296        Jpci0xA.exe     3
  928         q4wc:exe                                                                          764         net.exe         3
  1296        Jpci0xA.exe                                                                       3700        jF1JK:exe       3
  928         q4wc:exe                                                                          1696        net.exe         3
Processes
[1] C:\Users\Admin\AppData\Local\Temp\282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe"
    - Adds Run key to start application
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\cQbe4eP\Jpci0xA.exe 2
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\cQbe4eP\Jpci0xA.exe
            Command line: C:\Users\Admin\AppData\Local\cQbe4eP\Jpci0xA.exe 2
            - Executes dropped EXE
            - NTFS ADS
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\jF1JK:exe
                Command line: C:\Users\Admin\AppData\Local\jF1JK:exe 3 C:\Users\Admin\AppData\Local\cQbe4eP\Jpci0xA.exe
                - Executes dropped EXE
                - Drops desktop.ini file(s)
                - Drops file in Program Files directory
    [2] C:\Users\Admin\AppData\Local\q4wc:exe
        Command line: C:\Users\Admin\AppData\Local\q4wc:exe 1 C:\Users\Admin\AppData\Local\Temp\282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe
        - Executes dropped EXE
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\net.exe
            Command line: C:\Windows\system32\net.exe view
            - Discovers systems in the same network
        [3] C:\Windows\SysWOW64\net.exe
            Command line: C:\Windows\system32\net.exe view \\RSSLLXYN
            - Discovers systems in the same network
[1] C:\Windows\system32\taskmgr.exe (second root process, not a child of the sample)
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

Two details of the tree are worth reading off directly. Each copy of the binary is started with a stage number as its first argument (q4wc:exe 1, Jpci0xA.exe 2, jF1JK:exe 3), and stages 1 and 3 also receive the path of the binary that launched them; stage 1 is the copy that deletes itself and runs the `net view` discovery, stage 3 is the copy that rewrites Program Files. Second, cmd.exe and net.exe are recorded with SysWOW64 image paths although their command lines name System32: WOW64 file-system redirection resolves System32 to SysWOW64 for a 32-bit caller, so the sample and its copies are 32-bit processes.
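The behaviours in the tree above (an executable image that lives in an NTFS alternate data stream, a Run key pointing into AppData, `net view` spawned from that ADS-hosted copy, and one process appending `.locked` / `.readme_txt` to files of many different types under Program Files) translate directly into detection logic. The Python below is an added example written for this page; it is not part of the sandbox report and not code from the sample's authors. Its event records are constructed by hand to mirror the report's process tree, Run-key write and a subset of the 64 Program Files writes (the sample's long file name is shortened to sample.exe), and the event schema, field names, rule names and thresholds are assumptions of the example rather than the sandbox's export format.

```python
"""Detection rules derived from the sandbox report above (added example, not
the sandbox's or the sample's code). Replays hand-constructed events that
mirror the report's process tree, Run-key write and Program Files writes;
the event schema, field names, thresholds and rule names are assumptions."""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Paths a standard user can write to: a binary running from here, or a Run key
# pointing here, is the user-level persistence pattern seen in the report.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\|programdata\\|users\\public\\|windows\\temp\\)", re.I)
# NTFS alternate data stream in the final path component (...\q4wc:exe); the
# drive-letter colon is never in the final component, so it does not match.
ADS_PATH = re.compile(r"[\\/][^\\/:]+:[^\\/:]+$")
DISCOVERY = {("net.exe", "view"), ("net1.exe", "view")}
# A suffix is "appended by an encryptor" when >= MIN_FILES files received it and
# they had >= MIN_ORIGINAL_EXTS distinct original extensions (an installer
# writing many .dll.mui files does not trip this).
MIN_FILES, MIN_ORIGINAL_EXTS = 5, 3


def analyse(events):
    """Return one {rule, pid, detail} finding per matched (rule, process)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for p in procs.values():
        # Rule 1: the executable image itself lives in an alternate data stream.
        if ADS_PATH.search(p["image"]):
            findings.append({"rule": "ads_image", "pid": p["pid"], "detail": p["image"]})
        # Rule 2: discovery tool spawned by a process running from a user-writable path.
        parent = procs.get(p["ppid"])
        exe = p["image"].rsplit("\\", 1)[-1].lower()
        argv = p["cmdline"].split()
        verb = argv[1].lower() if len(argv) > 1 else ""
        if (exe, verb) in DISCOVERY and parent and USER_WRITABLE.match(parent["image"]):
            findings.append({"rule": "discovery_from_user_writable", "pid": p["pid"],
                             "detail": f"{p['cmdline']} <- {parent['image']}"})
    # Rule 3: Run key whose target is in a user-writable directory.
    for e in events:
        if (e["type"] == "registry" and "\\currentversion\\run\\" in e["key"].lower()
                and USER_WRITABLE.match(e["value"].strip('"'))):
            findings.append({"rule": "run_key_user_writable", "pid": e["pid"], "detail": e["value"]})
    # Rule 4: one process appending the same new suffix to files of many types
    # (the .locked / .readme_txt writes under Program Files in the report).
    counts = defaultdict(Counter)                    # pid -> suffix -> files
    origins = defaultdict(lambda: defaultdict(set))  # pid -> suffix -> original exts
    for e in events:
        if e["type"] == "file" and e["op"] in ("created", "modified"):
            sfx = [s.lower() for s in PureWindowsPath(e["path"]).suffixes]
            if len(sfx) >= 2:
                counts[e["pid"]][sfx[-1]] += 1
                origins[e["pid"]][sfx[-1]].add(sfx[-2])
    for pid, by_suffix in counts.items():
        hits = sorted(s for s, n in by_suffix.items()
                      if n >= MIN_FILES and len(origins[pid][s]) >= MIN_ORIGINAL_EXTS)
        if hits:
            findings.append({"rule": "mass_appended_suffix", "pid": pid, "detail": hits})
    return findings


# Constructed events mirroring the report (sample name shortened to sample.exe,
# a subset of the Program Files writes, taskmgr.exe kept as environment noise).
L = r"C:\Users\Admin\AppData\Local"
PF, PF86 = r"C:\Program Files", r"C:\Program Files (x86)"
ADOBE = PF86 + r"\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins"
OFFICE = PF + r"\Microsoft Office\root"


def proc(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def fwrite(pid, op, path):
    return {"type": "file", "pid": pid, "op": op, "path": path}


EVENTS = [
    proc(2432, 0, L + r"\Temp\sample.exe", f'"{L}\\Temp\\sample.exe"'),
    {"type": "registry", "pid": 2432, "value": L + r"\KOPoz7\pGOFbz.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\iwSKn7iwqR"},
    proc(1088, 2432, r"C:\Windows\SysWOW64\cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /c {L}\\cQbe4eP\\Jpci0xA.exe 2'),
    proc(928, 2432, L + r"\q4wc:exe", f"{L}\\q4wc:exe 1 {L}\\Temp\\sample.exe"),
    proc(1296, 1088, L + r"\cQbe4eP\Jpci0xA.exe", f"{L}\\cQbe4eP\\Jpci0xA.exe 2"),
    proc(3700, 1296, L + r"\jF1JK:exe", f"{L}\\jF1JK:exe 3 {L}\\cQbe4eP\\Jpci0xA.exe"),
    proc(764, 928, r"C:\Windows\SysWOW64\net.exe", r"C:\Windows\system32\net.exe view"),
    proc(1696, 928, r"C:\Windows\SysWOW64\net.exe", r"C:\Windows\system32\net.exe view \\RSSLLXYN"),
    proc(2612, 0, r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /4'),
    fwrite(3700, "created", ADOBE + r"\editpdf\js\nls\es-es\ui-strings.js.locked"),
    fwrite(3700, "modified", OFFICE + r"\vfs\Common AppData\Microsoft Help\MS.WINWORD.16.1033.hxn.locked"),
    fwrite(3700, "modified", OFFICE + r"\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\SLATE.INF.locked"),
    fwrite(3700, "created", PF + r"\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar.locked"),
    fwrite(3700, "modified", OFFICE + r"\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.locked"),
    fwrite(3700, "modified", OFFICE + r"\Client\msvcp140.dll.locked"),
    fwrite(3700, "modified", PF + r"\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.readme_txt"),
    fwrite(3700, "modified", PF + r"\Java\jdk1.8.0_66\jre\lib\psfont.properties.ja.readme_txt"),
    fwrite(3700, "created", OFFICE + r"\Templates\1033\EssentialLetter.dotx.readme_txt"),
    fwrite(3700, "modified", PF + r"\VideoLAN\VLC\README.txt.readme_txt"),
    fwrite(3700, "created", ADOBE + r"\sample-files\assets\Sample Files\Adobe Cloud Services.pdf.readme_txt"),
    fwrite(3700, "modified", PF + r"\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui"),  # ordinary write
    fwrite(2612, "created", r"C:\Windows\rescache\_merged\4183903823\1195458082.pri"),
]

if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"{f['rule']:<28} pid={f['pid']:<5} {f['detail']}")
```

Rule 1 is the cheapest and most specific signal on this page; rules 2 and 3 key on the user-writable location that ties persistence, the ADS copies and the discovery commands together. Rule 4 is a heuristic: requiring several distinct original extensions under the same appended suffix is what separates an encryptor from an installer or localisation update, and the two thresholds need tuning against a baseline of the fleet's normal file activity before they are used for alerting. On the constructed events the taskmgr.exe process produces no finding, which matches the reading of the signatures above as environment noise.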
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Every dropped file below carries exactly the hashes of the submitted sample (MD5 28945b625617cfdcc444b428de0a7a00, SHA256 282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636): the binary copies itself into the two alternate data streams, into cQbe4eP\Jpci0xA.exe and into the Run-key target KOPoz7\pGOFbz.exe rather than dropping a distinct payload, so a single hash-based block covers the sample and all of its on-disk copies.

  C:\Users\Admin\AppData\Local\KOPoz7\pGOFbz.exe
    MD5     28945b625617cfdcc444b428de0a7a00
    SHA1    9cab670cd0d11e901cdb3f197aa18f1a6e2930ba
    SHA256  282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636
    SHA512  eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

  C:\Users\Admin\AppData\Local\cQbe4eP\Jpci0xA.exe
    MD5     28945b625617cfdcc444b428de0a7a00
    SHA1    9cab670cd0d11e901cdb3f197aa18f1a6e2930ba
    SHA256  282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636
    SHA512  eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

  C:\Users\Admin\AppData\Local\cQbe4eP\Jpci0xA.exe
    MD5     28945b625617cfdcc444b428de0a7a00
    SHA1    9cab670cd0d11e901cdb3f197aa18f1a6e2930ba
    SHA256  282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636
    SHA512  eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

  C:\Users\Admin\AppData\Local\jF1JK:exe
    MD5     28945b625617cfdcc444b428de0a7a00
    SHA1    9cab670cd0d11e901cdb3f197aa18f1a6e2930ba
    SHA256  282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636
    SHA512  eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

  C:\Users\Admin\AppData\Local\jF1JK:exe
    MD5     28945b625617cfdcc444b428de0a7a00
    SHA1    9cab670cd0d11e901cdb3f197aa18f1a6e2930ba
    SHA256  282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636
    SHA512  eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

  C:\Users\Admin\AppData\Local\q4wc:exe
    MD5     28945b625617cfdcc444b428de0a7a00
    SHA1    9cab670cd0d11e901cdb3f197aa18f1a6e2930ba
    SHA256  282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636
    SHA512  eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

  C:\Users\Admin\AppData\Local\q4wc:exe
    MD5     28945b625617cfdcc444b428de0a7a00
    SHA1    9cab670cd0d11e901cdb3f197aa18f1a6e2930ba
    SHA256  282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636
    SHA512  eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

Memory dumps (one per child process, named <pid>-<sequence>):
  memory/764-122-0x0000000000000000-mapping.dmp
  memory/928-116-0x0000000000000000-mapping.dmp
  memory/1088-115-0x0000000000000000-mapping.dmp
  memory/1296-119-0x0000000000000000-mapping.dmp
  memory/1696-126-0x0000000000000000-mapping.dmp
  memory/3700-123-0x0000000000000000-mapping.dmp