Overview

overview

10

Static

static

DCQPKX.bin

windows7_x64

10

DCQPKX.bin

windows10_x64

10

Resubmissions

19-01-2023 17:08

230119-vnk9xsgf64 4

04-12-2021 17:54

211204-wg7d9abdeq 10

Analysis

  • max time kernel
    134s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    04-12-2021 17:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCQPKX.bin

  • Size

    118KB

  • MD5

    10f237e6da56cf46bfd0ea8c22544bee

  • SHA1

    d83d7974796fd286f24dd606cf11b444ca55e249

  • SHA256

    6f4c49af2816b18488a1f4e2c08380c719df849c7030652e4971332ba3100927

  • SHA512

    834b6c9b3cfe740c3c0560f974e399d9efd2ca4586580bf148a43285b2cc4c0ad21ed05869587143be448f6fb42fa4b8dea9f2a2c585c4bfb77ba8056130c1ab

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Disables Task Manager via registry modification
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\DCQPKX.bin
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:656
    • C:\Users\Admin\AppData\Local\Temp\DCQPKX.bin
      C:\Users\Admin\AppData\Local\Temp\DCQPKX.bin
      2⤵
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:572
      • C:\Program Files\System32\Argos.exe
        "C:\Program Files\System32\Argos.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:836
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 836 -s 780
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:108
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\WriteUninstall.htm
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1540 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      PID:1276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\System32\Argos.exe
    MD5

    85149ce849c4468a1cd6179c88814de2

    SHA1

    44099a40b7af2da7e7435d62de84589813580178

    SHA256

    7bb72f6d4ea8c4008bf51cc0817db28cbf18bdaa3862509d6aa0f842d7822daf

    SHA512

    d3b1d7a0bded732c51f838116a66d7ae361f1a9c785a1b4ae774b512199182588e12c2489ee75785b291455f87e2dc3a3d1cb92b00c8cb0ce0e60db86cd74272

    Download Submit
  • C:\Program Files\System32\Argos.exe
    MD5

    85149ce849c4468a1cd6179c88814de2

    SHA1

    44099a40b7af2da7e7435d62de84589813580178

    SHA256

    7bb72f6d4ea8c4008bf51cc0817db28cbf18bdaa3862509d6aa0f842d7822daf

    SHA512

    d3b1d7a0bded732c51f838116a66d7ae361f1a9c785a1b4ae774b512199182588e12c2489ee75785b291455f87e2dc3a3d1cb92b00c8cb0ce0e60db86cd74272

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    MD5

    acaeda60c79c6bcac925eeb3653f45e0

    SHA1

    2aaae490bcdaccc6172240ff1697753b37ac5578

    SHA256

    6b0ceccf0103afd89844761417c1d23acc41f8aebf3b7230765209b61eee5658

    SHA512

    feaa6e7ed7dda1583739b3e531ab5c562a222ee6ecd042690ae7dcff966717c6e968469a7797265a11f6e899479ae0f3031e8cf5bebe1492d5205e9c59690900

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    a364698f173b591caff462baccd45635

    SHA1

    dcb4e589eef3d1bf4b0f6816357f644f89df5502

    SHA256

    bb17758b7202efff4be2f2ba9512a05680e5d8146916e55a3ec43ad924f8046a

    SHA512

    d6358ebe8364670da04e97062aff73da990564aec2157cdb2286fddbb508227b41aebe750679169063128ab88e920d49d638fdc0db2b1e03b300769304e5c3a4

    Download Submit
  • C:\Users\Admin\Desktop\._cache_ARGOS.exe
    MD5

    8ed6556cd7f9533c8c2657eb0250219b

    SHA1

    a2e40c11b14efe1d8c1b4e602e6257b4545fd95e

    SHA256

    0067207bcaeba1d05b5a6d985f93fecd33c4d091825a30a60e6757e56c07f2b0

    SHA512

    6d9186ea6674ba1c9a1ea9fa036196fd764e9c41e149fd884529dd6bc21ba9bcd132689050a0a229af1055d35617e23fad3c11feac8f5f51e8531c195f9191bc

    Download Submit
  • C:\Users\Admin\Desktop\README.txt
    MD5

    8b3e49acf59c25c4bc99e11fe8e06f21

    SHA1

    20f1b205454871df2862cda882bd6150a97823ec

    SHA256

    3f618be70b390efbbffc37ebda76d8ae1e48155be72ff796d187c7891754875b

    SHA512

    a0026bacecd0b6f8b7efc5d87c1f10ced199d76b3cd4c29dc31f330d9582db350b052551ad7c215483147b89435c521cabbc2fc663433c72725c792ba9ce1c6f

    Download Submit
  • memory/108-70-0x0000000000000000-mapping.dmp
    Download
  • memory/108-72-0x0000000001D70000-0x0000000001D71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/108-71-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/572-56-0x0000000001380000-0x0000000001381000-memory.dmp
    Filesize

    4KB

    Download
  • memory/572-58-0x000000001A840000-0x000000001A842000-memory.dmp
    Filesize

    8KB

    Download
  • memory/572-55-0x0000000000000000-mapping.dmp
    Download
  • memory/836-65-0x00000000006E6000-0x0000000000705000-memory.dmp
    Filesize

    124KB

    Download
  • memory/836-67-0x0000000000705000-0x0000000000706000-memory.dmp
    Filesize

    4KB

    Download
  • memory/836-64-0x00000000006E0000-0x00000000006E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/836-62-0x0000000000B00000-0x0000000000B01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/836-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1276-69-0x0000000000000000-mapping.dmp
    Download