Resubmissions

  • 19/01/2023, 17:08
    230119-vnk9xsgf64 (score 4)
  • 04/12/2021, 17:54
    211204-wg7d9abdeq (score 10, this analysis)

Analysis

  • max time kernel
    134s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    04/12/2021, 17:54

General

  • Target

    DCQPKX.bin

  • Size

    118KB

  • MD5

    10f237e6da56cf46bfd0ea8c22544bee

  • SHA1

    d83d7974796fd286f24dd606cf11b444ca55e249

  • SHA256

    6f4c49af2816b18488a1f4e2c08380c719df849c7030652e4971332ba3100927

  • SHA512

    834b6c9b3cfe740c3c0560f974e399d9efd2ca4586580bf148a43285b2cc4c0ad21ed05869587143be448f6fb42fa4b8dea9f2a2c585c4bfb77ba8056130c1ab

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\DCQPKX.bin
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:656
    • C:\Users\Admin\AppData\Local\Temp\DCQPKX.bin
      C:\Users\Admin\AppData\Local\Temp\DCQPKX.bin
      2⤵
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:572
      • C:\Program Files\System32\Argos.exe
        "C:\Program Files\System32\Argos.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:836
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 836 -s 780
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:108
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\WriteUninstall.htm
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1540 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      PID:1276
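The signatures above (Winlogon modified for persistence, Task Manager disabled via the registry) and the process tree (a dropped executable running from C:\Program Files\System32\Argos.exe, a "System32" directory that is not under %WINDIR%) translate directly into host-side checks. The following is an added example, not code from the sandbox report or from the sample's author: it compares Winlogon Shell/Userinit against the stock Windows 7 x64 values, checks the DisableTaskMgr policy, flags executables in a fake System32 directory, and verifies a file on disk against the report's hashes. The registry values and process image paths under SAMPLE_* are constructed to mirror the signatures; the report does not state which Winlogon value was changed, so the Shell modification is an assumption.

```python
"""Host-side checks for the persistence and path indicators in this report.

Added example, not part of the sandbox report. The registry values and
process image paths under SAMPLE_* are constructed to mirror the report's
signatures; the report does not say which Winlogon value was changed.
"""
import hashlib
import ntpath
import sys

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock values on a clean Windows 7 x64 install; anything else needs a look.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}
TASKMGR_POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Digests copied from the report, used to confirm a file on disk is this sample.
REPORTED_HASHES = {
    "md5": "10f237e6da56cf46bfd0ea8c22544bee",
    "sha1": "d83d7974796fd286f24dd606cf11b444ca55e249",
    "sha256": "6f4c49af2816b18488a1f4e2c08380c719df849c7030652e4971332ba3100927",
}


def check_winlogon(values):
    """Return (key, name, current) for Shell/Userinit values that differ from the defaults."""
    findings = []
    for name, default in WINLOGON_DEFAULTS.items():
        current = values.get(name)
        if current is not None and current.strip().lower() != default.lower():
            findings.append((WINLOGON_KEY, name, current))
    return findings


def check_taskmgr_policy(values):
    """Return a finding when DisableTaskMgr is set, which hides the tampering from the user."""
    flag = values.get("DisableTaskMgr", 0)
    return [(TASKMGR_POLICY_KEY, "DisableTaskMgr", flag)] if flag else []


def check_image_paths(image_paths, windir=r"C:\Windows"):
    """Flag executables living in a directory named System32 outside %WINDIR%.

    The dropped C:\\Program Files\\System32\\Argos.exe in the process tree is
    the pattern: a fake System32 that blends into casual path inspection.
    """
    flagged = []
    prefix = windir.lower().rstrip("\\") + "\\"
    for path in image_paths:
        parts = ntpath.normpath(path).lower().split("\\")
        if "system32" in parts[:-1] and not path.lower().startswith(prefix):
            flagged.append(path)
    return flagged


def hashes_match(data, reported=REPORTED_HASHES):
    """Compare a file's bytes against the reported digests, one result per algorithm."""
    return {algo: hashlib.new(algo, data).hexdigest() == digest
            for algo, digest in reported.items()}


def read_live_winlogon():
    """Read the real Winlogon values on a Windows host (returns {} elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    values = {}
    for name in WINLOGON_DEFAULTS:
        try:
            values[name] = winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            pass
    return values


# Constructed host state, not data from the report.
SAMPLE_WINLOGON = {
    "Shell": r"explorer.exe,C:\Program Files\System32\Argos.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}
SAMPLE_POLICY = {"DisableTaskMgr": 1}
SAMPLE_IMAGES = [
    r"C:\Windows\system32\cmd.exe",
    r"C:\Users\Admin\AppData\Local\Temp\DCQPKX.bin",
    r"C:\Program Files\System32\Argos.exe",
    r"C:\Windows\system32\WerFault.exe",
]


def triage(winlogon=SAMPLE_WINLOGON, policy=SAMPLE_POLICY, images=SAMPLE_IMAGES):
    """Run all checks and return the findings grouped by check."""
    return {
        "winlogon": check_winlogon(winlogon),
        "taskmgr": check_taskmgr_policy(policy),
        "fake_system32": check_image_paths(images),
    }


if __name__ == "__main__":
    for check, hits in triage().items():
        print(check, hits or "clean")
```

On a live Windows host, feed read_live_winlogon() into check_winlogon and the image paths from a process listing into check_image_paths; the Shell comparison is case-insensitive and tolerates trailing whitespace so a legitimate "Explorer.exe" does not raise a false finding, while any appended second executable does.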

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/108-72-0x0000000001D70000-0x0000000001D71000-memory.dmp

    Filesize

    4KB

  • memory/108-71-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp

    Filesize

    8KB

  • memory/572-56-0x0000000001380000-0x0000000001381000-memory.dmp

    Filesize

    4KB

  • memory/572-58-0x000000001A840000-0x000000001A842000-memory.dmp

    Filesize

    8KB

  • memory/836-65-0x00000000006E6000-0x0000000000705000-memory.dmp

    Filesize

    124KB

  • memory/836-67-0x0000000000705000-0x0000000000706000-memory.dmp

    Filesize

    4KB

  • memory/836-64-0x00000000006E0000-0x00000000006E2000-memory.dmp

    Filesize

    8KB

  • memory/836-62-0x0000000000B00000-0x0000000000B01000-memory.dmp

    Filesize

    4KB