Overview

overview

10

Static

static

DCQPKX.bin

windows7_x64

10

DCQPKX.bin

windows10_x64

10

Resubmissions

19-01-2023 17:08

230119-vnk9xsgf64 4

04-12-2021 17:54

211204-wg7d9abdeq 10

Analysis

  • max time kernel
    152s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    04-12-2021 17:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCQPKX.bin

  • Size

    118KB

  • MD5

    10f237e6da56cf46bfd0ea8c22544bee

  • SHA1

    d83d7974796fd286f24dd606cf11b444ca55e249

  • SHA256

    6f4c49af2816b18488a1f4e2c08380c719df849c7030652e4971332ba3100927

  • SHA512

    834b6c9b3cfe740c3c0560f974e399d9efd2ca4586580bf148a43285b2cc4c0ad21ed05869587143be448f6fb42fa4b8dea9f2a2c585c4bfb77ba8056130c1ab

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Disables Task Manager via registry modification
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\DCQPKX.bin
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:796
    • C:\Users\Admin\AppData\Local\Temp\DCQPKX.bin
      C:\Users\Admin\AppData\Local\Temp\DCQPKX.bin
      2⤵
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3848
      • C:\Program Files\System32\Argos.exe
        "C:\Program Files\System32\Argos.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\System32\Argos.exe
    MD5

    85149ce849c4468a1cd6179c88814de2

    SHA1

    44099a40b7af2da7e7435d62de84589813580178

    SHA256

    7bb72f6d4ea8c4008bf51cc0817db28cbf18bdaa3862509d6aa0f842d7822daf

    SHA512

    d3b1d7a0bded732c51f838116a66d7ae361f1a9c785a1b4ae774b512199182588e12c2489ee75785b291455f87e2dc3a3d1cb92b00c8cb0ce0e60db86cd74272

    Download Submit
  • C:\Program Files\System32\Argos.exe
    MD5

    85149ce849c4468a1cd6179c88814de2

    SHA1

    44099a40b7af2da7e7435d62de84589813580178

    SHA256

    7bb72f6d4ea8c4008bf51cc0817db28cbf18bdaa3862509d6aa0f842d7822daf

    SHA512

    d3b1d7a0bded732c51f838116a66d7ae361f1a9c785a1b4ae774b512199182588e12c2489ee75785b291455f87e2dc3a3d1cb92b00c8cb0ce0e60db86cd74272

    Download Submit
  • C:\Users\Admin\Desktop\._cache_ARGOS.exe
    MD5

    8ed6556cd7f9533c8c2657eb0250219b

    SHA1

    a2e40c11b14efe1d8c1b4e602e6257b4545fd95e

    SHA256

    0067207bcaeba1d05b5a6d985f93fecd33c4d091825a30a60e6757e56c07f2b0

    SHA512

    6d9186ea6674ba1c9a1ea9fa036196fd764e9c41e149fd884529dd6bc21ba9bcd132689050a0a229af1055d35617e23fad3c11feac8f5f51e8531c195f9191bc

    Download Submit
  • C:\Users\Admin\Desktop\README.txt
    MD5

    8b3e49acf59c25c4bc99e11fe8e06f21

    SHA1

    20f1b205454871df2862cda882bd6150a97823ec

    SHA256

    3f618be70b390efbbffc37ebda76d8ae1e48155be72ff796d187c7891754875b

    SHA512

    a0026bacecd0b6f8b7efc5d87c1f10ced199d76b3cd4c29dc31f330d9582db350b052551ad7c215483147b89435c521cabbc2fc663433c72725c792ba9ce1c6f

    Download Submit
  • memory/3848-116-0x0000000000060000-0x0000000000061000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3848-118-0x000000001AD20000-0x000000001AD22000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3848-115-0x0000000000000000-mapping.dmp
    Download
  • memory/4632-122-0x0000000000630000-0x0000000000631000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4632-126-0x000000001B264000-0x000000001B265000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4632-125-0x000000001B262000-0x000000001B264000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4632-124-0x000000001B260000-0x000000001B262000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4632-119-0x0000000000000000-mapping.dmp
    Download
  • memory/4632-129-0x000000001B265000-0x000000001B267000-memory.dmp
    Filesize

    8KB

    Download