Resubmissions

19/01/2023, 17:08

230119-vnk9xsgf64 4

04/12/2021, 17:54

211204-wg7d9abdeq 10

Analysis

  • max time kernel
    152s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    04/12/2021, 17:54

General

  • Target: DCQPKX.bin
  • Size: 118KB
  • MD5: 10f237e6da56cf46bfd0ea8c22544bee
  • SHA1: d83d7974796fd286f24dd606cf11b444ca55e249
  • SHA256: 6f4c49af2816b18488a1f4e2c08380c719df849c7030652e4971332ba3100927
  • SHA512: 834b6c9b3cfe740c3c0560f974e399d9efd2ca4586580bf148a43285b2cc4c0ad21ed05869587143be448f6fb42fa4b8dea9f2a2c585c4bfb77ba8056130c1ab

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Executes dropped EXE (1 IoC)
  • Drops desktop.ini file(s) (1 IoC)
  • Drops file in Program Files directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\DCQPKX.bin
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:796
    • C:\Users\Admin\AppData\Local\Temp\DCQPKX.bin
      C:\Users\Admin\AppData\Local\Temp\DCQPKX.bin
      2⤵
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3848
      • C:\Program Files\System32\Argos.exe
        "C:\Program Files\System32\Argos.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4632

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3848-116-0x0000000000060000-0x0000000000061000-memory.dmp (Filesize: 4KB)
  • memory/3848-118-0x000000001AD20000-0x000000001AD22000-memory.dmp (Filesize: 8KB)
  • memory/4632-122-0x0000000000630000-0x0000000000631000-memory.dmp (Filesize: 4KB)
  • memory/4632-126-0x000000001B264000-0x000000001B265000-memory.dmp (Filesize: 4KB)
  • memory/4632-125-0x000000001B262000-0x000000001B264000-memory.dmp (Filesize: 8KB)
  • memory/4632-124-0x000000001B260000-0x000000001B262000-memory.dmp (Filesize: 8KB)
  • memory/4632-129-0x000000001B265000-0x000000001B267000-memory.dmp (Filesize: 8KB)