687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b

General

Target

687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe
Size

100KB
MD5

e1b7edc7b64d3658dc80ff55416b0c13
SHA1

dce6acf0d134a7b9a59302624264083a43e0e292
SHA256

687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b
SHA512

6b86abf8505edfe5e428cb3c3128fa9dd65e4d8bdc0c4b1e1f951733fce66d25e8929150137d2454f77332dc96f6be326a9f9ffe309899fa7ebb731e73f24f81

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

winqicm.exe

pid	Process
908	winqicm.exe

Loads dropped DLL 2 IoCs

Processes:

687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe

pid	Process
1240	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe
1240	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update 495955904 = "C:\\Windows\\3765310510651712\\winqicm.exe"	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update 495955904 = "C:\\Windows\\3765310510651712\\winqicm.exe"	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe

Drops file in Windows directory 3 IoCs

Processes:

687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe

description	ioc	Process
File created	C:\Windows\3765310510651712\winqicm.exe	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe
File opened for modification	C:\Windows\3765310510651712\winqicm.exe	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe
File opened for modification	C:\Windows\3765310510651712	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe

description	pid	Process	procid_target
PID 1240 wrote to memory of 908	1240	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe	27
PID 1240 wrote to memory of 908	1240	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe	27
PID 1240 wrote to memory of 908	1240	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe	27
PID 1240 wrote to memory of 908	1240	687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe	27

C:\Users\Admin\AppData\Local\Temp\687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe
"C:\Users\Admin\AppData\Local\Temp\687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\3765310510651712\winqicm.exe
  C:\Windows\3765310510651712\winqicm.exe
  2⤵
  - Executes dropped EXE
  PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\3765310510651712\winqicm.exe

Filesize
100KB

MD5
e1b7edc7b64d3658dc80ff55416b0c13

SHA1
dce6acf0d134a7b9a59302624264083a43e0e292

SHA256
687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b

SHA512
6b86abf8505edfe5e428cb3c3128fa9dd65e4d8bdc0c4b1e1f951733fce66d25e8929150137d2454f77332dc96f6be326a9f9ffe309899fa7ebb731e73f24f81

Download Submit
\Windows\3765310510651712\winqicm.exe

Filesize
100KB

MD5
e1b7edc7b64d3658dc80ff55416b0c13

SHA1
dce6acf0d134a7b9a59302624264083a43e0e292

SHA256
687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b

SHA512
6b86abf8505edfe5e428cb3c3128fa9dd65e4d8bdc0c4b1e1f951733fce66d25e8929150137d2454f77332dc96f6be326a9f9ffe309899fa7ebb731e73f24f81

Download Submit
\Windows\3765310510651712\winqicm.exe

Filesize
100KB

MD5
e1b7edc7b64d3658dc80ff55416b0c13

SHA1
dce6acf0d134a7b9a59302624264083a43e0e292

SHA256
687d3e649b6ba09bc072fcb69ef751b729983dcdbecfb4da7f0d8b2c509c196b

SHA512
6b86abf8505edfe5e428cb3c3128fa9dd65e4d8bdc0c4b1e1f951733fce66d25e8929150137d2454f77332dc96f6be326a9f9ffe309899fa7ebb731e73f24f81

Download Submit
memory/908-60-0x0000000000000000-mapping.dmp

Download
memory/908-62-0x0000000000542000-0x0000000000547000-memory.dmp

Filesize
20KB

Download
memory/908-64-0x0000000000542000-0x0000000000547000-memory.dmp

Filesize
20KB

Download
memory/908-65-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/1240-54-0x0000000000622000-0x0000000000627000-memory.dmp

Filesize
20KB

Download
memory/1240-55-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1240-56-0x0000000000622000-0x0000000000627000-memory.dmp

Filesize
20KB

Download
memory/1240-57-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads