f62147822f05a0b69559a18c79719b24b4e8a27db8e371008a8a2c5b9d6994d5

Analysis

max time kernel
153s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f62147822f05a0b69559a18c79719b24b4e8a27db8e371008a8a2c5b9d6994d5.exe
Size

188KB
MD5

0098f761854680b5b528bee251d6650c
SHA1

cb0b87186060bfd023728bdadfb11991f0cbefff
SHA256

f62147822f05a0b69559a18c79719b24b4e8a27db8e371008a8a2c5b9d6994d5
SHA512

d2bb339b9ce3d05ccd01f5926872959f1cf1c8e732511ef9b2d91a432c80030e49dbade3f36b10d15cff19010bbc8e52700c6918f9655aa356098f6e310e5a6c
SSDEEP

3072:hdWSzA6jVdOMIi6FJ2AeJ9CW1bzp2LFNCpCu0aYiAllp+BE+BC3K5eq4:hdWSzA65dO39Whp2LbCpCu0diAlfckK8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
380	dqgqlz.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	dqgqlz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\ndqgq	dqgqlz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\ndqgq	dqgqlz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	dqgqlz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	dqgqlz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	dqgqlz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\ndqgq\\command	dqgqlz.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1408	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 5080	1232	f62147822f05a0b69559a18c79719b24b4e8a27db8e371008a8a2c5b9d6994d5.exe	83
PID 1232 wrote to memory of 5080	1232	f62147822f05a0b69559a18c79719b24b4e8a27db8e371008a8a2c5b9d6994d5.exe	83
PID 1232 wrote to memory of 5080	1232	f62147822f05a0b69559a18c79719b24b4e8a27db8e371008a8a2c5b9d6994d5.exe	83
PID 5080 wrote to memory of 380	5080	cmd.exe	85
PID 5080 wrote to memory of 380	5080	cmd.exe	85
PID 5080 wrote to memory of 380	5080	cmd.exe	85
PID 5080 wrote to memory of 1408	5080	cmd.exe	86
PID 5080 wrote to memory of 1408	5080	cmd.exe	86
PID 5080 wrote to memory of 1408	5080	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\f62147822f05a0b69559a18c79719b24b4e8a27db8e371008a8a2c5b9d6994d5.exe
"C:\Users\Admin\AppData\Local\Temp\f62147822f05a0b69559a18c79719b24b4e8a27db8e371008a8a2c5b9d6994d5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zkkjzpe.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\dqgqlz.exe
    "C:\Users\Admin\AppData\Local\Temp\dqgqlz.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:380
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dqgqlz.exe

Filesize
140KB

MD5
e8758caf3c003612e7eca100de288687

SHA1
3c2e8149b11c7d5882281db20d265f76557f0f9f

SHA256
c769030a26c7326fa994a889158d32a5fc76b6649628d6d7bf90acb0f1aab3be

SHA512
7b7b7803b71bc1fbf448734b304bbfda1f9137c32dfe1659c88075072f183b465ab9c864ed90be16a4eda7517fd89152c7c155938eefaddf4ced74cbcecb6255

Download Submit
C:\Users\Admin\AppData\Local\Temp\dqgqlz.exe

Filesize
140KB

MD5
e8758caf3c003612e7eca100de288687

SHA1
3c2e8149b11c7d5882281db20d265f76557f0f9f

SHA256
c769030a26c7326fa994a889158d32a5fc76b6649628d6d7bf90acb0f1aab3be

SHA512
7b7b7803b71bc1fbf448734b304bbfda1f9137c32dfe1659c88075072f183b465ab9c864ed90be16a4eda7517fd89152c7c155938eefaddf4ced74cbcecb6255

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmetun.bat

Filesize
188B

MD5
90ddfde449fc51d5d34e6cb9291e79a5

SHA1
0e9ced337b666cf5fd6f78a34bded737ef65ae19

SHA256
e00c4d8abdc62f8d3b13f447fe6bae58037a1e6a53e5f2389071de57992c79e6

SHA512
1cc437c9ea0b330ab98a70c614d649411bc8e356eaf04b31d89469bff2758ee6735e1503fa917f189925112a845eb3e218c44d6793db19744de92e0a3f311204

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkkjzpe.bat

Filesize
124B

MD5
70eb06673ac11e77b8e85c91a172d45f

SHA1
2b167c96e21ef993bcea89c0559b712030e534ec

SHA256
121ca93a2e56ee738c3a84a6317d855c635b81d9ff6c52a3a1caa78572e62fd0

SHA512
be995a0c97a38822386322f44058ae8a9df6a2feaca9ad848956010c15ae1ce840d705721c72cb82a0564cdc83a65bd958f11f29d1807cf5fbaff0b7f7a7d5ef

Download Submit