Analysis
max time kernel: 152s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 15:13

Static task: static1

Behavioral task: behavioral1
Sample: a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
Resource: win10v2004-20220901-en
General
Target: a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
Size: 500KB
MD5: 2ac9e60e9e4770c8fcfb4c87a38bdc13
SHA1: 0e7812057990cef7a6fe6b06037d0e54700d08bb
SHA256: a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30
SHA512: c10b261725b291ed8aadfa80ba8302e8fd8c6ca2ccbf3702f650df9b44bc8626468f818cf099f5379042c2483ae629bca5a3a96a0f246181704afe9dceb2c718
SSDEEP: 6144:hLPe67l7q1fcC3P2uYDEDEkBQGcxjgBSIEFDiKexjyFWnffPW:hbe6ZCcapYEDiWEF2KWVff+
Malware Config
Extracted
Family: pony
http://indianmoneybag.in/wp-content/themes/twentythirteen/obi/Panel/gate.php
Signatures

Executes dropped EXE 4 IoCs
Processes (pid / process):
3552 NQXLL.exe
1096 fire.exe
1212 NQXLL.exe
5080 fire.exe

Processes (resource / yara_rule):
C:\Users\Admin\AppData\Local\Temp\NQXLL.exe upx
behavioral2/memory/3552-137-0x0000000000400000-0x000000000041D000-memory.dmp upx
C:\Users\Admin\AppData\Local\Temp\NQXLL.exe upx
behavioral2/memory/3552-147-0x0000000000400000-0x000000000041D000-memory.dmp upx
C:\Users\Admin\AppData\Local\Temp\NQXLL.exe upx
C:\Users\Admin\AppData\Local\Temp\NQXLL.exe upx
behavioral2/memory/1212-162-0x0000000000400000-0x000000000041D000-memory.dmp upx
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation NQXLL.exe
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation fire.exe
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation NQXLL.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
Processes (description / ioc / process):
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts NQXLL.exe
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts NQXLL.exe

Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
Processes (description / ioc / process):
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook NQXLL.exe
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook NQXLL.exe

Adds Run key to start application 2 TTPs 3 IoCs
Processes (description / ioc / process):
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\Currentversion\Run fire.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\Currentversion\Run fire.exe
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nuatoq = "C:\\Users\\Admin\\AppData\\Roaming\\Uhic\\fire.exe" fire.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 3 IoCs
Processes (description / pid / process / target process):
PID 400 set thread context of 3772 400 a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
PID 1096 set thread context of 5080 1096 fire.exe fire.exe
PID 1212 set thread context of 4448 1212 NQXLL.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings 2 IoCs
Processes (description / ioc / process):
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Privacy NQXLL.exe
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" NQXLL.exe
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes (pid / process):
5080 fire.exe (48 events, all from this one process)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description / pid / process), grouped by process:
3552 NQXLL.exe: Token: SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege (this set of eight repeated 6 times, 48 events)
3772 a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe: Token: SeSecurityPrivilege (2 events)
1212 NQXLL.exe: Token: SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege (14 events; the listing stops at the 64-IoC cap)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description / pid / process / target process), grouped by source and target:
PID 400 a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe wrote to memory of 3552 NQXLL.exe (3 events)
PID 400 a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe wrote to memory of 3772 a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe (8 events)
PID 3772 a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe wrote to memory of 1096 fire.exe (3 events)
PID 3552 NQXLL.exe wrote to memory of 5040 cmd.exe (3 events)
PID 1096 fire.exe wrote to memory of 1212 NQXLL.exe (3 events)
PID 1096 fire.exe wrote to memory of 5080 fire.exe (8 events)
PID 5080 fire.exe wrote to memory of 2336 sihost.exe (5 events)
PID 5080 fire.exe wrote to memory of 2360 svchost.exe (5 events)
PID 3772 a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe wrote to memory of 4688 cmd.exe (3 events)
PID 5080 fire.exe wrote to memory of 2464 taskhostw.exe (5 events)
PID 5080 fire.exe wrote to memory of 2440 Explorer.EXE (5 events)
PID 5080 fire.exe wrote to memory of 2740 svchost.exe (5 events)
PID 5080 fire.exe wrote to memory of 3252 DllHost.exe (5 events)
PID 5080 fire.exe wrote to memory of 3356 StartMenuExperienceHost.exe (3 events; the listing stops at the 64-IoC cap)
outlook_win_path 1 IoCs
Processes (description / ioc / process):
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook NQXLL.exe
Processes (indented by depth in the process tree; image path, then command line, then the signatures triggered by that process)

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
    "C:\Users\Admin\AppData\Local\Temp\a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe
      "C:\Users\Admin\AppData\Local\Temp\a980c417bb69ab4ad13eb5792293b368619983e3d6688aefa38f1d7009b8cd30.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Uhic\fire.exe
        "C:\Users\Admin\AppData\Roaming\Uhic\fire.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\NQXLL.exe
          "C:\Users\Admin\AppData\Local\Temp\NQXLL.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Accesses Microsoft Outlook accounts
          - Accesses Microsoft Outlook profiles
          - Suspicious use of SetThreadContext
          - Modifies Internet Explorer settings
          - Suspicious use of AdjustPrivilegeToken
          - outlook_win_path

          C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240625500.bat" "C:\Users\Admin\AppData\Local\Temp\NQXLL.exe" "

            C:\Windows\System32\Conhost.exe
              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

        C:\Users\Admin\AppData\Roaming\Uhic\fire.exe
          "C:\Users\Admin\AppData\Roaming\Uhic\fire.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6ce3c868.bat"

    C:\Users\Admin\AppData\Local\Temp\NQXLL.exe
      "C:\Users\Admin\AppData\Local\Temp\NQXLL.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240605437.bat" "C:\Users\Admin\AppData\Local\Temp\NQXLL.exe" "

C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe
  sihost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\240605437.bat
Filesize: 94B
MD5: 3880eeb1c736d853eb13b44898b718ab
SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

C:\Users\Admin\AppData\Local\Temp\NQXLL.exe
Filesize: 34KB
MD5: 584c952a93d0c0794d52d481bf2991c2
SHA1: 67d2b0d1e7d135054d4c1fc057c7fb5c784aa524
SHA256: e5ba35f40059abd42e0df99509749f7654f39859ab704e9a02fef1ec5ed7f9a3
SHA512: 46ede591d55e8e664f803e8e0b76970a80be74fb95b98139ebcfa6ad9dda8dc43e1ba8d094287bb5ab0194ebb9adb1bf8cf94145f28815357c25110d049ce380

C:\Users\Admin\AppData\Local\Temp\tmp6ce3c868.bat
Filesize: 307B
MD5: a01f2ea8cce5364df498097004e87e85
SHA1: def9fc4f0439cea6e1043dfc8f442c9f028cb64e
SHA256: c6dd1f743c7d8dbb700164606eaf58a0ab8369ab08b76f06dd161c07dc4e1083
SHA512: c0f530af19c5773680b33c8d5549879daf20f12410e7e50f4e3e25dd3adee3461cd0da4e9f4bd963d67e5cc3ff3d49b55c7aff7ec4395595c6fc38beb8f96cbb

C:\Users\Admin\AppData\Roaming\Bate\xauzt.uke
Filesize: 2KB
MD5: 66ec21eda37e12a4253e28d702677285
SHA1: f0c7af05ee041404f5411a4e007b729940b32a8b
SHA256: b69e5670370385b1d94c94ac49f13eed4975ef28cf50ba82aca2fc6a4a0dd178
SHA512: 3f4e7d7ea2df5dc3922727c80b8f7c0ee79060fb8de33795debcdd748bff652d2d447c195cc00f1455a441e268228aa79e2934b022c02af3c790d059ffb20017

C:\Users\Admin\AppData\Roaming\Uhic\fire.exe
Filesize: 500KB
MD5: 3f87a907fdeb434075675a3208f1d990
SHA1: 6df1746ad105c433795791b8a4b42201f090fefc
SHA256: 5a62eacbc28b772c1b3a30440dcae55bd992378711a9effd6185e4f2e9521851
SHA512: 8875bc0980fed2528db9241996794abc8f197596142f119b593215304799f506bbb6e47f6ffe4a617820cee034da7df24e3a23b33fee1921b8eb4a61a4fee463

Memory dumps (name, size where given):
memory/1096-142-0x0000000000000000-mapping.dmp
memory/1212-161-0x00000000020E0000-0x000000000211B000-memory.dmp 236KB
memory/1212-162-0x0000000000400000-0x000000000041D000-memory.dmp 116KB
memory/1212-167-0x00000000020E0000-0x000000000211B000-memory.dmp 236KB
memory/1212-149-0x0000000000000000-mapping.dmp
memory/3552-132-0x0000000000000000-mapping.dmp
memory/3552-137-0x0000000000400000-0x000000000041D000-memory.dmp 116KB
memory/3552-147-0x0000000000400000-0x000000000041D000-memory.dmp 116KB
memory/3772-139-0x0000000000400000-0x000000000043B000-memory.dmp 236KB
memory/3772-141-0x0000000000400000-0x000000000043B000-memory.dmp 236KB
memory/3772-140-0x0000000000400000-0x000000000043B000-memory.dmp 236KB
memory/3772-145-0x0000000000400000-0x000000000043B000-memory.dmp 236KB
memory/3772-157-0x0000000000400000-0x000000000043B000-memory.dmp 236KB
memory/3772-159-0x0000000001450000-0x000000000148B000-memory.dmp 236KB
memory/3772-136-0x0000000000400000-0x000000000043B000-memory.dmp 236KB
memory/3772-138-0x0000000000400000-0x000000000043B000-memory.dmp 236KB
memory/3772-135-0x0000000000000000-mapping.dmp
memory/4448-165-0x0000000000000000-mapping.dmp
memory/4448-166-0x0000000000C10000-0x0000000000C4B000-memory.dmp 236KB
memory/4448-168-0x0000000000C10000-0x0000000000C4B000-memory.dmp 236KB
memory/4688-156-0x0000000000000000-mapping.dmp
memory/5040-146-0x0000000000000000-mapping.dmp
memory/5080-151-0x0000000000000000-mapping.dmp
memory/5080-163-0x0000000000400000-0x000000000043B000-memory.dmp 236KB
memory/5080-169-0x0000000000400000-0x000000000043B000-memory.dmp 236KB