Analysis Overview
SHA256
7d4a3ce8e269ef7635679fbb1502530c5d4b91d741be625d231fcfb9fb43f3e3
Threat Level: Known bad
The file 42355af7e650564732d94c7b60d0cfcb.bin was found to be: Known bad.
Malicious Activity Summary
SystemBC
UPX packed file
Checks computer location settings
Executes dropped EXE
Checks installed software on the system
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-11 01:12
Signatures
UPX packed file
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-11 01:12
Reported
2023-02-11 01:15
Platform
win7-20220812-en
Max time kernel
131s
Max time network
42s
Signatures
SystemBC
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation | C:\ProgramData\rpcna\qdsna.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\rpcna\qdsna.exe | N/A |
UPX packed file
Checks installed software on the system
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\qdsna.job | C:\Users\Admin\AppData\Local\Temp\d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a.exe | N/A |
| File opened for modification | C:\Windows\Tasks\qdsna.job | C:\Users\Admin\AppData\Local\Temp\d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1916 wrote to memory of 1808 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\rpcna\qdsna.exe |
| PID 1916 wrote to memory of 1808 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\rpcna\qdsna.exe |
| PID 1916 wrote to memory of 1808 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\rpcna\qdsna.exe |
| PID 1916 wrote to memory of 1808 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\rpcna\qdsna.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a.exe
"C:\Users\Admin\AppData\Local\Temp\d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {FA747EDD-A83E-4644-8602-CA6C753A28FF} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
C:\ProgramData\rpcna\qdsna.exe
C:\ProgramData\rpcna\qdsna.exe start2
Network
Files
C:\ProgramData\rpcna\qdsna.exe
| MD5 | 42355af7e650564732d94c7b60d0cfcb |
| SHA1 | 57463c359b84421c21d4a8b4a0641164ee49d5d7 |
| SHA256 | d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a |
| SHA512 | ca3bc88d37a07e00c34c24386fac1768b30e74bcd136a1d164d0718c99ce3f5fd7c9cccb409f5c8dee6591a3fc710c8040faa0c90a31e742ff8c51a320ddb3df |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-11 01:12
Reported
2023-02-11 01:15
Platform
win10v2004-20220901-en
Max time kernel
150s
Max time network
153s
Signatures
SystemBC
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\cchlmq\fjkt.exe | N/A |
| N/A | N/A | C:\ProgramData\cchlmq\fjkt.exe | N/A |
UPX packed file
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\fjkt.job | C:\Users\Admin\AppData\Local\Temp\d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a.exe | N/A |
| File opened for modification | C:\Windows\Tasks\fjkt.job | C:\Users\Admin\AppData\Local\Temp\d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a.exe
"C:\Users\Admin\AppData\Local\Temp\d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a.exe"
C:\ProgramData\cchlmq\fjkt.exe
C:\ProgramData\cchlmq\fjkt.exe start2
C:\ProgramData\cchlmq\fjkt.exe
C:\ProgramData\cchlmq\fjkt.exe start2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | N/A | tcp |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 204.79.197.200:443 | N/A | tcp |
| US | 67.26.109.254:80 | N/A | tcp |
| NL | 104.80.225.205:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 20.189.173.10:443 | N/A | tcp |
| NL | 87.248.202.1:80 | N/A | tcp |
| NL | 87.248.202.1:80 | N/A | tcp |
| NL | 87.248.202.1:80 | N/A | tcp |
| US | 52.109.12.19:443 | N/A | tcp |
| US | 52.109.8.44:443 | N/A | tcp |
Files
C:\ProgramData\cchlmq\fjkt.exe
| MD5 | 42355af7e650564732d94c7b60d0cfcb |
| SHA1 | 57463c359b84421c21d4a8b4a0641164ee49d5d7 |
| SHA256 | d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a |
| SHA512 | ca3bc88d37a07e00c34c24386fac1768b30e74bcd136a1d164d0718c99ce3f5fd7c9cccb409f5c8dee6591a3fc710c8040faa0c90a31e742ff8c51a320ddb3df |