6471c5190a99e3d1f337fcfef1fc410e8d487b66e093f924700e186cbd398dc0

Analysis

max time kernel
142s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2023, 10:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PortQryV2.exe
Size

147KB
MD5

8989182873e865e4d04fbc3c87e2f520
SHA1

015612749867d3a91af13aefb138e2db89eff227
SHA256

6471c5190a99e3d1f337fcfef1fc410e8d487b66e093f924700e186cbd398dc0
SHA512

4c29b16d864bf42727b01edc6c8ccb01568b0db192386b1ae3cf6bf4dc6d9d82a79cd6c86a0a67dde08128d2639968d65c83c915a7c81d3c6e735729b2fb41b5
SSDEEP

3072:RydJq5oyVzs+h0J05ieO4X/gsjnx9yr6AOWEQnYVDZILCIl3WSYgStb:kW2+POmYsz2UWHYHECGLHSh

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1540	PORTQR~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	PortQryV2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	PortQryV2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 1540	2828	PortQryV2.exe	85
PID 2828 wrote to memory of 1540	2828	PortQryV2.exe	85
PID 2828 wrote to memory of 1540	2828	PortQryV2.exe	85

C:\Users\Admin\AppData\Local\Temp\PortQryV2.exe
"C:\Users\Admin\AppData\Local\Temp\PortQryV2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PORTQR~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PORTQR~1.EXE
  2⤵
  - Executes dropped EXE
  PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PORTQR~1.EXE

Filesize
88KB

MD5
84bf1a69d5b301ddd97ff4f5b9384164

SHA1
f086a09f20f30904f1ecc44e1d75d8eb487f8902

SHA256
f2b523ca6d92f1f4db72a0bb86b911c12db51c894016a2a3acecc064f6324c8d

SHA512
0b5f664f08c6a9d2c8f9080e6306051972cadaab9d0b4ab3286af0fb633e98f681766ee52a50c28460d6b8f4f459bf0bd6ccb72736a06bd3e9f2ac00ac07d4ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PORTQR~1.EXE

Filesize
88KB

MD5
84bf1a69d5b301ddd97ff4f5b9384164

SHA1
f086a09f20f30904f1ecc44e1d75d8eb487f8902

SHA256
f2b523ca6d92f1f4db72a0bb86b911c12db51c894016a2a3acecc064f6324c8d

SHA512
0b5f664f08c6a9d2c8f9080e6306051972cadaab9d0b4ab3286af0fb633e98f681766ee52a50c28460d6b8f4f459bf0bd6ccb72736a06bd3e9f2ac00ac07d4ed

Download Submit