7036ed188f3d088b46d3d8983932c052ef5bf8163038d28eecc2d783d612c1d6

Analysis

max time kernel
142s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20230915-es
resource tags

arch:x64arch:x86image:win10v2004-20230915-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
05-10-2023 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DQHV_Fac5467turaMGVGIYVGIEYE.exe
Size

111.4MB
MD5

8ca18f31db0e5051f432050162f94cfe
SHA1

e253a86c409028ffff9eee91290b32d928be406c
SHA256

ee16ef68cb18e216151f6348a36c785cb42379647e8f2028746850b405d5e342
SHA512

2945e64f03e669750534b215e8c9969f012981e5c8677822b90834de829d4547b0334d527825f08b6a8a53afafbb04e69868d19bce8188e88140d102bd4640fa
SSDEEP

196608:YDrr+RXNIIaG0t7361wZ8RNWqRXXmYgz1NW07AkH0GJv4+n:crrgdJa/3FZ8RNWOXr818CfJws

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	DQHV_Fac5467turaMGVGIYVGIEYE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DQHV_Fac5467turaMGVGIYVGIEYE.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	DQHV_Fac5467turaMGVGIYVGIEYE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	DQHV_Fac5467turaMGVGIYVGIEYE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	DQHV_Fac5467turaMGVGIYVGIEYE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	DQHV_Fac5467turaMGVGIYVGIEYE.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2800	DQHV_Fac5467turaMGVGIYVGIEYE.exe
2800	DQHV_Fac5467turaMGVGIYVGIEYE.exe
2800	DQHV_Fac5467turaMGVGIYVGIEYE.exe
2800	DQHV_Fac5467turaMGVGIYVGIEYE.exe
2800	DQHV_Fac5467turaMGVGIYVGIEYE.exe
2800	DQHV_Fac5467turaMGVGIYVGIEYE.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2800	DQHV_Fac5467turaMGVGIYVGIEYE.exe

C:\Users\Admin\AppData\Local\Temp\DQHV_Fac5467turaMGVGIYVGIEYE.exe
"C:\Users\Admin\AppData\Local\Temp\DQHV_Fac5467turaMGVGIYVGIEYE.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2800-0-0x0000000008030000-0x0000000008031000-memory.dmp

Filesize
4KB

Download
memory/2800-1-0x0000000076EB0000-0x0000000077050000-memory.dmp

Filesize
1.6MB

Download
memory/2800-2-0x0000000076EB0000-0x0000000077050000-memory.dmp

Filesize
1.6MB

Download
memory/2800-3-0x0000000076EB0000-0x0000000077050000-memory.dmp

Filesize
1.6MB

Download
memory/2800-4-0x0000000008030000-0x0000000008031000-memory.dmp

Filesize
4KB

Download
memory/2800-5-0x0000000076EB0000-0x0000000077050000-memory.dmp

Filesize
1.6MB

Download
memory/2800-6-0x00000000005D0000-0x00000000015D0000-memory.dmp

Filesize
16.0MB

Download
memory/2800-7-0x0000000076EB0000-0x0000000077050000-memory.dmp

Filesize
1.6MB

Download
memory/2800-8-0x00000000005D0000-0x00000000015D0000-memory.dmp

Filesize
16.0MB

Download
memory/2800-9-0x00000000005D0000-0x00000000015D0000-memory.dmp

Filesize
16.0MB

Download
memory/2800-10-0x0000000076EB0000-0x0000000077050000-memory.dmp

Filesize
1.6MB

Download