Analysis
- max time kernel: 144s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/01/2024, 19:37
Static task: static1
Behavioral task: behavioral1
- Sample: aaa8ae0f89bde2fc6451b82db2141362.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: aaa8ae0f89bde2fc6451b82db2141362.exe
- Resource: win10v2004-20231222-en
General
- Target: aaa8ae0f89bde2fc6451b82db2141362.exe
- Size: 248KB
- MD5: aaa8ae0f89bde2fc6451b82db2141362
- SHA1: 2e42d25788f065e9416fdeb7e33c3dbfa21bbd44
- SHA256: 42d498fc9985f478cc9045a7e6f72062d4c7d30ede5c4d6b1c2ce2ad58aeeded
- SHA512: ef7371607ca9a1c79c89e8ffafe2fc71ad3d6fb0fd273fd206f2d45ec932663ef3bfffbfe913871d2b6f07f38ffbeb71128951830ffa21f430aa8171f3a47172
- SSDEEP: 3072:9JwSW42t0z43JOFQfOTbjaoL7mZW0h/tlVu/T8cLBZ:9JjW42t0z43JOFQfOO
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | gwquey.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | aaa8ae0f89bde2fc6451b82db2141362.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  3624 | gwquey.exe
- Adds Run key to start application (2 TTPs, 51 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gwquey = "C:\\Users\\Admin\\gwquey.exe /<switch>" | gwquey.exe
  All 51 entries write the same Run value and differ only in the single-character switch appended to the command line. In the order recorded, the switches are: /L /o /M /u /Q /F /v /l /t /B /b /m /w /A /G /S /V /p /Y /H /q /n /y /I /h /e /N /W /D /f /z /J /C /K /T /d /k /j /s /P /X /O /U /E /g /c /i /R /a /Z /x
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3624 | gwquey.exe (all 64 entries are identical)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2372 | aaa8ae0f89bde2fc6451b82db2141362.exe
  3624 | gwquey.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2372 wrote to memory of 3624 | 2372 | aaa8ae0f89bde2fc6451b82db2141362.exe | 92 (first 3 entries)
  PID 3624 wrote to memory of 2372 | 3624 | gwquey.exe | 56 (all remaining entries, repeated identically)
Processes
1. C:\Users\Admin\AppData\Local\Temp\aaa8ae0f89bde2fc6451b82db2141362.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\aaa8ae0f89bde2fc6451b82db2141362.exe"
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2372
   2. C:\Users\Admin\gwquey.exe (depth 2, under the process above)
      Command line: "C:\Users\Admin\gwquey.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 3624
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 248KB
- MD5: 3fcb3338099491701f282c4a46de9ebc
- SHA1: 4aa696034961502a84401d9cf9bba5fe90132448
- SHA256: e178df541b5285f7345879a31b0e90e8cae67211199bda4d96638d537c9f8170
- SHA512: 54331bb7e0ce49be8708bce13091cebcfd351d6a40756dad978c98a1cbac3dd6fb979a733db77c7c3181c35c4339039c692779632be5651078ec4b0069fe71de