Analysis
- max time kernel: 145s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 11/01/2024, 13:46
Static task
- static1

Behavioral tasks
- behavioral1: sample RFQ ETMT 009462900_pdf(58kb).exe, resource win7-20231215-en
- behavioral2: sample RFQ ETMT 009462900_pdf(58kb).exe, resource win10v2004-20231215-en
- behavioral3: sample jjuhibpwa.ps1, resource win7-20231215-en
- behavioral4: sample jjuhibpwa.ps1, resource win10v2004-20231215-en
- behavioral5: sample wnnqrg.exe, resource win7-20231215-en
- behavioral6: sample wnnqrg.exe, resource win10v2004-20231222-en
General
- Target: wnnqrg.exe
- Size: 62KB
- MD5: ad65f79ab6bd2884461a198e1d77ef76
- SHA1: f7ac4388da64c17f92f0c10803de57abad060bb9
- SHA256: c545d7f6a0c7da83bdabf56728c240bca8dc9f86416123efde1a3e60d87626ce
- SHA512: 7da047e3ce0ffe6d01e603092f12acfa98499b0407ba6b328acd94eb7894f7009163804b6fd645ae6b6d0deb98091cacb71b53c0585381fdb962a205e6a8440e
- SSDEEP: 1536:Px+QC21XgNhnNiBiSXM4dmxSxh1eKMNDYVmtM:PxdhgNhNiB7drx6KMNay
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\nnwsscxhhq = "C:\\Users\\Admin\\AppData\\Roaming\\irrbwwg\\plluqqyiie.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wnnqrg.exe\""
  process: wnnqrg.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1152 set thread context of 2056
  pid: 1152, process: wnnqrg.exe, procid_target: 16
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid: 1152, process: wnnqrg.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 2056, process: wnnqrg.exe
- Suspicious use of WriteProcessMemory (5 IoCs, all five entries identical)
  description: PID 1152 wrote to memory of 2056
  pid: 1152, process: wnnqrg.exe, procid_target: 16
Processes
- C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe "C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe" (depth 1, PID 1152)
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe "C:\Users\Admin\AppData\Local\Temp\wnnqrg.exe" (depth 2, PID 2056)
    - Suspicious use of SetWindowsHookEx