b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7

General

Target

b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Size

693KB
MD5

02b75e96d9b1ade54981ac2d077c9aef
SHA1

76f9d2aa57ef9837dfa94b92463f545dbe4fc8d4
SHA256

b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7
SHA512

e31f6a1e42a9daefbceb986ba2bef96c3db907e99c83c9b23ea806fc2711a6da4685200db751a323c4ae1112b23c4ce2591eed4da6efffd280eb556e1418a3a5
SSDEEP

12288:l8kxNhOZElO5kkWjhD4AcGsGtAtScw3qEKB:WqEkfFN145

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ICDCZ.EXE = "C:\\$Recycle.Bin\\BQA.EXE"	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only)	\??\I:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only)	\??\O:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only)	\??\T:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only)	\??\G:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only)	\??\K:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only)	\??\Q:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only)	\??\R:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only)	\??\S:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only)	\??\E:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only)	\??\M:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only)	\??\V:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only)	\??\J:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only)	\??\L:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only)	\??\N:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only)	\??\P:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
File opened (read-only)	\??\U:	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\$Recycle.Bin\\IBV.EXE %1"	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\$Recycle.Bin\\BQA.EXE %1"	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\$Recycle.Bin\\BQA.EXE \"%1\" %*"	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\$Recycle.Bin\\BQA.EXE %1"	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\$Recycle.Bin\\BQA.EXE \"%1\""	b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe

C:\Users\Admin\AppData\Local\Temp\b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe
"C:\Users\Admin\AppData\Local\Temp\b6a8f43ecaf81a020478e315954f4d65d9bce0e1d98635b350ac3fa1335b3df7.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\BQA.EXE

Filesize
693KB

MD5
3aaa7835811eb4576dc02d42402923e1

SHA1
1c690878628867c60c9e175fd3c896a1bda424d4

SHA256
17484f2a1294df84bc8866eef0b279c2e1a573f3dda2a9bd987e9c36447dddff

SHA512
e816c86945ff2af09e3b783c7f7b1719daa144eb517e8a6009e3f23d55ea38d6763c0d35665d45137616c8f663ed27877f4f5cb960041f38a2c971e939c8558b

Download Submit
C:\filedebug

Filesize
237B

MD5
446e6c1e852e58426fe7531d05bf0d33

SHA1
4437028a7516a6bffe30835c2d957cced9882555

SHA256
d4f61a052069b2c8bee566f4b50c88dce431353382ae014cb97e76634f5e78ac

SHA512
fdafb1d9c25e89936efea624827324fad928020e41e52925d50d221656e1159d6b4b06368629edfa071378fe02e85caa27c22fc5794da90a4282f56a16e1cb3f

Download Submit
memory/2164-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2164-18-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads