Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
25/04/2024, 02:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Resource
win7-20231129-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
5 signatures
150 seconds
General
-
Target
b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe
-
Size
474KB
-
MD5
38d935266944c5f49d35c42ce150086a
-
SHA1
7bfad76c6b3844f2cea23ffc7bd4702fe737fe73
-
SHA256
b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f
-
SHA512
398927af28bcd3ad101481dd72c40aad7707b6963990e75e11d9c2ac8c57c71770e5a97aee4d0c2bcc6d7df6f12822a81746925e6fd1f561fe4581a52ec0f8c8
-
SSDEEP
6144:vdspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70Nqq:l8kxNhOZElO5kkWjhD4A
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4700 RQY.EXE -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WIEMI.EXE = "C:\\$Recycle.Bin\\KFC.EXE" b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe -
Enumerates connected drives 3 TTPs 34 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: RQY.EXE File opened (read-only) \??\V: RQY.EXE File opened (read-only) \??\K: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\O: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\H: RQY.EXE File opened (read-only) \??\M: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\O: RQY.EXE File opened (read-only) \??\Q: RQY.EXE File opened (read-only) \??\R: RQY.EXE File opened (read-only) \??\U: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\M: RQY.EXE File opened (read-only) \??\P: RQY.EXE File opened (read-only) \??\R: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\V: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\L: RQY.EXE File opened (read-only) \??\N: RQY.EXE File opened (read-only) \??\L: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\N: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\P: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\K: RQY.EXE File opened (read-only) \??\S: RQY.EXE File opened (read-only) \??\U: RQY.EXE File opened (read-only) \??\G: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\H: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\S: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\T: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\T: RQY.EXE File opened (read-only) \??\Q: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\E: RQY.EXE File opened (read-only) \??\G: RQY.EXE File opened (read-only) \??\J: RQY.EXE File opened (read-only) \??\E: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\I: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe File opened (read-only) \??\J: b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe -
Modifies registry class 32 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\$Recycle.Bin\\KFC.EXE %1" b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile RQY.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open RQY.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open RQY.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\System Volume Information\\DTZDH.EXE %1" b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile RQY.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open RQY.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open RQY.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\System Volume Information\\DTZDH.EXE %1" b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\$Recycle.Bin\\KFC.EXE \"%1\"" b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile RQY.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command RQY.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell RQY.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\System Volume Information\\DTZDH.EXE \"%1\"" b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file RQY.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command RQY.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command RQY.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell RQY.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell RQY.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\$Recycle.Bin\\KFC.EXE \"%1\" %*" b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command RQY.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell RQY.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5024 wrote to memory of 4700 5024 b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe 89 PID 5024 wrote to memory of 4700 5024 b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe 89 PID 5024 wrote to memory of 4700 5024 b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe"C:\Users\Admin\AppData\Local\Temp\b8bc76e3ece3eff2230853d85e89026d4b3bd35a3c90ca68aed08c7a2b8e060f.exe"1⤵
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\$Recycle.Bin\RQY.EXEC:\$Recycle.Bin\RQY.EXE2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
PID:4700
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
474KB
MD583525c14e93de359df52ae987db08978
SHA102017f66ea30f648242998e853e979e934823236
SHA25691c25b9d00c15e607d3c4738b6b2b1768d6558cb5acd87d369ddb9f2ca955773
SHA5120bceb3dbbe22836dd922b422853c76d24d1ac912c9b386aadc373bd73ce0202a03c8fef12aa221aa62ea6f2c969a8b94cd1fb22e20042448b05cbf90f96fb102
-
Filesize
474KB
MD52ad6bbace7b45664879bf3bdcc050dd1
SHA1e2b023c15907e85bd1cc511b227aad635b7b51a7
SHA256eec3445faab46d4b1d741089e2f0c6543d52bcf2a51d88488b7888bb0d7437a0
SHA51227cd13bdefd395cd93a76c9392879487029f18359e8affa3514a69cd9ded89776e46afea134a720c18bc36d95e1f2db0ce4fa93685c231ae84cc9e8754ffc226