da0e41d416669558afdd0fb93b2e0949ca15a8cf887202ed1fe2bb879fd737fa

Analysis

max time kernel
145s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2024 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

upgrade.exe
Size

655KB
MD5

819303c7e63bc7c2eb24597405598489
SHA1

30d886c99b2bc788e6f8c5269972516707889a63
SHA256

1d3ec1f724cfb73b3013cbfc2f9822ce45a3ab2fa7fc6ad36aa432969f7ba350
SHA512

57bae4c2ff48a490dc17922416cbe8cff48363a25cfabd142cfe7367f4e14d7a77ffb8be866d3c49e902cacbc17365aa035ce47e12cdeeffcea4d9f2fc723eef
SSDEEP

12288:Q6f/WUjD7H4vLeDAZJ30gtXb5lnqpr4iGrWnHR5itsiJba:Jf+UjHH4vCD80EXbTnyTGrWnaNA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1900	barquery.exe
2188	barquery.exe
2588	barquery151.exe
3192	barquery.exe

Loads dropped DLL 3 IoCs

pid	Process
2188	barquery.exe
2588	barquery151.exe
3192	barquery.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	barquery151.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	barquery151.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	barquery151.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	barquery151.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\492I9NB2.htm	barquery151.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BarQuery\barquery.dll	barquery.exe
File opened for modification	C:\Program Files (x86)\BarQuery\barquery.dll	barquery.exe
File created	C:\Program Files (x86)\BarQuery\barquery.exe	barquery.exe
File created	C:\Program Files (x86)\BarQuery\uninstall.exe	upgrade.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upgrade.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	barquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	barquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	barquery151.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	barquery.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002343d-33.dat	nsis_installer_1

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	barquery151.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	barquery151.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	barquery151.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	barquery151.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	barquery151.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	barquery151.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	barquery151.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	barquery151.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe
2588	barquery151.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3192	barquery.exe
3192	barquery.exe
3192	barquery.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 1900	4460	upgrade.exe	84
PID 4460 wrote to memory of 1900	4460	upgrade.exe	84
PID 4460 wrote to memory of 1900	4460	upgrade.exe	84
PID 4460 wrote to memory of 2188	4460	upgrade.exe	85
PID 4460 wrote to memory of 2188	4460	upgrade.exe	85
PID 4460 wrote to memory of 2188	4460	upgrade.exe	85
PID 2588 wrote to memory of 3192	2588	barquery151.exe	87
PID 2588 wrote to memory of 3192	2588	barquery151.exe	87
PID 2588 wrote to memory of 3192	2588	barquery151.exe	87

C:\Users\Admin\AppData\Local\Temp\upgrade.exe
"C:\Users\Admin\AppData\Local\Temp\upgrade.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Users\Admin\AppData\Local\Temp\nsv6F65.tmp\barquery.exe
  "C:\Users\Admin\AppData\Local\Temp\nsv6F65.tmp\barquery.exe" "C:\Users\Admin\AppData\Local\Temp\nsv6F65.tmp\barquery.dll" -r
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1900
- C:\Users\Admin\AppData\Local\Temp\nsv6F65.tmp\barquery.exe
  "C:\Users\Admin\AppData\Local\Temp\nsv6F65.tmp\barquery.exe" "C:\Users\Admin\AppData\Local\Temp\nsv6F65.tmp\barquery.dll" ntmsmhyz ""
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2188

C:\ProgramData\BarQuery\barquery151.exe
"C:\ProgramData\BarQuery\barquery151.exe" "C:\Program Files (x86)\BarQuery\barquery.dll" puahhbgf
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Program Files (x86)\BarQuery\barquery.exe
  "C:\Program Files (x86)\BarQuery\barquery.exe" "C:\Program Files (x86)\BarQuery\barquery.dll" oahoqlzvpbpq
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsv6F65.tmp\barquery.dll

Filesize
588KB

MD5
ba4afdfa3b2cad896327213f409b0d03

SHA1
261c751065b2df4f7d89b339b0de04955f0f8486

SHA256
ed029f38b112ef92b882195087c03820dd7e3c68d6afe3b1bff7a6a767951243

SHA512
9a668ff61bcaff5892eacacb91f26a179cda75d219fc4e5123b72ca9e6f8ab1c81ec9cd6b4269e68cd4d461f141c8426528d2702bad929ef92e3f356ce2f653f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6F65.tmp\barquery.exe

Filesize
64KB

MD5
500b81e0cdbe8c0d434f45962a621299

SHA1
9866fa0433a42f5d3e97eab588d913f3490f875c

SHA256
434bb35b4b0c24ab21ff5666201ed60cc0f76c7fad9e58c61ca953f8593d3115

SHA512
a6faa90766c653eede8f4177b8b5fc4f6c4349cbb92fc0ddf7065cb925b26d6afe29f0cadb66d3b5e0443a53bbd4fd0043c0fb49f737e6c2b5ac7cdee0dc4166

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6F65.tmp\uninstall.exe

Filesize
82KB

MD5
66ca9b50a89726e4bc5d2f00ceb0e27f

SHA1
8e0a04d571df697d2af94070111f3c93185ce78d

SHA256
d7d0c63a6588746c822026e52cf1d0d47369c6ded8169a8c3e5548f017df2a6f

SHA512
5274107a75072c76bdb05b05a1e78663acc4918610b56d74ec023e74e46d04a65d418e4a51167a7afe471e2a37ccf5dcd969d8c4e84c6bbf5481d57e77ebce2d

Download Submit
memory/2188-11-0x0000000000580000-0x0000000000601000-memory.dmp

Filesize
516KB

Download
memory/2588-22-0x0000000000510000-0x0000000000591000-memory.dmp

Filesize
516KB

Download
memory/3192-43-0x0000000000A70000-0x0000000000AF1000-memory.dmp

Filesize
516KB

Download