Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 20/08/2024, 15:52
Behavioral tasks
behavioral1: sample 51bd9100778403dc0f688e75ba809470N.exe, resource win7-20240704-en
behavioral2: sample 51bd9100778403dc0f688e75ba809470N.exe, resource win10v2004-20240802-en
General
Target: 51bd9100778403dc0f688e75ba809470N.exe
Size: 3.8MB
MD5: 51bd9100778403dc0f688e75ba809470
SHA1: d2d9e000255570eace6e2e14c5edf444ee6a8859
SHA256: 53e8b8cf9f1bf5e7cd2a4acae139375861fe892bab1672cfaa538829e755ec93
SHA512: f24ca80454a5084a62ad8d280da0a36789c3a9ba244dbf299724b14dc4257e1fb53839809dec914520fea08a7f90002835bc6e1255b73410cda0f9c8653b692c
SSDEEP: 24576:S145qTz/lh3Qh3OXuaq4gTDZrIiEu8Ck5yX7SYzNTU1UEhtviD5:S1KqD6dZ4gTDZ/8JCSYNTSUEral
Malware Config

Signatures
Executes dropped EXE (1 IoC)
pid | Process
2836 | WQL.EXE
Loads dropped DLL (2 IoCs)
pid | Process
2632 | 51bd9100778403dc0f688e75ba809470N.exe
2632 | 51bd9100778403dc0f688e75ba809470N.exe
UPX yara rule matches (6 IoCs)
resource | yara_rule
behavioral1/memory/2632-0-0x0000000000400000-0x0000000000824000-memory.dmp | upx
behavioral1/files/0x0007000000016d39-10.dat | upx
behavioral1/files/0x0008000000012115-20.dat | upx
behavioral1/memory/2632-34-0x0000000000400000-0x0000000000824000-memory.dmp | upx
behavioral1/memory/2836-33-0x0000000000400000-0x0000000000824000-memory.dmp | upx
behavioral1/memory/2836-29-0x0000000000400000-0x0000000000824000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IYEEY.EXE = "C:\\Program Files (x86)\\IYEEY.EXE" | 51bd9100778403dc0f688e75ba809470N.exe
Enumerates connected drives (3 TTPs, 34 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: (17 drives) | 51bd9100778403dc0f688e75ba809470N.exe
File opened (read-only) | \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: (17 drives) | WQL.EXE
Drops file in Program Files directory (7 IoCs)
description | ioc | Process
File created | C:\Program Files\TITV.EXE | WQL.EXE
File created | C:\Program Files (x86)\DCOQH.EXE | 51bd9100778403dc0f688e75ba809470N.exe
File created | C:\Program Files (x86)\XTVLV.EXE | 51bd9100778403dc0f688e75ba809470N.exe
File created | C:\Program Files (x86)\PJZUX.EXE | 51bd9100778403dc0f688e75ba809470N.exe
File opened for modification | C:\Program Files (x86)\PJZUX.EXE | 51bd9100778403dc0f688e75ba809470N.exe
File created | C:\Program Files (x86)\IYEEY.EXE | 51bd9100778403dc0f688e75ba809470N.exe
File opened for modification | C:\Program Files (x86)\IYEEY.EXE | 51bd9100778403dc0f688e75ba809470N.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WQL.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 51bd9100778403dc0f688e75ba809470N.exe
Modifies registry class (32 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command | 51bd9100778403dc0f688e75ba809470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command | WQL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files (x86)\\PJZUX.EXE \"%1\"" | 51bd9100778403dc0f688e75ba809470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile | WQL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open | 51bd9100778403dc0f688e75ba809470N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files (x86)\\XTVLV.EXE \"%1\"" | 51bd9100778403dc0f688e75ba809470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile | 51bd9100778403dc0f688e75ba809470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile | WQL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\$Recycle.Bin\\QHS.EXE %1" | 51bd9100778403dc0f688e75ba809470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command | 51bd9100778403dc0f688e75ba809470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command | WQL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open | WQL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command | 51bd9100778403dc0f688e75ba809470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open | WQL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell | WQL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell | WQL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell | WQL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | WQL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\$Recycle.Bin\\QHS.EXE %1" | 51bd9100778403dc0f688e75ba809470N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Program Files (x86)\\PJZUX.EXE %1" | 51bd9100778403dc0f688e75ba809470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell | 51bd9100778403dc0f688e75ba809470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open | 51bd9100778403dc0f688e75ba809470N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files (x86)\\IYEEY.EXE \"%1\" %*" | 51bd9100778403dc0f688e75ba809470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | WQL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open | WQL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command | WQL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | 51bd9100778403dc0f688e75ba809470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell | 51bd9100778403dc0f688e75ba809470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | WQL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file | WQL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file | 51bd9100778403dc0f688e75ba809470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open | WQL.EXE
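The registry rows above are the most actionable part of this report: the sample installs a Run key and rewrites the "open" handlers of the built-in txtfile and inffile ProgIDs (whose default is notepad.exe) plus two custom ProgIDs (QQQfile, QQQ.file), pointing them at binaries it dropped itself or at C:\$Recycle.Bin. The following Python is an example added to this page, not output of the sandbox: it parses the report's "Set value (str)" and "File created" rows, classifies each write as Run-key persistence or a file-association hijack, and cross-references every handler path against the dropped files. The ATT&CK IDs (T1547.001, T1546.001), the EXPECTED_HANDLERS table and the SUSPICIOUS_DIRS heuristic are this example's own assumptions.

```python
"""Triage the registry IoCs of a sandbox report: flag Run-key persistence and
rewritten shell 'open' handlers, and correlate each handler with the files the
sample dropped.  Example added to this page; the IoC rows are copied from the
report, all other names and tables are this example's own assumptions."""
import re
from dataclasses import dataclass, field

# IoC rows exactly as the sandbox prints them (constructed from the report above).
REGISTRY_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IYEEY.EXE = "C:\\Program Files (x86)\\IYEEY.EXE" 51bd9100778403dc0f688e75ba809470N.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\$Recycle.Bin\\QHS.EXE %1" 51bd9100778403dc0f688e75ba809470N.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Program Files (x86)\\PJZUX.EXE %1" 51bd9100778403dc0f688e75ba809470N.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files (x86)\\IYEEY.EXE \"%1\" %*" 51bd9100778403dc0f688e75ba809470N.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\$Recycle.Bin\\QHS.EXE %1" 51bd9100778403dc0f688e75ba809470N.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command WQL.EXE',
]
FILE_IOCS = [
    r'File created C:\Program Files\TITV.EXE WQL.EXE',
    r'File created C:\Program Files (x86)\PJZUX.EXE 51bd9100778403dc0f688e75ba809470N.exe',
    r'File created C:\Program Files (x86)\IYEEY.EXE 51bd9100778403dc0f688e75ba809470N.exe',
]

SET_RE = re.compile(r'^Set value \(str\) (\S+) = "(.*)" (\S+)$')
FILE_RE = re.compile(r'^File (?:created|opened for modification) (.+?) (\S+)$')
# Default "open" handler (basename) of the built-in ProgIDs the sample rewrote (assumption).
EXPECTED_HANDLERS = {"txtfile": "notepad.exe", "inffile": "notepad.exe"}
# Places a legitimate shell handler should never live (heuristic, assumption).
SUSPICIOUS_DIRS = ("$recycle.bin", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class Finding:
    technique: str
    key: str
    image: str
    process: str
    reasons: list = field(default_factory=list)


def unescape(value: str) -> str:
    """Undo the report's JSON-style escaping of REG_SZ data (doubled backslashes, escaped quotes)."""
    return value.replace('\\"', '"').replace('\\\\', '\\')


def handler_image(command: str) -> str:
    """Executable a shell\\open\\command string launches: a quoted first token wins,
    otherwise cut at the first '.exe' (how an unquoted 'C:\\Program Files (x86)\\X.EXE %1' resolves)."""
    m = re.match(r'^"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r'^(.*?\.exe)(?=\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def triage_registry(reg_lines, file_lines):
    """One Finding per REG_SZ write that installs a Run key or a shell 'open' handler."""
    # lower-cased dropped path -> process that wrote it
    dropped = {m.group(1).lower(): m.group(2)
               for m in map(FILE_RE.match, file_lines) if m}
    findings = []
    for line in reg_lines:
        m = SET_RE.match(line)
        if not m:
            continue  # "Key created" rows carry no data to judge
        key, raw_value, process = m.groups()
        key_lower = key.lower()
        image = handler_image(unescape(raw_value))
        if "\\currentversion\\run\\" in key_lower:
            f = Finding("T1547.001 Registry Run key", key, image, process)
        else:
            cm = re.search(r"\\classes\\([^\\]+)\\shell\\open\\command\\?$", key_lower)
            if not cm:
                continue
            progid = cm.group(1)
            f = Finding("T1546.001 file association handler", key, image, process)
            expected = EXPECTED_HANDLERS.get(progid)
            actual = image.rsplit("\\", 1)[-1].lower()
            if expected is None:
                f.reasons.append(f"non-standard ProgID {progid}")
            elif actual != expected:
                f.reasons.append(f"{progid} handler changed from {expected} to {actual}")
        low = image.lower()
        if any(d in low for d in SUSPICIOUS_DIRS):
            f.reasons.append("handler lives in a hidden or user-writable location")
        if low in dropped:
            f.reasons.append(f"handler is a file dropped by {dropped[low]}")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_registry(REGISTRY_IOCS, FILE_IOCS):
        print(f"{f.technique}: {f.image} (set by {f.process})")
        for r in f.reasons:
            print("    -", r)
```

Run against the rows copied from this report, the script yields five findings: the Run key and both custom ProgIDs resolve to IYEEY.EXE or PJZUX.EXE, which the same process created under Program Files (x86), while txtfile and QQQ.file are redirected to C:\$Recycle.Bin\QHS.EXE, a path the report's file list never shows being written. The unquoted "C:\\Program Files (x86)\\PJZUX.EXE %1" value is worth noting on its own: handler_image cuts at the first ".exe" so it is attributed to the right binary rather than to "C:\Program".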
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2632 wrote to memory of 2836 | 2632 | 51bd9100778403dc0f688e75ba809470N.exe | 30
PID 2632 wrote to memory of 2836 | 2632 | 51bd9100778403dc0f688e75ba809470N.exe | 30
PID 2632 wrote to memory of 2836 | 2632 | 51bd9100778403dc0f688e75ba809470N.exe | 30
PID 2632 wrote to memory of 2836 | 2632 | 51bd9100778403dc0f688e75ba809470N.exe | 30
Processes
C:\Users\Admin\AppData\Local\Temp\51bd9100778403dc0f688e75ba809470N.exe (PID 2632)
  command line: "C:\Users\Admin\AppData\Local\Temp\51bd9100778403dc0f688e75ba809470N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\$Recycle.Bin\WQL.EXE (PID 2836, child of PID 2632)
    command line: C:\$Recycle.Bin\WQL.EXE
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.8MB
MD5: d2a9563bd2fb20d9739436b056837bca
SHA1: 5f03a62b36efc3524a44c32e47dc7878c8f95713
SHA256: ac1cb3f40dd1a8c398f644e8adae0798eeab0fd91e3564867c8708222c605261
SHA512: 85e72a5e1ca324cadea60f1ecab06ccdbc5ea2fe53a46c07177cce001844a0c78e57c1f72d60049be032f301094e1d58422a1c1e1318f23aab7a3333bdc5bc59

Filesize: 3.8MB
MD5: d8bd4136f7710b6b53cf896273fa0f03
SHA1: 4d4467bc86518d94d53876326b859cb8fa657775
SHA256: 94943365784f52d9fd613c48ecd252adf208bc08e86c4c1d522db69a21fc8183
SHA512: 243e6e0997b5dbf1268c34e19ceea0a6283fb80c3efdf122382fe10d24ec1571845ec130019f38230670242ae2e9d409712136dc1c012d79ba4a5f38d0724da7