06fe6437d4f617e320d87412411eab1405a2f0e3db836f748e9f2c925925e123

Analysis

max time kernel
93s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9.exe
Size

315KB
MD5

fcbace1d61896c77315c37d60ac0e8ba
SHA1

c5a943c52d2479b2acf25b74318cc35fb7463ce3
SHA256

3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9
SHA512

d3817c88a7981b6356d43695d98ac45613d2f5708a31e9cfefe574bbce0d5b607d75b8935b7c712d8b00ff8c24a350e2f1920cdf143d427026c750af14354a9a
SSDEEP

6144:TxDXn5Nll+IMvGQNhauH4Ia79FldQ28EP5tWhMDZ7:NVFiGQ7awaJF428EP5EhAV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3556	zqmpr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3012	3556	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqmpr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 3556	1928	3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9.exe	83
PID 1928 wrote to memory of 3556	1928	3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9.exe	83
PID 1928 wrote to memory of 3556	1928	3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9.exe	83
PID 3556 wrote to memory of 3888	3556	zqmpr.exe	84
PID 3556 wrote to memory of 3888	3556	zqmpr.exe	84
PID 3556 wrote to memory of 3888	3556	zqmpr.exe	84

C:\Users\Admin\AppData\Local\Temp\3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9.exe
"C:\Users\Admin\AppData\Local\Temp\3db51e29aef16473b5febc21b1f3a8024c8da7c2b7f5600fbc5324713f5fd7c9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\zqmpr.exe
  C:\Users\Admin\AppData\Local\Temp\zqmpr.exe C:\Users\Admin\AppData\Local\Temp\xjfzjtquol
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Users\Admin\AppData\Local\Temp\zqmpr.exe
    C:\Users\Admin\AppData\Local\Temp\zqmpr.exe C:\Users\Admin\AppData\Local\Temp\xjfzjtquol
    3⤵
    PID:3888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 532
    3⤵
    - Program crash
    PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3556 -ip 3556
1⤵
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gj583cj9xaqbtzj

Filesize
211KB

MD5
711f2b058ad98319923accd36d79ddee

SHA1
3519abfca77a106b3b680bbaa566c5560e477253

SHA256
4e174dec50f4c982f183929b95fcbdd377e08066ec178f9ce80a6924d3cc822c

SHA512
8554704df1f7f57bd027d399951fc62c2d999be22d3dc2ed7b4c4b23ac4148e06f1c85a9b25960da8803392311f0988e830a09475c66a6c2a300ffc311c10a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjfzjtquol

Filesize
4KB

MD5
9e3fc120951e68dc589ef2d90234eafc

SHA1
d62882da2c7fd141490e3e96bd8a620e027c2981

SHA256
8529b99c3b895869d6fa1b8ca62e00f2226e0ef86caa84ab40540cfd57fcd6ee

SHA512
68b802b535ecf2b6cbee597bb16de2cc7b333986e201499046136476168baa2faac6e27bbeae8019f99cde8adf55bd6068791f6018a1a4117de10c990d2a2e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\zqmpr.exe

Filesize
168KB

MD5
ce74b4dac6b9802e4706f44a435a039d

SHA1
592ec006650f8d45a6082cf4d13644133208be35

SHA256
d5604be362dd75dd20212e628dfbf6eb894e0ed6dd4e31aa09b50fef60dcdcc3

SHA512
5fc8a5f9719f7f258594b04d10a172899b470c1ee06949d9e9a1b2c8a4fe0d0472c5feec62271c4c0ebe27caa0fc704992ca0729d952a92862cf2746621ec6bb

Download Submit
memory/3556-8-0x00000000005A0000-0x00000000005A2000-memory.dmp

Filesize
8KB

Download