Analysis
- max time kernel: 151s
- max time network: 139s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 06-12-2021 07:31
- Static task: static1
- Behavioral task: behavioral1
  - Sample: f_00011d.exe
  - Resource: win7-en-20211104
General
- Target: f_00011d.exe
- Size: 868KB
- MD5: 921211c93c0526423bf3449cb33690ea
- SHA1: 45eb2f70b41f7e782ff27fe6e419bad0e2f00119
- SHA256: d5118735db884a3f2d773207dce44bcaddcba024d8a9877e425f06c3db9dcda8
- SHA512: 574c1a546aa2af07e08dfd0854f5feee9bb13a19f95b5bd154eaa91efbfa950e221880d439c72ddbefb88a474daef296ba3a07d1abab8f9a069e4be066b0779f
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 3312 dqvbeq.exe
  - 2256 dqvbeq.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Windows\SysWOW64\dqvbeq.exe (f_00011d.exe)
  - File opened for modification: C:\Windows\SysWOW64\dqvbeq.exe (f_00011d.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  - 2704 f_00011d.exe (the same entry is listed 64 times in the report)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  - Token: SeIncBasePriorityPrivilege, 2704 f_00011d.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 3312 wrote to memory of 2256 (dqvbeq.exe -> dqvbeq.exe)
  - PID 3312 wrote to memory of 2256 (dqvbeq.exe -> dqvbeq.exe)
  - PID 3312 wrote to memory of 2256 (dqvbeq.exe -> dqvbeq.exe)
  - PID 2704 wrote to memory of 3228 (f_00011d.exe -> cmd.exe)
  - PID 2704 wrote to memory of 3228 (f_00011d.exe -> cmd.exe)
  - PID 2704 wrote to memory of 3228 (f_00011d.exe -> cmd.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\f_00011d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f_00011d.exe"
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\f_00011d.exe > nul
- C:\Windows\SysWOW64\dqvbeq.exe
  Command line: C:\Windows\SysWOW64\dqvbeq.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\dqvbeq.exe
    Command line: C:\Windows\SysWOW64\dqvbeq.exe Cool
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\dqvbeq.exe
  - MD5: 921211c93c0526423bf3449cb33690ea
  - SHA1: 45eb2f70b41f7e782ff27fe6e419bad0e2f00119
  - SHA256: d5118735db884a3f2d773207dce44bcaddcba024d8a9877e425f06c3db9dcda8
  - SHA512: 574c1a546aa2af07e08dfd0854f5feee9bb13a19f95b5bd154eaa91efbfa950e221880d439c72ddbefb88a474daef296ba3a07d1abab8f9a069e4be066b0779f
- memory/2256-121-0x0000000000000000-mapping.dmp
- memory/2704-115-0x0000000010001000-0x000000001001E000-memory.dmp (Filesize: 116KB)
- memory/2704-116-0x000000001001E000-0x0000000010022000-memory.dmp (Filesize: 16KB)
- memory/3228-125-0x0000000000000000-mapping.dmp
- memory/3312-120-0x000000001001E000-0x0000000010022000-memory.dmp (Filesize: 16KB)