00e66cb2f4f9452a1d16af3d25f1882b38d0dc9c879c3c02c0c5496245489409

General

Target

QB18068701.exe
Size

930KB
MD5

489b0396c429da985f03273a8131bb3d
SHA1

a4b1e6b4ac61372a76cc5711765df73307e1925a
SHA256

416be48f063784dfa696921edc4844d902cd88d354f45184e5d23d70db94895f
SHA512

08c86d3e1468a3f67d9e07d785698099f6fb84fa2ac144467cbf932b1354cfd7a8a3da746538e12357a3caf549a1b73d35c7b59705e8202c109f42140b10ff6f

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1216 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

QB18068701.exe

pid process

908 QB18068701.exe
908 QB18068701.exe
908 QB18068701.exe
908 QB18068701.exe
908 QB18068701.exe
908 QB18068701.exe
908 QB18068701.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

QB18068701.exe

description pid process

Token: SeDebugPrivilege 908 QB18068701.exe

pid	process
1216	schtasks.exe

pid	process
908	QB18068701.exe
908	QB18068701.exe
908	QB18068701.exe
908	QB18068701.exe
908	QB18068701.exe
908	QB18068701.exe
908	QB18068701.exe

description	pid	process
Token: SeDebugPrivilege	908	QB18068701.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

QB18068701.exe

description	pid	process	target process
PID 908 wrote to memory of 1216	908	QB18068701.exe	schtasks.exe
PID 908 wrote to memory of 1216	908	QB18068701.exe	schtasks.exe
PID 908 wrote to memory of 1216	908	QB18068701.exe	schtasks.exe
PID 908 wrote to memory of 1216	908	QB18068701.exe	schtasks.exe
PID 908 wrote to memory of 276	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 276	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 276	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 276	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 1968	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 1968	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 1968	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 1968	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 1780	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 1780	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 1780	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 1780	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 684	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 684	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 684	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 684	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 1728	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 1728	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 1728	908	QB18068701.exe	QB18068701.exe
PID 908 wrote to memory of 1728	908	QB18068701.exe	QB18068701.exe

C:\Users\Admin\AppData\Local\Temp\QB18068701.exe
"C:\Users\Admin\AppData\Local\Temp\QB18068701.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CdIObB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3812.tmp"
2⤵
- Creates scheduled task(s)
PID:1216

C:\Users\Admin\AppData\Local\Temp\QB18068701.exe
"{path}"
2⤵
PID:276

C:\Users\Admin\AppData\Local\Temp\QB18068701.exe
"{path}"
2⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\QB18068701.exe
"{path}"
2⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\QB18068701.exe
"{path}"
2⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\QB18068701.exe
"{path}"
2⤵
PID:1728

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3812.tmp
Filesize
1KB

MD5
39c86f5ee37d07d41690663261699117

SHA1
0b6624ef6ea4efe623482eaf21e61aaa68871616

SHA256
5714cc4c17105b32f1c0d246ccd14b3dbd35a54c2dc7db7751301dccb59d8812

SHA512
8121508a084da978cbbf949b047c65d3402a29492d9436e4b99848a1fd893b94029fd9919ff51a05518d8789fc6deaa99abf5ac58873d3c03dc6346f54974ce8

Download Submit
memory/908-54-0x00000000003A0000-0x000000000048E000-memory.dmp

Filesize
952KB

Download
memory/908-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/908-56-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/908-57-0x0000000005660000-0x000000000570E000-memory.dmp

Filesize
696KB

Download
memory/908-58-0x0000000005AE0000-0x0000000005B98000-memory.dmp

Filesize
736KB

Download
memory/1216-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads