Analysis
-
max time kernel
261s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
11-09-2022 22:43
General
-
Target
90f6b0a1f6bf9a503f3107325e0b4abdf8807bb971f7c37cc6a8ed71cfb0e8bc.exe
-
Size
2.7MB
-
MD5
c300e95c5387e917ea8b820a4f12ff26
-
SHA1
06a3e25555589e730f632dd2873381846f9003c8
-
SHA256
90f6b0a1f6bf9a503f3107325e0b4abdf8807bb971f7c37cc6a8ed71cfb0e8bc
-
SHA512
e965a680128bc034617448149c43a500f20338e5f549f1e19e3c8f9f2b923b16b19354f6cedee327d1e829c920e19d970fd2c20a4b5143b5672c12449b5e2454
-
SSDEEP
49152:Iu3GPkg54jeclLyM6iDT1dYCHngsQAjE+Ca7rrExbs1ornY3dsZRKYFHE:f3GX4D6g1d7HnLZwqHrQRnYNsnKYFH
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\90f6b0a1f6bf9a503f3107325e0b4abdf8807bb971f7c37cc6a8ed71cfb0e8bc.exe"C:\Users\Admin\AppData\Local\Temp\90f6b0a1f6bf9a503f3107325e0b4abdf8807bb971f7c37cc6a8ed71cfb0e8bc.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 5 /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exe/C /Query /XML /TN "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\67765327532705345647"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 4082⤵
- Program crash
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {536B31A7-E8E4-40F7-A573-EFF512EB536C} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5c300e95c5387e917ea8b820a4f12ff26
SHA106a3e25555589e730f632dd2873381846f9003c8
SHA25690f6b0a1f6bf9a503f3107325e0b4abdf8807bb971f7c37cc6a8ed71cfb0e8bc
SHA512e965a680128bc034617448149c43a500f20338e5f549f1e19e3c8f9f2b923b16b19354f6cedee327d1e829c920e19d970fd2c20a4b5143b5672c12449b5e2454
-
Filesize
2.7MB
MD5c300e95c5387e917ea8b820a4f12ff26
SHA106a3e25555589e730f632dd2873381846f9003c8
SHA25690f6b0a1f6bf9a503f3107325e0b4abdf8807bb971f7c37cc6a8ed71cfb0e8bc
SHA512e965a680128bc034617448149c43a500f20338e5f549f1e19e3c8f9f2b923b16b19354f6cedee327d1e829c920e19d970fd2c20a4b5143b5672c12449b5e2454
-
Filesize
8KB
-
Filesize
12.5MB
-
Filesize
3.8MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
3.8MB