73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1

General

Target

73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe
Size

2.7MB
MD5

03db63829881328d9dc41bea635ebcf1
SHA1

4ebbb4db5fdc2fe9abb67dc98a6d23cc8f2ddcd1
SHA256

73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1
SHA512

22554bc3527ad1d6350743f166b10836f18a731271ce4481498f127556b6242e06ebc0c244af47e54d07bdc539fda3776dc6ab6ad959416c1babf007b73c0a18
SSDEEP

49152:ZVd8tDA+e7Cpm4n1a2UuXYM2T/AtAMLDRpRPCkrXZ303cPWVMfTdOyu4:N8t3/1RXYpYDdzrJ03cOWfT8P4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1848	mqbkup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1048	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe
1848	mqbkup.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1980	1048	WerFault.exe	26

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1004	schtasks.exe
1424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1048	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe
1848	mqbkup.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1424	1048	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	28
PID 1048 wrote to memory of 1424	1048	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	28
PID 1048 wrote to memory of 1424	1048	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	28
PID 1048 wrote to memory of 1424	1048	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	28
PID 1048 wrote to memory of 1284	1048	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	30
PID 1048 wrote to memory of 1284	1048	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	30
PID 1048 wrote to memory of 1284	1048	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	30
PID 1048 wrote to memory of 1284	1048	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	30
PID 1048 wrote to memory of 1980	1048	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	33
PID 1048 wrote to memory of 1980	1048	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	33
PID 1048 wrote to memory of 1980	1048	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	33
PID 1048 wrote to memory of 1980	1048	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	33
PID 1480 wrote to memory of 1848	1480	taskeng.exe	35
PID 1480 wrote to memory of 1848	1480	taskeng.exe	35
PID 1480 wrote to memory of 1848	1480	taskeng.exe	35
PID 1480 wrote to memory of 1848	1480	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe
"C:\Users\Admin\AppData\Local\Temp\73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1424
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}"
  2⤵
  PID:1284
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\67765327532705345647"
  2⤵
  - Creates scheduled task(s)
  PID:1004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 400
  2⤵
  - Program crash
  PID:1980

C:\Windows\system32\taskeng.exe
taskeng.exe {2691A503-D563-49C4-909D-F3BD3DB38E0D} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe

Filesize
2.7MB

MD5
03db63829881328d9dc41bea635ebcf1

SHA1
4ebbb4db5fdc2fe9abb67dc98a6d23cc8f2ddcd1

SHA256
73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1

SHA512
22554bc3527ad1d6350743f166b10836f18a731271ce4481498f127556b6242e06ebc0c244af47e54d07bdc539fda3776dc6ab6ad959416c1babf007b73c0a18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe

Filesize
2.7MB

MD5
03db63829881328d9dc41bea635ebcf1

SHA1
4ebbb4db5fdc2fe9abb67dc98a6d23cc8f2ddcd1

SHA256
73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1

SHA512
22554bc3527ad1d6350743f166b10836f18a731271ce4481498f127556b6242e06ebc0c244af47e54d07bdc539fda3776dc6ab6ad959416c1babf007b73c0a18

Download Submit
memory/1048-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1048-58-0x0000000001210000-0x0000000001EB1000-memory.dmp

Filesize
12.6MB

Download
memory/1048-59-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1284-56-0x0000000000000000-mapping.dmp

Download
memory/1424-55-0x0000000000000000-mapping.dmp

Download
memory/1848-61-0x0000000000000000-mapping.dmp

Download
memory/1848-64-0x00000000000E0000-0x0000000000D81000-memory.dmp

Filesize
12.6MB

Download
memory/1848-65-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1980-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads