73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1

Analysis

max time kernel
297s
max time network
177s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
16/09/2022, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe
Size

2.7MB
MD5

03db63829881328d9dc41bea635ebcf1
SHA1

4ebbb4db5fdc2fe9abb67dc98a6d23cc8f2ddcd1
SHA256

73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1
SHA512

22554bc3527ad1d6350743f166b10836f18a731271ce4481498f127556b6242e06ebc0c244af47e54d07bdc539fda3776dc6ab6ad959416c1babf007b73c0a18
SSDEEP

49152:ZVd8tDA+e7Cpm4n1a2UuXYM2T/AtAMLDRpRPCkrXZ303cPWVMfTdOyu4:N8t3/1RXYpYDdzrJ03cOWfT8P4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4952	mqbkup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2652	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe
4952	mqbkup.exe
4952	mqbkup.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2864	schtasks.exe
4496	schtasks.exe
4412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2652	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe
2652	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe
4952	mqbkup.exe
4952	mqbkup.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2864	2652	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	67
PID 2652 wrote to memory of 2864	2652	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	67
PID 2652 wrote to memory of 2864	2652	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	67
PID 2652 wrote to memory of 4560	2652	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	69
PID 2652 wrote to memory of 4560	2652	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	69
PID 2652 wrote to memory of 4560	2652	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	69
PID 2652 wrote to memory of 4496	2652	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	71
PID 2652 wrote to memory of 4496	2652	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	71
PID 2652 wrote to memory of 4496	2652	73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe	71
PID 4952 wrote to memory of 4412	4952	mqbkup.exe	75
PID 4952 wrote to memory of 4412	4952	mqbkup.exe	75
PID 4952 wrote to memory of 4412	4952	mqbkup.exe	75

C:\Users\Admin\AppData\Local\Temp\73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe
"C:\Users\Admin\AppData\Local\Temp\73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2864
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}"
  2⤵
  PID:4560
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\67765327532705345647"
  2⤵
  - Creates scheduled task(s)
  PID:4496

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\67765327532705345647

Filesize
1KB

MD5
2f1e90ec805bc2353d78e1f2d2441202

SHA1
2ddd421f9ef3001558b2a2fccbecdb0d01d82233

SHA256
f8fff0fc8378edef7c7cd664c360678c0d64c804fa2c4c6372c7f3126eb210d2

SHA512
293d58142f7b12cdccbb916a2454262e76146c72f11c7b2b5bed7135efa073f47d241eeb321a932801ca0b3a6b96f994c9d3d9b25eb2706b43cb72cc0d510188

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe

Filesize
2.7MB

MD5
03db63829881328d9dc41bea635ebcf1

SHA1
4ebbb4db5fdc2fe9abb67dc98a6d23cc8f2ddcd1

SHA256
73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1

SHA512
22554bc3527ad1d6350743f166b10836f18a731271ce4481498f127556b6242e06ebc0c244af47e54d07bdc539fda3776dc6ab6ad959416c1babf007b73c0a18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe

Filesize
2.7MB

MD5
03db63829881328d9dc41bea635ebcf1

SHA1
4ebbb4db5fdc2fe9abb67dc98a6d23cc8f2ddcd1

SHA256
73d6afecb6e66b60f99384379c9345514a2ef42196ce811e37eb6a389548c7f1

SHA512
22554bc3527ad1d6350743f166b10836f18a731271ce4481498f127556b6242e06ebc0c244af47e54d07bdc539fda3776dc6ab6ad959416c1babf007b73c0a18

Download Submit
memory/2652-156-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-167-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-123-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-124-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-125-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-126-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-127-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-128-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-129-0x0000000000A80000-0x0000000001721000-memory.dmp

Filesize
12.6MB

Download
memory/2652-130-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-157-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-132-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-133-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-135-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-134-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-136-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-137-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-138-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-139-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-140-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-141-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-142-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-143-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-144-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-145-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-146-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-147-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-148-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-149-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-150-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-151-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-152-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-153-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-154-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-159-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-121-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-131-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-122-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-155-0x000000007F2C0000-0x000000007F691000-memory.dmp

Filesize
3.8MB

Download
memory/2652-160-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-161-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-162-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-163-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-164-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-165-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-166-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-158-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-168-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-169-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-170-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-171-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-172-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-173-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-174-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-231-0x0000000000A80000-0x0000000001721000-memory.dmp

Filesize
12.6MB

Download
memory/2652-232-0x000000007F2C0000-0x000000007F691000-memory.dmp

Filesize
3.8MB

Download
memory/2652-120-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2864-183-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2864-178-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2864-179-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2864-180-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2864-181-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2864-182-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2864-176-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2864-177-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2864-185-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2864-184-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2864-186-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/4952-270-0x0000000000DA0000-0x0000000001A41000-memory.dmp

Filesize
12.6MB

Download
memory/4952-271-0x000000007DF90000-0x000000007E361000-memory.dmp

Filesize
3.8MB

Download