3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6

General

Target

3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe
Size

2.7MB
MD5

3e6ab81cb664ef45c63e199d29482770
SHA1

bda51008a7daa74647251d6d5a77fdb856210301
SHA256

3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6
SHA512

fe71b8e01e255c1b18df315f10eb21c869bdd97d2c7f32c45b09ccae6fbfce46fc501f1aa8951a598514de9a32326246d31b8bac9930aab6944986a483ee5031
SSDEEP

49152:DfOs9NOgoQwALr0SJPhFjvGriy0v9IQ2N6/wshHb0e517ytyrCmuC5X1HK:DLv7wq9bGrFc9F2dsZgwytyrLTH

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1968	mqbkup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1652	3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe
1968	mqbkup.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1748	1652	WerFault.exe	23

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1376	schtasks.exe
2024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1652	3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe
1968	mqbkup.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1376	1652	3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe	28
PID 1652 wrote to memory of 1376	1652	3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe	28
PID 1652 wrote to memory of 1376	1652	3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe	28
PID 1652 wrote to memory of 1376	1652	3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe	28
PID 1652 wrote to memory of 812	1652	3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe	30
PID 1652 wrote to memory of 812	1652	3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe	30
PID 1652 wrote to memory of 812	1652	3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe	30
PID 1652 wrote to memory of 812	1652	3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe	30
PID 1652 wrote to memory of 1748	1652	3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe	32
PID 1652 wrote to memory of 1748	1652	3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe	32
PID 1652 wrote to memory of 1748	1652	3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe	32
PID 1652 wrote to memory of 1748	1652	3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe	32
PID 1988 wrote to memory of 1968	1988	taskeng.exe	35
PID 1988 wrote to memory of 1968	1988	taskeng.exe	35
PID 1988 wrote to memory of 1968	1988	taskeng.exe	35
PID 1988 wrote to memory of 1968	1988	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe
"C:\Users\Admin\AppData\Local\Temp\3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1376
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}"
  2⤵
  PID:812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 400
  2⤵
  - Program crash
  PID:1748
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\67765327532705345647"
  2⤵
  - Creates scheduled task(s)
  PID:2024

C:\Windows\system32\taskeng.exe
taskeng.exe {8F3FC86D-F095-493A-88C7-7B2737A961DC} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe

Filesize
2.7MB

MD5
3e6ab81cb664ef45c63e199d29482770

SHA1
bda51008a7daa74647251d6d5a77fdb856210301

SHA256
3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6

SHA512
fe71b8e01e255c1b18df315f10eb21c869bdd97d2c7f32c45b09ccae6fbfce46fc501f1aa8951a598514de9a32326246d31b8bac9930aab6944986a483ee5031

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe

Filesize
2.7MB

MD5
3e6ab81cb664ef45c63e199d29482770

SHA1
bda51008a7daa74647251d6d5a77fdb856210301

SHA256
3051cecc80d74524686f4b38061391860e0b0052a07c4ec4905e54e7f293d7e6

SHA512
fe71b8e01e255c1b18df315f10eb21c869bdd97d2c7f32c45b09ccae6fbfce46fc501f1aa8951a598514de9a32326246d31b8bac9930aab6944986a483ee5031

Download Submit
memory/1652-57-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1652-60-0x0000000000D90000-0x0000000001A22000-memory.dmp

Filesize
12.6MB

Download
memory/1652-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1652-56-0x0000000000D90000-0x0000000001A22000-memory.dmp

Filesize
12.6MB

Download
memory/1968-65-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1968-66-0x00000000001C0000-0x0000000000E52000-memory.dmp

Filesize
12.6MB

Download
memory/1968-67-0x00000000001C0000-0x0000000000E52000-memory.dmp

Filesize
12.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads