4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f

General

Target

4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe
Size

6.1MB
MD5

204df28397f4ce049b324f5e1f8d0b08
SHA1

2032e4f4f2cdc8cb693358b843e924713a5572a6
SHA256

4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f
SHA512

91321602b576be11a80c5ee1cb90f8deabd7ff05ef284a9ed1354d0e43c1f958ebb6f18f829dafcee00060537e70e55638ae3f6e0d40a58fc71cd1dec8b0edfc
SSDEEP

98304:3GKGPWoJk1bL5u281pOr7YqZlYgLho7cVosGO2StYkyvD:3LaJqst1pOrFNho7cVosGO12Z7

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1756	mqbkup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1008	4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe
1008	4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe
1756	mqbkup.exe
1756	mqbkup.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
624	1008	WerFault.exe	27

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1704	schtasks.exe
1580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1008	4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe
1756	mqbkup.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 1704	1008	4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe	28
PID 1008 wrote to memory of 1704	1008	4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe	28
PID 1008 wrote to memory of 1704	1008	4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe	28
PID 1008 wrote to memory of 1704	1008	4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe	28
PID 1008 wrote to memory of 1556	1008	4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe	30
PID 1008 wrote to memory of 1556	1008	4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe	30
PID 1008 wrote to memory of 1556	1008	4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe	30
PID 1008 wrote to memory of 1556	1008	4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe	30
PID 1008 wrote to memory of 624	1008	4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe	33
PID 1008 wrote to memory of 624	1008	4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe	33
PID 1008 wrote to memory of 624	1008	4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe	33
PID 1008 wrote to memory of 624	1008	4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe	33
PID 1744 wrote to memory of 1756	1744	taskeng.exe	35
PID 1744 wrote to memory of 1756	1744	taskeng.exe	35
PID 1744 wrote to memory of 1756	1744	taskeng.exe	35
PID 1744 wrote to memory of 1756	1744	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe
"C:\Users\Admin\AppData\Local\Temp\4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1704
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}"
  2⤵
  PID:1556
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\67765327532705345647"
  2⤵
  - Creates scheduled task(s)
  PID:1580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 192
  2⤵
  - Program crash
  PID:624

C:\Windows\system32\taskeng.exe
taskeng.exe {75CE8B2B-536A-4D13-9A3D-9A5F29740BF7} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe

Filesize
6.1MB

MD5
204df28397f4ce049b324f5e1f8d0b08

SHA1
2032e4f4f2cdc8cb693358b843e924713a5572a6

SHA256
4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f

SHA512
91321602b576be11a80c5ee1cb90f8deabd7ff05ef284a9ed1354d0e43c1f958ebb6f18f829dafcee00060537e70e55638ae3f6e0d40a58fc71cd1dec8b0edfc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe

Filesize
6.1MB

MD5
204df28397f4ce049b324f5e1f8d0b08

SHA1
2032e4f4f2cdc8cb693358b843e924713a5572a6

SHA256
4e64323d39cdbf0ec3af7c241b32f3780e2f9ac994f7082289024e70f150d08f

SHA512
91321602b576be11a80c5ee1cb90f8deabd7ff05ef284a9ed1354d0e43c1f958ebb6f18f829dafcee00060537e70e55638ae3f6e0d40a58fc71cd1dec8b0edfc

Download Submit
memory/1008-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1008-55-0x0000000000400000-0x0000000000D77000-memory.dmp

Filesize
9.5MB

Download
memory/1008-57-0x0000000000400000-0x0000000000D77000-memory.dmp

Filesize
9.5MB

Download
memory/1756-64-0x0000000000400000-0x0000000000D77000-memory.dmp

Filesize
9.5MB

Download
memory/1756-65-0x0000000000400000-0x0000000000D77000-memory.dmp

Filesize
9.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads