c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9

General

Target

c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe
Size

2.6MB
MD5

5cc869a817b715c159ead8fbf935f605
SHA1

bfd3ab07cf3d6fbd65919526c8324d5e16955621
SHA256

c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9
SHA512

516044436ddc83a4ef24eaffaabdd309b3687effe3a223043a4774266814bb82ef72bf183711eb979ce6845700c7bfaaddd22405fbb1ed1c22070e0c46c3d39b
SSDEEP

49152:iQ8Jt0z6z2bgJvzNY4Wax5syo1gKflMNCs7hxLeKP0Vnuctqb6y2WDtEElK:iPJt0O2bgv361x6tLcUuy2g3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1120	mqbkup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1460	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe
1460	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe
1120	mqbkup.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1520	1460	WerFault.exe	17

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1204	schtasks.exe
596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1460	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe
1120	mqbkup.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 1204	1460	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	29
PID 1460 wrote to memory of 1204	1460	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	29
PID 1460 wrote to memory of 1204	1460	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	29
PID 1460 wrote to memory of 1204	1460	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	29
PID 1460 wrote to memory of 872	1460	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	34
PID 1460 wrote to memory of 872	1460	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	34
PID 1460 wrote to memory of 872	1460	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	34
PID 1460 wrote to memory of 872	1460	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	34
PID 1460 wrote to memory of 1520	1460	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	32
PID 1460 wrote to memory of 1520	1460	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	32
PID 1460 wrote to memory of 1520	1460	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	32
PID 1460 wrote to memory of 1520	1460	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	32
PID 2012 wrote to memory of 1120	2012	taskeng.exe	36
PID 2012 wrote to memory of 1120	2012	taskeng.exe	36
PID 2012 wrote to memory of 1120	2012	taskeng.exe	36
PID 2012 wrote to memory of 1120	2012	taskeng.exe	36

C:\Users\Admin\AppData\Local\Temp\c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe
"C:\Users\Admin\AppData\Local\Temp\c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 400
  2⤵
  - Program crash
  PID:1520
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\67765327532705345647"
  2⤵
  - Creates scheduled task(s)
  PID:596
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}"
  2⤵
  PID:872

C:\Windows\system32\taskeng.exe
taskeng.exe {69C35635-69EC-4046-A0A7-1FC7C0E3B97C} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe

Filesize
2.6MB

MD5
5cc869a817b715c159ead8fbf935f605

SHA1
bfd3ab07cf3d6fbd65919526c8324d5e16955621

SHA256
c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9

SHA512
516044436ddc83a4ef24eaffaabdd309b3687effe3a223043a4774266814bb82ef72bf183711eb979ce6845700c7bfaaddd22405fbb1ed1c22070e0c46c3d39b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe

Filesize
2.6MB

MD5
5cc869a817b715c159ead8fbf935f605

SHA1
bfd3ab07cf3d6fbd65919526c8324d5e16955621

SHA256
c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9

SHA512
516044436ddc83a4ef24eaffaabdd309b3687effe3a223043a4774266814bb82ef72bf183711eb979ce6845700c7bfaaddd22405fbb1ed1c22070e0c46c3d39b

Download Submit
memory/1120-64-0x0000000000C80000-0x00000000018F3000-memory.dmp

Filesize
12.4MB

Download
memory/1120-65-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1460-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1460-58-0x0000000000CF0000-0x0000000001963000-memory.dmp

Filesize
12.4MB

Download
memory/1460-59-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads