c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9

Analysis

max time kernel
295s
max time network
179s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
21/09/2022, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe
Size

2.6MB
MD5

5cc869a817b715c159ead8fbf935f605
SHA1

bfd3ab07cf3d6fbd65919526c8324d5e16955621
SHA256

c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9
SHA512

516044436ddc83a4ef24eaffaabdd309b3687effe3a223043a4774266814bb82ef72bf183711eb979ce6845700c7bfaaddd22405fbb1ed1c22070e0c46c3d39b
SSDEEP

49152:iQ8Jt0z6z2bgJvzNY4Wax5syo1gKflMNCs7hxLeKP0Vnuctqb6y2WDtEElK:iPJt0O2bgv361x6tLcUuy2g3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4252	mqbkup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
520	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe
4252	mqbkup.exe
4252	mqbkup.exe
4252	mqbkup.exe
4252	mqbkup.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1996	schtasks.exe
3556	schtasks.exe
4552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
520	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe
520	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe
4252	mqbkup.exe
4252	mqbkup.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 1996	520	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	67
PID 520 wrote to memory of 1996	520	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	67
PID 520 wrote to memory of 1996	520	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	67
PID 520 wrote to memory of 4916	520	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	69
PID 520 wrote to memory of 4916	520	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	69
PID 520 wrote to memory of 4916	520	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	69
PID 520 wrote to memory of 3556	520	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	71
PID 520 wrote to memory of 3556	520	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	71
PID 520 wrote to memory of 3556	520	c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe	71
PID 4252 wrote to memory of 4552	4252	mqbkup.exe	75
PID 4252 wrote to memory of 4552	4252	mqbkup.exe	75
PID 4252 wrote to memory of 4552	4252	mqbkup.exe	75

C:\Users\Admin\AppData\Local\Temp\c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe
"C:\Users\Admin\AppData\Local\Temp\c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:520
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1996
- C:\Windows\SysWOW64\schtasks.exe
  /C /Query /XML /TN "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}"
  2⤵
  PID:4916
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\67765327532705345647"
  2⤵
  - Creates scheduled task(s)
  PID:3556

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\SysWOW64\schtasks.exe
  /C /create /F /sc minute /mo 5 /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\67765327532705345647

Filesize
1KB

MD5
07143eb5a43cd33ddf1d92f5ec90874b

SHA1
bca2cadd54ff11dcf8a07177e42a4909c81e94fc

SHA256
05291ee4ee982ca893b0fba0cdbeafee5b08dcf1642099814783f714ad7a28de

SHA512
b8b7394ff9047d8e17f2dd68a529436bf0047f5bb009e47a658f0ed3375fe3ec455a889d407ad48ba22007894f106a97758090aa0fdaf25e3153be1cbe50e35f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe

Filesize
2.6MB

MD5
5cc869a817b715c159ead8fbf935f605

SHA1
bfd3ab07cf3d6fbd65919526c8324d5e16955621

SHA256
c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9

SHA512
516044436ddc83a4ef24eaffaabdd309b3687effe3a223043a4774266814bb82ef72bf183711eb979ce6845700c7bfaaddd22405fbb1ed1c22070e0c46c3d39b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe

Filesize
2.6MB

MD5
5cc869a817b715c159ead8fbf935f605

SHA1
bfd3ab07cf3d6fbd65919526c8324d5e16955621

SHA256
c5a789a1439ceefd9990f60b91999b1187267eb1709a224ae687bed8463a3aa9

SHA512
516044436ddc83a4ef24eaffaabdd309b3687effe3a223043a4774266814bb82ef72bf183711eb979ce6845700c7bfaaddd22405fbb1ed1c22070e0c46c3d39b

Download Submit
memory/520-156-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-168-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-122-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-124-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-125-0x00000000002E0000-0x0000000000F53000-memory.dmp

Filesize
12.4MB

Download
memory/520-126-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-127-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-128-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-129-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-130-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-131-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-132-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-157-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-134-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-135-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-136-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-137-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-138-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-139-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-140-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-141-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-142-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-143-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-144-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-145-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-146-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-147-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-148-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-149-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-150-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-151-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-152-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-153-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-154-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-155-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-121-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-133-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-123-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-173-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-159-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-161-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-163-0x000000007E070000-0x000000007E441000-memory.dmp

Filesize
3.8MB

Download
memory/520-162-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-164-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-165-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-166-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-167-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-158-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-169-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-170-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-171-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-172-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-160-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-174-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/520-231-0x00000000002E0000-0x0000000000F53000-memory.dmp

Filesize
12.4MB

Download
memory/520-232-0x000000007E070000-0x000000007E441000-memory.dmp

Filesize
3.8MB

Download
memory/520-120-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/1996-176-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/1996-185-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/1996-178-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/1996-186-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/1996-180-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/1996-181-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/1996-182-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/1996-177-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/1996-183-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/1996-179-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/1996-184-0x0000000077D60000-0x0000000077EEE000-memory.dmp

Filesize
1.6MB

Download
memory/4252-269-0x0000000001160000-0x0000000001DD3000-memory.dmp

Filesize
12.4MB

Download
memory/4252-281-0x000000007F1F0000-0x000000007F5C1000-memory.dmp

Filesize
3.8MB

Download
memory/4252-308-0x0000000001160000-0x0000000001DD3000-memory.dmp

Filesize
12.4MB

Download
memory/4252-309-0x000000007F1F0000-0x000000007F5C1000-memory.dmp

Filesize
3.8MB

Download