Analysis
-
max time kernel
298s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
22/09/2022, 10:15
General
-
Target
4fe48642abf895b22488aed15072c094a94afae6c609fedd0f8b148045dea4b9.exe
-
Size
6.0MB
-
MD5
4a762932667c59311568ed01dcfd2b99
-
SHA1
3ded7cfb34ae2c1328bea262863ba781bbe9b82f
-
SHA256
4fe48642abf895b22488aed15072c094a94afae6c609fedd0f8b148045dea4b9
-
SHA512
110fc5575e9051f4f3eeba49e436d32973853ce6712099448e021d7ce841ea9c5ec353a4eafe09fba70049f12e7f00a9588bef6bc0d1e300ecc2ab0af9570827
-
SSDEEP
98304:QnKA6DOm9lIzoO4Lt+CKJaaG4gjuCawzeJJ9rTPsuajVuc0HhGl:Qnh6KwI54R+vAuCaTJdjszjYcehI
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4fe48642abf895b22488aed15072c094a94afae6c609fedd0f8b148045dea4b9.exe"C:\Users\Admin\AppData\Local\Temp\4fe48642abf895b22488aed15072c094a94afae6c609fedd0f8b148045dea4b9.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 5 /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exe/C /Query /XML /TN "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 1922⤵
- Program crash
-
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /tn "Message Queuing Backup{J4G6S2B4M7X2-F6S2J7D9N5-H5D2A3X4V5}" /XML "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\67765327532705345647"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {F7A8A607-C41C-4958-B090-784308B0A145} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\mqb\mqbkup.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD5493bc9456da26c6007657fc1a40f97d2
SHA12a7864614dcdb4674d5b4c6c5aea17b68ba24864
SHA2569eb1e61d09a247b40a2517ebefef3b7eac4af2b9e6ce97ea10a92f5fddde58fc
SHA5124d79da21ecb449112ae09a32e87d6da7d2975b22222452b05a533acae7c05248ccf52c284534455cc8b627d3963c609166c694bdbf5f29696b3c9fe48f10e501
-
Filesize
304KB
MD515ff7a358420fa9e8314cdea8d0c0123
SHA1eb983ac06d2861be02ce00adcc02e7592ddb420a
SHA25601c71ab57b92de93c8887c5ffde65b6040ac9c984992b29df805281367426e1d
SHA512302a996b2a79811d9aea50c459e4b9244f26bd5ae23272e20c921464544427b07d8e4f6bbd7686c5a53b043091e14ffb2b3644c3491ce6272ceca20bb5d3dbb6
-
Filesize
9.4MB
-
Filesize
9.4MB
-
Filesize
8KB
-
Filesize
9.4MB
-
Filesize
9.4MB