0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c

General

Target

0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c.dll
Size

204KB
MD5

6e9024dd2970cdf05368e34f1097289f
SHA1

d5d646c5787e6ca1b07656f254daaab130da7747
SHA256

0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c
SHA512

a91ab4a1c3cf4ea7ef87d5ef7544427a7a45aa350c2d4ee83db06abd6cf25e6cebfa5e33e18b6426286325469720611af552a61ae8f9ef31395a6f9b3d392f7c
SSDEEP

3072:6FjQwsuxxLvqVftnQZQhp7yTzlMecI+XZ5oGc1qxJqwMclgfdK+i8dBPmxSOF:6ZQwlxJCVZmAel/cIPGsIqZcShi8dM

Score

8^/10

upx

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
21	1520	rundll32.exe
38	1520	rundll32.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1484-133-0x0000000075050000-0x0000000075088000-memory.dmp	upx
behavioral2/memory/1484-136-0x0000000075050000-0x0000000075088000-memory.dmp	upx
behavioral2/memory/1484-137-0x0000000075050000-0x0000000075088000-memory.dmp	upx
behavioral2/memory/1520-141-0x0000000074BB0000-0x0000000074BE8000-memory.dmp	upx
behavioral2/memory/1520-144-0x0000000074BB0000-0x0000000074BE8000-memory.dmp	upx
behavioral2/memory/856-148-0x0000000074A90000-0x0000000074AC8000-memory.dmp	upx
behavioral2/memory/856-151-0x0000000074A90000-0x0000000074AC8000-memory.dmp	upx
behavioral2/memory/1484-153-0x0000000075050000-0x0000000075088000-memory.dmp	upx
behavioral2/memory/1520-154-0x0000000074BB0000-0x0000000074BE8000-memory.dmp	upx
behavioral2/memory/856-155-0x0000000074A90000-0x0000000074AC8000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1520	rundll32.exe
856	rundll32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\PROGRA~3\loblbmq.odd	rundll32.exe
File created	C:\PROGRA~3\qmblbol.jss	rundll32.exe
File created	C:\PROGRA~3\loblbmq.fee	rundll32.exe
File opened for modification	C:\PROGRA~3\loblbmq.fee	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1484	2156	rundll32.exe	81
PID 2156 wrote to memory of 1484	2156	rundll32.exe	81
PID 2156 wrote to memory of 1484	2156	rundll32.exe	81
PID 1484 wrote to memory of 1520	1484	rundll32.exe	85
PID 1484 wrote to memory of 1520	1484	rundll32.exe	85
PID 1484 wrote to memory of 1520	1484	rundll32.exe	85
PID 1520 wrote to memory of 856	1520	rundll32.exe	86
PID 1520 wrote to memory of 856	1520	rundll32.exe	86
PID 1520 wrote to memory of 856	1520	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c.dll,#1
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\PROGRA~3\qmblbol.jss,CCZ0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\qmblbol.jss,CCZ4
      4⤵
      Loads dropped DLL
      PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\loblbmq.fee

Filesize
90.6MB

MD5
6d0638e0af5f6446c60bbbe48b2a5df8

SHA1
a2697f656f939363412791e13c8156ad0a12e9da

SHA256
2a2f4ee07f41e731d472c191eccbbeddb2a6639784196fdc1f28eaf4729f2f5d

SHA512
23b1f4448686d1def6260b7c951d90203c128cc30c1e8b0eedbf6e1b382be4dace8b9944b7cac4d645b3a60c1f933413b1456fa465308e7f09f83315b4dfabd5

Download Submit
C:\PROGRA~3\qmblbol.jss

Filesize
204KB

MD5
6e9024dd2970cdf05368e34f1097289f

SHA1
d5d646c5787e6ca1b07656f254daaab130da7747

SHA256
0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c

SHA512
a91ab4a1c3cf4ea7ef87d5ef7544427a7a45aa350c2d4ee83db06abd6cf25e6cebfa5e33e18b6426286325469720611af552a61ae8f9ef31395a6f9b3d392f7c

Download Submit
C:\ProgramData\qmblbol.jss

Filesize
204KB

MD5
6e9024dd2970cdf05368e34f1097289f

SHA1
d5d646c5787e6ca1b07656f254daaab130da7747

SHA256
0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c

SHA512
a91ab4a1c3cf4ea7ef87d5ef7544427a7a45aa350c2d4ee83db06abd6cf25e6cebfa5e33e18b6426286325469720611af552a61ae8f9ef31395a6f9b3d392f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmblbol.jss

Filesize
204KB

MD5
6e9024dd2970cdf05368e34f1097289f

SHA1
d5d646c5787e6ca1b07656f254daaab130da7747

SHA256
0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c

SHA512
a91ab4a1c3cf4ea7ef87d5ef7544427a7a45aa350c2d4ee83db06abd6cf25e6cebfa5e33e18b6426286325469720611af552a61ae8f9ef31395a6f9b3d392f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmblbol.jss

Filesize
204KB

MD5
6e9024dd2970cdf05368e34f1097289f

SHA1
d5d646c5787e6ca1b07656f254daaab130da7747

SHA256
0c89080532e850e14ced1e4996a03dd127c32328690622667d5eed87e87ef53c

SHA512
a91ab4a1c3cf4ea7ef87d5ef7544427a7a45aa350c2d4ee83db06abd6cf25e6cebfa5e33e18b6426286325469720611af552a61ae8f9ef31395a6f9b3d392f7c

Download Submit
memory/856-155-0x0000000074A90000-0x0000000074AC8000-memory.dmp

Filesize
224KB

Download
memory/856-148-0x0000000074A90000-0x0000000074AC8000-memory.dmp

Filesize
224KB

Download
memory/856-151-0x0000000074A90000-0x0000000074AC8000-memory.dmp

Filesize
224KB

Download
memory/1484-153-0x0000000075050000-0x0000000075088000-memory.dmp

Filesize
224KB

Download
memory/1484-137-0x0000000075050000-0x0000000075088000-memory.dmp

Filesize
224KB

Download
memory/1484-136-0x0000000075050000-0x0000000075088000-memory.dmp

Filesize
224KB

Download
memory/1484-133-0x0000000075050000-0x0000000075088000-memory.dmp

Filesize
224KB

Download
memory/1520-144-0x0000000074BB0000-0x0000000074BE8000-memory.dmp

Filesize
224KB

Download
memory/1520-154-0x0000000074BB0000-0x0000000074BE8000-memory.dmp

Filesize
224KB

Download
memory/1520-141-0x0000000074BB0000-0x0000000074BE8000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing