Analysis
-
max time kernel: 151s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 20:39
Static task: static1
Behavioral task: behavioral1
  Sample: b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe
  Resource: win10v2004-20220812-en
General
-
Target: b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe
Size: 296KB
MD5: 986b756276b288342694580ede47c052
SHA1: 0ffa35b6cf28d34ac78798697dde42a06eadc55e
SHA256: b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a
SHA512: 2736cb0b0c0ae87f8b9fa2a2085189689116e1ab93e320fadcedaec9e7baa39a4d954e2550adaedeccb7a5dfdaac76e955509200359b5d384cd029ce9669c9e3
SSDEEP: 6144:l0IZ0/J8lG4tL3tQvKi14lH4ofYuYDqs9J8Bm0GuI/wd6C4jw4aBCsCr+WcFPIk:2IZIJ8lG4tBQSLH4EYt+svWmYVd6CMw5
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
  pid   process
  992   QQmu_ma.exe
  888   dvt-drks.exe
YARA rule match (1 IoC)
  resource               yara_rule
  C:\Windows\rxing.bat   vmprotect
  (The matched file is the 18.2MB "rxing.bat" listed under Downloads. A VMProtect rule hit means packed executable code; the .bat extension is cosmetic and should not be read as a batch script.)
Loads dropped DLL (4 IoCs)
  pid    process
  2028   b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe  (4 loads)
Drops file in Windows directory (2 IoCs)
  description    ioc                            process
  File created   C:\Windows\JoachimPeiper.dat   QQmu_ma.exe
  File created   C:\Windows\rxing.bat           QQmu_ma.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description for drive enumeration. On its own it is weak evidence: the report records no file encryption, no ransom note and no mass file writes, so the ransomware label is not supported by anything else on this page.)
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  888   dvt-drks.exe  (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  992   QQmu_ma.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                         pid   process
  Token: 33                           468   AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege   468   AUDIODG.EXE
  Token: 33                           468   AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege   468   AUDIODG.EXE
  (AUDIODG.EXE is the Windows audio engine host. It appears at the top level of the process tree with no link to the sample, so this entry is environment noise rather than sample activity.)
Suspicious use of WriteProcessMemory (15 IoCs)
  source pid   source process                                                           target pid   target process   entries
  2028         b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe   992          QQmu_ma.exe      4
  2028         b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe   888          dvt-drks.exe     4
  992          QQmu_ma.exe                                                              360          explorer.exe     4
  1060         explorer.exe                                                             764          cmd.exe          3
  (Every target is the writer's own newly created child, which is the normal process-creation pattern; nothing here indicates injection into an unrelated process.)
Processes
-
C:\Users\Admin\AppData\Local\Temp\b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe (PID 2028)
  command line: "C:\Users\Admin\AppData\Local\Temp\b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\dvt-drks.exe (PID 888)
      command line: "C:\Users\Admin\AppData\Local\Temp\dvt-drks.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  └ C:\Users\Admin\AppData\Local\Temp\QQmu_ma.exe (PID 992)
      command line: "C:\Users\Admin\AppData\Local\Temp\QQmu_ma.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\explorer.exe (PID 360)
          command line: "C:\Windows\System32\explorer.exe" C:\nod816.bat
-
C:\Windows\system32\AUDIODG.EXE (PID 468)
  command line: C:\Windows\system32\AUDIODG.EXE 0x2e8
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe (PID 1060)
  command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\system32\cmd.exe (PID 764)
      command line: cmd /c ""C:\nod816.bat" "

Note on the chain: QQmu_ma.exe (PID 992) asks explorer.exe to open the dropped C:\nod816.bat. The caller is 32-bit (the module mappings below are all in the WoW64 range), so WoW64 file-system redirection turns its "System32\explorer.exe" into the SysWOW64 image recorded for PID 360. The batch file is then actually run by cmd.exe (PID 764) under a separate, COM-activated explorer.exe instance (PID 1060, started with "/factory,{...} -Embedding"), so the script's parent chain leads back to the shell rather than to the dropper. Parent-child rules keyed on the dropper miss this step; the usable tells are an explorer.exe command line carrying a script path, a cmd.exe child of an "-Embedding" explorer.exe, and a script sitting at a drive root. The report does not show the contents of nod816.bat (374B).
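The following is an added example, not part of the sandbox report: detection logic for the indirect-execution chain in the process tree above, run over Sysmon-style process-creation events. The four events are constructed from the report's process tree (the benign fourth one is invented as a control); the rule IDs, field names and the `-Embedding` / drive-root heuristics are this example's own choices, not anything the sandbox emits.

```python
"""Flag the explorer.exe-mediated script execution seen in the process tree.
Events are dicts with Image, CommandLine, ParentImage, ParentCommandLine
(Sysmon EID 1 shape). Constructed sample data, not sandbox output."""
import re
from typing import Dict, List

# A script path inside a command line, quoted or bare, without embedded spaces.
SCRIPT_RE = re.compile(r'[A-Za-z]:\\[^"\s]*?\.(?:bat|cmd|vbs|js|ps1)\b', re.IGNORECASE)
TEMP_DIR = "\\appdata\\local\\temp\\"

RULES = {
    "R1": "non-shell process uses explorer.exe to open a script (indirect execution)",
    "R2": "cmd.exe runs a script under a COM-activated explorer.exe (-Embedding); parent chain broken",
    "R3": "script executed from the root of a drive",
    "R4": "executable in %TEMP% spawns another executable in %TEMP% (dropper chain)",
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_paths(cmdline: str) -> List[str]:
    return SCRIPT_RE.findall(cmdline)


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the IDs of the rules an event matches, in RULES order."""
    hits = []
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    scripts = script_paths(ev["CommandLine"])
    # R1: explorer.exe launched by something other than the shell, with a script argument.
    if image == "explorer.exe" and scripts and parent != "explorer.exe":
        hits.append("R1")
    # R2: the shell's COM factory instance, not the user's desktop, started cmd.exe on a script.
    if (image == "cmd.exe" and parent == "explorer.exe" and scripts
            and "-embedding" in ev["ParentCommandLine"].lower()):
        hits.append("R2")
    # R3: scripts written straight to C:\ are rare for users and common for droppers.
    if any(re.fullmatch(r"[A-Za-z]:\\[^\\]+", s) for s in scripts):
        hits.append("R3")
    # R4: Temp executable spawning Temp executable.
    if TEMP_DIR in ev["Image"].lower() and TEMP_DIR in ev["ParentImage"].lower():
        hits.append("R4")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    return {i: evaluate(ev) for i, ev in enumerate(events)}


# Constructed from the report's process tree; the last event is a benign control
# (a user double-clicking a .cmd file in their Documents folder).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\QQmu_ma.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\QQmu_ma.exe"',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe",
     "ParentCommandLine": r'"C:\Users\Admin\AppData\Local\Temp\b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe"'},
    {"Image": r"C:\Windows\SysWOW64\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\explorer.exe" C:\nod816.bat',
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\QQmu_ma.exe",
     "ParentCommandLine": r'"C:\Users\Admin\AppData\Local\Temp\QQmu_ma.exe"'},
    {"Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'cmd /c ""C:\nod816.bat" "',
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"},
    {"Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\build.cmd" "',
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, basename(SAMPLE_EVENTS[idx]["Image"]), [RULES[h] for h in hits] or "no match")
```

R1 and R2 are the two halves of the same technique seen from either side of the parent-chain break; alert on R1 alone if your telemetry does not keep ParentCommandLine, since R2 needs it.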
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\QQmu_ma.exe
  Filesize: 284KB
  MD5: d17c7345ef4fbf1484fec9c7f51cbf75
  SHA1: 555bbab9ba2694a904cf4cde59f56dbca436482c
  SHA256: 01c3e32d265d8670081b944366c6c8d485e899136e8ea63ae8069127095d8213
  SHA512: e65ae041e032f51560d6414ec8d29d63335feab9c2f53caaf4f279bf72251def65d2bd8383c6788372b34ea2e148bbd9e23d00d0106d75c222defa7dde44aefb
-
C:\Users\Admin\AppData\Local\Temp\dvt-drks.exe
  Filesize: 231KB
  MD5: 8802d9c10b59e6fe0b8249cc8239eb44
  SHA1: 032c8d25b084a339b961e3934101deaa96efac7f
  SHA256: b77f79f583be068150d1753de970599ccd3603d787a2815459aa792fba555d79
  SHA512: 79ff25a52c4e7a66453f24b33f336b23bc5ca1a0093757fa819e1c23caea863b632622e682543a66a1902e4b7e03b8d983382a05b66347226c8624dc17db85bf
-
C:\Windows\rxing.bat
  Filesize: 18.2MB
  MD5: de9b364971e516df97025c91f56a52b7
  SHA1: f2d0b2dc72cebc45855ba1ef830bdeda81bccf31
  SHA256: 55cd4824054e26f311118fc1630be26f33c1d8fda552fbe5146c9ca7dbad503f
  SHA512: 9777a6ce9bf44fd5d426acc1ddc73910908b9fef1ed942c72e7a4c77fa689f3f91c053cd61690e75b8ae59948ff36e937e5b4cbcd197dff574d32e4d11bc6e1d
-
C:\nod816.bat
  Filesize: 374B
  MD5: c9c561c8d6c771461a8ffa1adfab82a1
  SHA1: ab0d4ecd4e6750cd9c88d007dd39fa8e9abfff0d
  SHA256: fc5f49def9045d1f16ed8b63ee17dc9ecb8813348070a5c34d4ae073184dd077
  SHA512: 1591a86ecb930b594b2b0be8ef8675dfad7b3b73fef28ebe95e9dfacb8fa4e743f1d3052b01d6bc009a86d12505be6098c698bee2ae52c911c6421c8e4137712
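The following is an added example, not part of the report: an offline check that hashes files from a suspect host against the SHA-256 values listed above and, prompted by the VMProtect YARA hit on the 18.2MB "rxing.bat", flags files whose content contradicts their extension (an MZ header under a script extension, and PE sections carrying VMProtect's default `.vmp*` names). The files it writes to a temporary directory are constructed stand-ins, not the real dropped files; the minimal PE it builds has no code and exists only so the section parser has something to read.

```python
"""Hash-match dropped files against the report's IOCs and flag extension/content mismatches.
Added example; the sample directory it creates holds constructed files, not the real samples."""
import hashlib
import struct
import tempfile
from pathlib import Path
from typing import Dict, List

# SHA-256 values copied from the report (General and Downloads sections).
REPORT_IOCS = {
    "b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a": "submitted sample",
    "01c3e32d265d8670081b944366c6c8d485e899136e8ea63ae8069127095d8213": "QQmu_ma.exe",
    "b77f79f583be068150d1753de970599ccd3603d787a2815459aa792fba555d79": "dvt-drks.exe",
    "55cd4824054e26f311118fc1630be26f33c1d8fda552fbe5146c9ca7dbad503f": "rxing.bat",
    "fc5f49def9045d1f16ed8b63ee17dc9ecb8813348070a5c34d4ae073184dd077": "nod816.bat",
}
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1"}


def digests(path: Path) -> Dict[str, str]:
    """MD5/SHA1/SHA256 of a file, computed in one pass over 1 MiB chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def pe_section_names(data: bytes) -> List[bytes]:
    """Section names of a PE image, or [] if the bytes are not a parsable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, pe + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    base = pe + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsec):
        off = base + 40 * i
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def classify(path: Path, iocs: Dict[str, str] = REPORT_IOCS) -> List[str]:
    hits = []
    sha256 = digests(path)["sha256"]
    if sha256 in iocs:
        hits.append("ioc:" + iocs[sha256])
    data = path.read_bytes()
    if path.suffix.lower() in SCRIPT_EXTS and data[:2] == b"MZ":
        hits.append("pe_with_script_extension")
    for name in pe_section_names(data):
        if name.lower().startswith(b".vmp"):   # VMProtect's default section names
            hits.append("vmprotect_section:" + name.decode("latin-1"))
    return hits


def scan_dir(directory: Path, iocs: Dict[str, str] = REPORT_IOCS) -> Dict[str, List[str]]:
    return {p.name: classify(p, iocs) for p in sorted(directory.iterdir()) if p.is_file()}


def fake_vmprotect_pe() -> bytes:
    """Minimal MZ/PE skeleton with one section named .vmp0 (constructed; contains no code)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)  # 1 section, no optional header
    section = b".vmp0".ljust(8, b"\0") + b"\0" * 32
    return dos + coff + section


def make_sample_dir() -> Path:
    """Write constructed stand-ins: a packed-PE-named-.bat, a real batch file, and a tiny blob."""
    d = Path(tempfile.mkdtemp(prefix="dropped-"))
    (d / "rxing.bat").write_bytes(fake_vmprotect_pe())
    (d / "clean.bat").write_bytes(b"@echo off\r\necho hello\r\n")
    (d / "abc.bin").write_bytes(b"abc")
    return d


if __name__ == "__main__":
    for name, hits in scan_dir(make_sample_dir()).items():
        print(name, hits or "clean")
```

On a real host, point `scan_dir` at the collected Temp and C:\Windows directories; the SHA-256 match is the strong signal, while the extension and section checks are meant to surface renamed packed executables that the hash list does not yet cover.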
-
memory/360-65-0x0000000000000000-mapping.dmp
memory/360-67-0x0000000074961000-0x0000000074963000-memory.dmp  Filesize: 8KB
memory/764-70-0x0000000000000000-mapping.dmp
memory/888-63-0x0000000000000000-mapping.dmp
memory/992-58-0x0000000000000000-mapping.dmp
memory/1060-68-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp  Filesize: 8KB
memory/2028-54-0x00000000759F1000-0x00000000759F3000-memory.dmp  Filesize: 8KB
memory/2028-55-0x0000000000340000-0x00000000003EC000-memory.dmp  Filesize: 688KB