b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a

General

Target

b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe
Size

296KB
MD5

986b756276b288342694580ede47c052
SHA1

0ffa35b6cf28d34ac78798697dde42a06eadc55e
SHA256

b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a
SHA512

2736cb0b0c0ae87f8b9fa2a2085189689116e1ab93e320fadcedaec9e7baa39a4d954e2550adaedeccb7a5dfdaac76e955509200359b5d384cd029ce9669c9e3
SSDEEP

6144:l0IZ0/J8lG4tL3tQvKi14lH4ofYuYDqs9J8Bm0GuI/wd6C4jw4aBCsCr+WcFPIk:2IZIJ8lG4tBQSLH4EYt+svWmYVd6CMw5

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

QQmu_ma.exedvt-drks.exe

pid process

992 QQmu_ma.exe
888 dvt-drks.exe

pid	process
992	QQmu_ma.exe
888	dvt-drks.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Windows\rxing.bat	vmprotect

Loads dropped DLL 4 IoCs

Processes:

b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe

pid	process
2028	b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe
2028	b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe
2028	b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe
2028	b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe

Drops file in Windows directory 2 IoCs

Processes:

QQmu_ma.exe

description ioc process

File created C:\Windows\JoachimPeiper.dat QQmu_ma.exe
File created C:\Windows\rxing.bat QQmu_ma.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\JoachimPeiper.dat	QQmu_ma.exe
File created	C:\Windows\rxing.bat	QQmu_ma.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dvt-drks.exe

pid	process
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe
888	dvt-drks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

QQmu_ma.exe

pid process

992 QQmu_ma.exe

pid	process
992	QQmu_ma.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	468	AUDIODG.EXE
Token: 33	468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	468	AUDIODG.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exeQQmu_ma.exeexplorer.exe

description	pid	process	target process
PID 2028 wrote to memory of 992	2028	b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe	QQmu_ma.exe
PID 2028 wrote to memory of 992	2028	b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe	QQmu_ma.exe
PID 2028 wrote to memory of 992	2028	b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe	QQmu_ma.exe
PID 2028 wrote to memory of 992	2028	b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe	QQmu_ma.exe
PID 2028 wrote to memory of 888	2028	b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe	dvt-drks.exe
PID 2028 wrote to memory of 888	2028	b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe	dvt-drks.exe
PID 2028 wrote to memory of 888	2028	b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe	dvt-drks.exe
PID 2028 wrote to memory of 888	2028	b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe	dvt-drks.exe
PID 992 wrote to memory of 360	992	QQmu_ma.exe	explorer.exe
PID 992 wrote to memory of 360	992	QQmu_ma.exe	explorer.exe
PID 992 wrote to memory of 360	992	QQmu_ma.exe	explorer.exe
PID 992 wrote to memory of 360	992	QQmu_ma.exe	explorer.exe
PID 1060 wrote to memory of 764	1060	explorer.exe	cmd.exe
PID 1060 wrote to memory of 764	1060	explorer.exe	cmd.exe
PID 1060 wrote to memory of 764	1060	explorer.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe
"C:\Users\Admin\AppData\Local\Temp\b63453fe6b8e3e7f57394d7c56e2ee1669fefb48d1c2af85d5c8c4c7e0299a9a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\dvt-drks.exe
"C:\Users\Admin\AppData\Local\Temp\dvt-drks.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:888

C:\Users\Admin\AppData\Local\Temp\QQmu_ma.exe
"C:\Users\Admin\AppData\Local\Temp\QQmu_ma.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\nod816.bat
3⤵
PID:360

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\system32\cmd.exe
cmd /c ""C:\nod816.bat" "
2⤵
PID:764

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QQmu_ma.exe
Filesize
284KB

MD5
d17c7345ef4fbf1484fec9c7f51cbf75

SHA1
555bbab9ba2694a904cf4cde59f56dbca436482c

SHA256
01c3e32d265d8670081b944366c6c8d485e899136e8ea63ae8069127095d8213

SHA512
e65ae041e032f51560d6414ec8d29d63335feab9c2f53caaf4f279bf72251def65d2bd8383c6788372b34ea2e148bbd9e23d00d0106d75c222defa7dde44aefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvt-drks.exe
Filesize
231KB

MD5
8802d9c10b59e6fe0b8249cc8239eb44

SHA1
032c8d25b084a339b961e3934101deaa96efac7f

SHA256
b77f79f583be068150d1753de970599ccd3603d787a2815459aa792fba555d79

SHA512
79ff25a52c4e7a66453f24b33f336b23bc5ca1a0093757fa819e1c23caea863b632622e682543a66a1902e4b7e03b8d983382a05b66347226c8624dc17db85bf

Download Submit
C:\Windows\rxing.bat
Filesize
18.2MB

MD5
de9b364971e516df97025c91f56a52b7

SHA1
f2d0b2dc72cebc45855ba1ef830bdeda81bccf31

SHA256
55cd4824054e26f311118fc1630be26f33c1d8fda552fbe5146c9ca7dbad503f

SHA512
9777a6ce9bf44fd5d426acc1ddc73910908b9fef1ed942c72e7a4c77fa689f3f91c053cd61690e75b8ae59948ff36e937e5b4cbcd197dff574d32e4d11bc6e1d

Download Submit
C:\nod816.bat
Filesize
374B

MD5
c9c561c8d6c771461a8ffa1adfab82a1

SHA1
ab0d4ecd4e6750cd9c88d007dd39fa8e9abfff0d

SHA256
fc5f49def9045d1f16ed8b63ee17dc9ecb8813348070a5c34d4ae073184dd077

SHA512
1591a86ecb930b594b2b0be8ef8675dfad7b3b73fef28ebe95e9dfacb8fa4e743f1d3052b01d6bc009a86d12505be6098c698bee2ae52c911c6421c8e4137712

Download Submit
\Users\Admin\AppData\Local\Temp\QQmu_ma.exe
Filesize
284KB

MD5
d17c7345ef4fbf1484fec9c7f51cbf75

SHA1
555bbab9ba2694a904cf4cde59f56dbca436482c

SHA256
01c3e32d265d8670081b944366c6c8d485e899136e8ea63ae8069127095d8213

SHA512
e65ae041e032f51560d6414ec8d29d63335feab9c2f53caaf4f279bf72251def65d2bd8383c6788372b34ea2e148bbd9e23d00d0106d75c222defa7dde44aefb

Download Submit
\Users\Admin\AppData\Local\Temp\QQmu_ma.exe
Filesize
284KB

MD5
d17c7345ef4fbf1484fec9c7f51cbf75

SHA1
555bbab9ba2694a904cf4cde59f56dbca436482c

SHA256
01c3e32d265d8670081b944366c6c8d485e899136e8ea63ae8069127095d8213

SHA512
e65ae041e032f51560d6414ec8d29d63335feab9c2f53caaf4f279bf72251def65d2bd8383c6788372b34ea2e148bbd9e23d00d0106d75c222defa7dde44aefb

Download Submit
\Users\Admin\AppData\Local\Temp\dvt-drks.exe
Filesize
231KB

MD5
8802d9c10b59e6fe0b8249cc8239eb44

SHA1
032c8d25b084a339b961e3934101deaa96efac7f

SHA256
b77f79f583be068150d1753de970599ccd3603d787a2815459aa792fba555d79

SHA512
79ff25a52c4e7a66453f24b33f336b23bc5ca1a0093757fa819e1c23caea863b632622e682543a66a1902e4b7e03b8d983382a05b66347226c8624dc17db85bf

Download Submit
\Users\Admin\AppData\Local\Temp\dvt-drks.exe
Filesize
231KB

MD5
8802d9c10b59e6fe0b8249cc8239eb44

SHA1
032c8d25b084a339b961e3934101deaa96efac7f

SHA256
b77f79f583be068150d1753de970599ccd3603d787a2815459aa792fba555d79

SHA512
79ff25a52c4e7a66453f24b33f336b23bc5ca1a0093757fa819e1c23caea863b632622e682543a66a1902e4b7e03b8d983382a05b66347226c8624dc17db85bf

Download Submit
memory/360-65-0x0000000000000000-mapping.dmp

Download
memory/360-67-0x0000000074961000-0x0000000074963000-memory.dmp

Filesize
8KB

Download
memory/764-70-0x0000000000000000-mapping.dmp

Download
memory/888-63-0x0000000000000000-mapping.dmp

Download
memory/992-58-0x0000000000000000-mapping.dmp

Download
memory/1060-68-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/2028-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/2028-55-0x0000000000340000-0x00000000003EC000-memory.dmp

Filesize
688KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads