b0b669b37c23966b17af9b6fa2f891e9bcfffe1054dbd26d1323c5a9f3cc3c1e

Analysis

max time kernel
4s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 19:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b0b669b37c23966b17af9b6fa2f891e9bcfffe1054dbd26d1323c5a9f3cc3c1e.exe
Size

368KB
MD5

9a328f933fa69693729fc495697f685a
SHA1

411ff504a923be81135ac27057e2cb0b16c767d4
SHA256

b0b669b37c23966b17af9b6fa2f891e9bcfffe1054dbd26d1323c5a9f3cc3c1e
SHA512

60d92adae439bb62628c5c97648a6e0326e7780841b8cb03666d26d8b732a9d73ee45a4c34bdb0663d9a086de4c8e3cc6795391fac16423abb73181672b5486e
SSDEEP

6144:fTfFDbRnOTrCgqJbReiblsH+0L0LWqDpFBD8DroJgeNN/EhbJ0ycbEmqyR9HK:x5OqguRVblsHrYWSBcI5wr2vq

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
952	QQmuma.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	b0b669b37c23966b17af9b6fa2f891e9bcfffe1054dbd26d1323c5a9f3cc3c1e.exe
2036	b0b669b37c23966b17af9b6fa2f891e9bcfffe1054dbd26d1323c5a9f3cc3c1e.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system_ylmy.exe	QQmuma.exe
File opened for modification	C:\Windows\SysWOW64\system_ylmy.exe	QQmuma.exe
File created	C:\Windows\SysWOW64\kill.bat	QQmuma.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
952	QQmuma.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 952	2036	b0b669b37c23966b17af9b6fa2f891e9bcfffe1054dbd26d1323c5a9f3cc3c1e.exe	28
PID 2036 wrote to memory of 952	2036	b0b669b37c23966b17af9b6fa2f891e9bcfffe1054dbd26d1323c5a9f3cc3c1e.exe	28
PID 2036 wrote to memory of 952	2036	b0b669b37c23966b17af9b6fa2f891e9bcfffe1054dbd26d1323c5a9f3cc3c1e.exe	28
PID 2036 wrote to memory of 952	2036	b0b669b37c23966b17af9b6fa2f891e9bcfffe1054dbd26d1323c5a9f3cc3c1e.exe	28
PID 952 wrote to memory of 564	952	QQmuma.exe	29
PID 952 wrote to memory of 564	952	QQmuma.exe	29
PID 952 wrote to memory of 564	952	QQmuma.exe	29
PID 952 wrote to memory of 564	952	QQmuma.exe	29

C:\Users\Admin\AppData\Local\Temp\b0b669b37c23966b17af9b6fa2f891e9bcfffe1054dbd26d1323c5a9f3cc3c1e.exe
"C:\Users\Admin\AppData\Local\Temp\b0b669b37c23966b17af9b6fa2f891e9bcfffe1054dbd26d1323c5a9f3cc3c1e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\QQmuma.exe
  "C:\Users\Admin\AppData\Local\Temp\QQmuma.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Windows\system32\kill.bat""
    3⤵
    PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QQmuma.exe

Filesize
104KB

MD5
a0895c4ea506c838bf22e617d7cc63bf

SHA1
f920e2441a26cb7290e621136bbac340ae0df407

SHA256
ae2c2d421b8aae2c02636469d25579fba19606aea2886a09d3174d8f63fc6da1

SHA512
15e85c3f0c8e27f98add33413e349d131475350e4f127d9f23573ba1b4fe85658bad1c34449ff5175b8e7cc75365a1ec410a8be96714a5b267a7ac882f78eff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQmuma.exe

Filesize
104KB

MD5
a0895c4ea506c838bf22e617d7cc63bf

SHA1
f920e2441a26cb7290e621136bbac340ae0df407

SHA256
ae2c2d421b8aae2c02636469d25579fba19606aea2886a09d3174d8f63fc6da1

SHA512
15e85c3f0c8e27f98add33413e349d131475350e4f127d9f23573ba1b4fe85658bad1c34449ff5175b8e7cc75365a1ec410a8be96714a5b267a7ac882f78eff5

Download Submit
C:\Windows\SysWOW64\kill.bat

Filesize
70B

MD5
ccc4323690d726c4e63d2a73c8e398f5

SHA1
24986c604ceb8b3686be7d53cbac3d7bc40f2a1b

SHA256
8b1b7518edaa725392eb63ddad15f81e70910a61f413f7e6f710fa32f2d0acc9

SHA512
1abc3ac8cb913d70f1ea1680ed54bbe5929e8376ddea9dc8dc328119664880f300cf10c443ca93c8c477c0dbd9da178c33d91a26be9ef98e18eb5629a8610031

Download Submit
\Users\Admin\AppData\Local\Temp\QQmuma.exe

Filesize
104KB

MD5
a0895c4ea506c838bf22e617d7cc63bf

SHA1
f920e2441a26cb7290e621136bbac340ae0df407

SHA256
ae2c2d421b8aae2c02636469d25579fba19606aea2886a09d3174d8f63fc6da1

SHA512
15e85c3f0c8e27f98add33413e349d131475350e4f127d9f23573ba1b4fe85658bad1c34449ff5175b8e7cc75365a1ec410a8be96714a5b267a7ac882f78eff5

Download Submit
\Users\Admin\AppData\Local\Temp\QQmuma.exe

Filesize
104KB

MD5
a0895c4ea506c838bf22e617d7cc63bf

SHA1
f920e2441a26cb7290e621136bbac340ae0df407

SHA256
ae2c2d421b8aae2c02636469d25579fba19606aea2886a09d3174d8f63fc6da1

SHA512
15e85c3f0c8e27f98add33413e349d131475350e4f127d9f23573ba1b4fe85658bad1c34449ff5175b8e7cc75365a1ec410a8be96714a5b267a7ac882f78eff5

Download Submit
memory/2036-54-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download