be86689698d624efa95db792a1d99882f391bbaf28a1bd226358041274c44ced

General

Target

be86689698d624efa95db792a1d99882f391bbaf28a1bd226358041274c44ced.exe
Size

277KB
MD5

a61d414c7216ef53d79e659e8003efdb
SHA1

19e1f6fa4c70a1063e9a88e662b448b1bd3f4f34
SHA256

be86689698d624efa95db792a1d99882f391bbaf28a1bd226358041274c44ced
SHA512

aca83546949f998798adf616e21e1ac421a6b0f21dd05615c9dcf935a7d86427ea735236c43d446b8e7a9faf99b4d008cc59d55bbf1710bd9d70dbc5996aa4cc
SSDEEP

6144:zm8IQfnnxHSuHT4FZGHrCUR9bPxKSUE9r/kg8omz6HaV:zm8zfnIJFdURVrMg+Cc

Score

9^/10

bootkit persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000015c2b-64.dat	acprotect
behavioral1/files/0x0006000000015c2b-65.dat	acprotect

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1120	QQPCDownload60116.exe
1548	QQPCDownload.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1376-55-0x0000000000400000-0x00000000004D9000-memory.dmp	upx
behavioral1/files/0x0006000000015c2b-64.dat	upx
behavioral1/files/0x0006000000015c2b-65.dat	upx
behavioral1/memory/1548-66-0x0000000010000000-0x00000000101DA000-memory.dmp	upx
behavioral1/memory/1376-67-0x0000000000400000-0x00000000004D9000-memory.dmp	upx
behavioral1/memory/1548-68-0x0000000010000000-0x00000000101DA000-memory.dmp	upx
behavioral1/memory/1376-70-0x0000000000400000-0x00000000004D9000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
1120	QQPCDownload60116.exe
1120	QQPCDownload60116.exe
1548	QQPCDownload.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	QQPCDownload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = c163c9ccf55064498628492221dc5d03	QQPCDownload.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid	QQPCDownload.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd	QQPCDownload.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1548	QQPCDownload.exe
1548	QQPCDownload.exe
1548	QQPCDownload.exe
1548	QQPCDownload.exe
1548	QQPCDownload.exe
1548	QQPCDownload.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1548	QQPCDownload.exe
1548	QQPCDownload.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1548	1120	QQPCDownload60116.exe	30
PID 1120 wrote to memory of 1548	1120	QQPCDownload60116.exe	30
PID 1120 wrote to memory of 1548	1120	QQPCDownload60116.exe	30
PID 1120 wrote to memory of 1548	1120	QQPCDownload60116.exe	30

C:\Users\Admin\AppData\Local\Temp\be86689698d624efa95db792a1d99882f391bbaf28a1bd226358041274c44ced.exe
"C:\Users\Admin\AppData\Local\Temp\be86689698d624efa95db792a1d99882f391bbaf28a1bd226358041274c44ced.exe"
1⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\QQPCDownload60116.exe
C:\Users\Admin\AppData\Local\Temp\QQPCDownload60116.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QQPCDownload.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QQPCDownload.exe" ##cmd=1;supplyid=60116
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QQDownload.dll

Filesize
636KB

MD5
e2401fa2c7096c83a26153135c389b5c

SHA1
7f453599197034ec36716577d4525e4961444af8

SHA256
a9a5456d3878664a0f689d25401de1328a56972a697d38b0798a32de05f42c61

SHA512
a42d0f5e127e3c36e03518eac6da4f953bff912f4515591b8a857c6a525ebc7352769edb5bb389d156babf187bc84bd0981db7a9e50d10fb35b9aa8c10372b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QQPCDownload.exe

Filesize
449KB

MD5
77f662ee28f3965a4d8f3fc0cf55e5d9

SHA1
c78e1e0846bc5a5be770dd1159266c995b4b6fcb

SHA256
3e1a024853a85fab452e078d8014a3ec12c20fe8e836acfcde45ab5d636069c2

SHA512
4fda8167f82c47ba732718aafe5ad544c292e9776ff3a8520d641dc66acaeb5b6d2c9b43de37634080f1e01d52ba95df7896bddccf8abd8ea624cb3171d41c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQPCDownload60116.exe

Filesize
889KB

MD5
d7df8b258c882fe7ac2229ab26efa83d

SHA1
dc099e6be8e77900f34728d46f331ff6e14dae75

SHA256
9c7cc6693aad43de46ea3a5900e81ecc32b601cf3e2a2b428b6d1aef6f0d22c0

SHA512
cdedabe7d359ce30e9b268093cb6fa547fbd9cab8c5bfb96398bd92fd4008d7ed4a942053dcf3add8f30217ca53ae064f223de5bb9f616a15afea29bd8601638

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQPCDownload60116.exe

Filesize
889KB

MD5
d7df8b258c882fe7ac2229ab26efa83d

SHA1
dc099e6be8e77900f34728d46f331ff6e14dae75

SHA256
9c7cc6693aad43de46ea3a5900e81ecc32b601cf3e2a2b428b6d1aef6f0d22c0

SHA512
cdedabe7d359ce30e9b268093cb6fa547fbd9cab8c5bfb96398bd92fd4008d7ed4a942053dcf3add8f30217ca53ae064f223de5bb9f616a15afea29bd8601638

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QQPCDownload.exe

Filesize
449KB

MD5
77f662ee28f3965a4d8f3fc0cf55e5d9

SHA1
c78e1e0846bc5a5be770dd1159266c995b4b6fcb

SHA256
3e1a024853a85fab452e078d8014a3ec12c20fe8e836acfcde45ab5d636069c2

SHA512
4fda8167f82c47ba732718aafe5ad544c292e9776ff3a8520d641dc66acaeb5b6d2c9b43de37634080f1e01d52ba95df7896bddccf8abd8ea624cb3171d41c3a

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QQPCDownload.exe

Filesize
449KB

MD5
77f662ee28f3965a4d8f3fc0cf55e5d9

SHA1
c78e1e0846bc5a5be770dd1159266c995b4b6fcb

SHA256
3e1a024853a85fab452e078d8014a3ec12c20fe8e836acfcde45ab5d636069c2

SHA512
4fda8167f82c47ba732718aafe5ad544c292e9776ff3a8520d641dc66acaeb5b6d2c9b43de37634080f1e01d52ba95df7896bddccf8abd8ea624cb3171d41c3a

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\qqdownload.dll

Filesize
636KB

MD5
e2401fa2c7096c83a26153135c389b5c

SHA1
7f453599197034ec36716577d4525e4961444af8

SHA256
a9a5456d3878664a0f689d25401de1328a56972a697d38b0798a32de05f42c61

SHA512
a42d0f5e127e3c36e03518eac6da4f953bff912f4515591b8a857c6a525ebc7352769edb5bb389d156babf187bc84bd0981db7a9e50d10fb35b9aa8c10372b1d

Download Submit
memory/1376-55-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1376-67-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1376-69-0x00000000020A0000-0x00000000020B0000-memory.dmp

Filesize
64KB

Download
memory/1376-70-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1548-66-0x0000000010000000-0x00000000101DA000-memory.dmp

Filesize
1.9MB

Download
memory/1548-68-0x0000000010000000-0x00000000101DA000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing