380d1d54c079094d43ed70d138b6f0d1b7b54d533461f94ada5c635ebea92722

General

Target

43386bdf7184780395e2b03a632d7424.exe
Size

212KB
MD5

43386bdf7184780395e2b03a632d7424
SHA1

484df31bb69b45c5feb67a7c317031d76bc7ac87
SHA256

380d1d54c079094d43ed70d138b6f0d1b7b54d533461f94ada5c635ebea92722
SHA512

13a7b2d4fbd66f544eacdcd9e004f6968a617c2efdcb21d3f27a9829aca4105b30c1e6ba6c317f7595d7ae11f51e7e4cc4f89ee9bb7d7f0cb6675a16d8c728b0
SSDEEP

6144:2RVI4+uRX+qd5bWA3MlCtym/qxWFCV3p:weQsYgMexWF

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2880	qqtwtrtg.exe

Loads dropped DLL 2 IoCs

pid	Process
2804	cmd.exe
2804	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2888	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2632	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2804	1756	43386bdf7184780395e2b03a632d7424.exe	17
PID 1756 wrote to memory of 2804	1756	43386bdf7184780395e2b03a632d7424.exe	17
PID 1756 wrote to memory of 2804	1756	43386bdf7184780395e2b03a632d7424.exe	17
PID 1756 wrote to memory of 2804	1756	43386bdf7184780395e2b03a632d7424.exe	17
PID 2804 wrote to memory of 2888	2804	cmd.exe	16
PID 2804 wrote to memory of 2888	2804	cmd.exe	16
PID 2804 wrote to memory of 2888	2804	cmd.exe	16
PID 2804 wrote to memory of 2888	2804	cmd.exe	16
PID 2804 wrote to memory of 2632	2804	cmd.exe	19
PID 2804 wrote to memory of 2632	2804	cmd.exe	19
PID 2804 wrote to memory of 2632	2804	cmd.exe	19
PID 2804 wrote to memory of 2632	2804	cmd.exe	19
PID 2804 wrote to memory of 2880	2804	cmd.exe	33
PID 2804 wrote to memory of 2880	2804	cmd.exe	33
PID 2804 wrote to memory of 2880	2804	cmd.exe	33
PID 2804 wrote to memory of 2880	2804	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\43386bdf7184780395e2b03a632d7424.exe
"C:\Users\Admin\AppData\Local\Temp\43386bdf7184780395e2b03a632d7424.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /pid 1756 & ping -n 3 127.1 & del /f /q "C:\Users\Admin\AppData\Local\Temp\43386bdf7184780395e2b03a632d7424.exe" & start C:\Users\Admin\AppData\Local\qqtwtrtg.exe -f
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 3 127.1
    3⤵
    - Runs ping.exe
    PID:2632
- - C:\Users\Admin\AppData\Local\qqtwtrtg.exe
    C:\Users\Admin\AppData\Local\qqtwtrtg.exe -f
    3⤵
    - Executes dropped EXE
    PID:2880

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /pid 1756
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\qqtwtrtg.exe

Filesize
1KB

MD5
2e11e847bfb983dcd1fdcab3fb97e6ac

SHA1
f47f4912046d8f066993d0947dbf3d84271cbd1a

SHA256
6a0bb80ab1ed73441468a92ae114e522c48b616fcc8a2200de4a312909f0bdaf

SHA512
e9786107d05a94cdc6cefd9eb141da3bb160e9e19f068da32febac63a5cf6fff6ce017c4243d5b76cc23771e3f670702a3c05150d0f272f56317fa2908fb23c2

Download Submit
\Users\Admin\AppData\Local\qqtwtrtg.exe

Filesize
82KB

MD5
c5f6dd8ab668ad25833b2693773ca6ad

SHA1
80b41063db75762f551e8fd8253d3d0aeca8d54e

SHA256
c5f00166b31760e988d9a430e1380439c63a162428d005e24c27ec6a6b59cc8c

SHA512
0884bdd9b45619368383590cb3f61da784350774824a6f41890c4f011285486ec0bb93372235473b7ac1beb74566c0b5c84fa8ac95bcbd90451a4dcae72f0511

Download Submit
\Users\Admin\AppData\Local\qqtwtrtg.exe

Filesize
20KB

MD5
e6c247db4af3ecabc5961cbd74db28e6

SHA1
221f7c0566bd975d5c85add7bbf114e2fb05c8b2

SHA256
3c523ce55563f8b8c7f8fe45d1dc88367e121a7af1f0165443518825cb1b9d53

SHA512
147eed35874c573ee1cc8de3aa0f8bfbcb42c33df7035f17094fc57c1582db31a201ab55da318e60d15ee08c2fe71fe216005e611d036099d7052eec12fc100b

Download Submit
\Users\Admin\AppData\Local\qqtwtrtg.exe

Filesize
45KB

MD5
163e714f173fd98ef0440a64ee54ac2a

SHA1
163944edb1575b3b9166db0957e4a9078e76b2bf

SHA256
7bc348b0b4b46ea065764c1ef833c1ba3b56b88dfb9708f61237c4b04bee68d6

SHA512
9d24172aae155adfab443302bbb9738312b39af8841f45ecda697837fd3dcc8b0672d7fb389341404ba7c7b96274426247676e5a927d6e21304a88ab4f6789f3

Download Submit
memory/1756-5-0x00000000001C0000-0x00000000001E9000-memory.dmp

Filesize
164KB

Download
memory/1756-6-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/1756-4-0x0000000000450000-0x0000000000452000-memory.dmp

Filesize
8KB

Download
memory/1756-1-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1756-0-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/1756-3-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/2804-10-0x0000000002010000-0x00000000020EC000-memory.dmp

Filesize
880KB

Download
memory/2880-17-0x0000000000350000-0x0000000000352000-memory.dmp

Filesize
8KB

Download
memory/2880-24-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2880-12-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/2880-15-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/2880-16-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/2880-18-0x0000000000230000-0x0000000000259000-memory.dmp

Filesize
164KB

Download
memory/2880-22-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2880-19-0x0000000000CF0000-0x0000000000DCC000-memory.dmp

Filesize
880KB

Download
memory/2880-23-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/2880-13-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2880-26-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/2880-25-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/2880-27-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/2880-29-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/2880-30-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/2880-31-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/2880-32-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download
memory/2880-33-0x0000000001000000-0x00000000010DC000-memory.dmp

Filesize
880KB

Download

Analysis

Sharing