977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff

General

Target

977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe
Size

9.6MB
MD5

146d968d785af6985c30bd2477a6940f
SHA1

9a7090a5c0224b0bf097bd1b0891bd8439ad502a
SHA256

977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff
SHA512

5b1a6a7a37cf04019b9ab1523223f0cb52b1fc337dac115518847e974167fa2dc9cafa9295822e52966bb3c859ef502cb40aaf390bcbac0d9d6d6cacbce5b502
SSDEEP

196608:wzMJddRw6IfM4B8f5UmwhDaUyRsCnCfv2A24C1iN7RFNurZ/A1lM:wzmRw6I24OyACnT24qiN778tovM

Score

7^/10

vmprotect

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe

Executes dropped EXE 1 IoCs

pid	Process
5012	xmqnpc2.01.exe

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0007000000023409-10.dat	vmprotect
behavioral2/memory/5012-22-0x0000000000400000-0x0000000001617000-memory.dmp	vmprotect
behavioral2/memory/5012-28-0x0000000000400000-0x0000000001617000-memory.dmp	vmprotect
behavioral2/memory/5012-33-0x0000000000400000-0x0000000001617000-memory.dmp	vmprotect
behavioral2/memory/5012-35-0x0000000000400000-0x0000000001617000-memory.dmp	vmprotect
behavioral2/memory/5012-36-0x0000000000400000-0x0000000001617000-memory.dmp	vmprotect
behavioral2/memory/5012-37-0x0000000000400000-0x0000000001617000-memory.dmp	vmprotect
behavioral2/memory/5012-38-0x0000000000400000-0x0000000001617000-memory.dmp	vmprotect
behavioral2/memory/5012-39-0x0000000000400000-0x0000000001617000-memory.dmp	vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5012	xmqnpc2.01.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\xmqnpc\mydk_run_loader_x64.dll	977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe
File opened for modification	C:\Program Files (x86)\xmqnpc\mydk_run_loader_x64.dll	977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe
File created	C:\Program Files (x86)\xmqnpc\xmqnpc2.01.exe	977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe
File opened for modification	C:\Program Files (x86)\xmqnpc\xmqnpc2.01.exe	977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe
File created	C:\Program Files (x86)\xmqnpc\__tmp_rar_sfx_access_check_240600343	977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe
File opened for modification	C:\Program Files (x86)\xmqnpc\mydk_run_loader.dll	977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe
File opened for modification	C:\Program Files (x86)\xmqnpc\mydk_run_engine.dll	977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe
File created	C:\Program Files (x86)\xmqnpc\mydk_run_loader.dll	977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe
File opened for modification	C:\Program Files (x86)\xmqnpc	977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe
File created	C:\Program Files (x86)\xmqnpc\mydk_run_engine.dll	977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5012	xmqnpc2.01.exe
5012	xmqnpc2.01.exe
5012	xmqnpc2.01.exe
5012	xmqnpc2.01.exe
5012	xmqnpc2.01.exe
5012	xmqnpc2.01.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5012	xmqnpc2.01.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5012	xmqnpc2.01.exe
5012	xmqnpc2.01.exe
5012	xmqnpc2.01.exe
5012	xmqnpc2.01.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 5012	4136	977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe	85
PID 4136 wrote to memory of 5012	4136	977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe	85
PID 4136 wrote to memory of 5012	4136	977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe	85

C:\Users\Admin\AppData\Local\Temp\977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe
"C:\Users\Admin\AppData\Local\Temp\977672b6b78578b5e79d76bc722d2abc6c616e5d979da296587df6c72a04e9ff.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Program Files (x86)\xmqnpc\xmqnpc2.01.exe
  "C:\Program Files (x86)\xmqnpc\xmqnpc2.01.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\xmqnpc\xmqnpc2.01.exe

Filesize
9.3MB

MD5
9094456cb8fbf335b4a24a12f7c09b76

SHA1
6cc1777976cb1fe2d7870f173a9b8f153d71b241

SHA256
cb22065d057138cf52d53b50410319c49468bac084125c33d10adbc12b8c07c6

SHA512
40c8a37ff94481e601c1ded8f2eb0f9954ac42d8a50a0e0ef305ad00a88fb53021b506975db438c130bc02af422633ded2d527ff73855b935bdef932ceb62edc

Download Submit
memory/5012-17-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/5012-16-0x00000000016C0000-0x00000000016C1000-memory.dmp

Filesize
4KB

Download
memory/5012-15-0x00000000016B0000-0x00000000016B1000-memory.dmp

Filesize
4KB

Download
memory/5012-23-0x0000000000911000-0x0000000000CC3000-memory.dmp

Filesize
3.7MB

Download
memory/5012-22-0x0000000000400000-0x0000000001617000-memory.dmp

Filesize
18.1MB

Download
memory/5012-21-0x0000000001850000-0x0000000001851000-memory.dmp

Filesize
4KB

Download
memory/5012-20-0x0000000001840000-0x0000000001841000-memory.dmp

Filesize
4KB

Download
memory/5012-19-0x0000000001830000-0x0000000001831000-memory.dmp

Filesize
4KB

Download
memory/5012-18-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download
memory/5012-26-0x0000000003CE0000-0x0000000004316000-memory.dmp

Filesize
6.2MB

Download
memory/5012-28-0x0000000000400000-0x0000000001617000-memory.dmp

Filesize
18.1MB

Download
memory/5012-29-0x0000000003CE0000-0x0000000004316000-memory.dmp

Filesize
6.2MB

Download
memory/5012-33-0x0000000000400000-0x0000000001617000-memory.dmp

Filesize
18.1MB

Download
memory/5012-34-0x0000000000911000-0x0000000000CC3000-memory.dmp

Filesize
3.7MB

Download
memory/5012-35-0x0000000000400000-0x0000000001617000-memory.dmp

Filesize
18.1MB

Download
memory/5012-36-0x0000000000400000-0x0000000001617000-memory.dmp

Filesize
18.1MB

Download
memory/5012-37-0x0000000000400000-0x0000000001617000-memory.dmp

Filesize
18.1MB

Download
memory/5012-38-0x0000000000400000-0x0000000001617000-memory.dmp

Filesize
18.1MB

Download
memory/5012-39-0x0000000000400000-0x0000000001617000-memory.dmp

Filesize
18.1MB

Download

Analysis

Sharing