5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78

General

Target

5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
Size

208KB
MD5

710bf0506b826b66239ea8a924d995a0
SHA1

565cfb4743a8a466079c6364ddfc531c890bd389
SHA256

5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78
SHA512

7ad06ce5c2d247d527c9e6bb1276f52c43488937d046430fb0a30529ff4ca0520b315fc2d815e8dab4c4ea1fa1f8a00fc5eade570405b5dba58186c48d1f23fe
SSDEEP

3072:DsfYAYB4nLqk42HkQPKInH1NZGwMZvxPFWTBlg+FpTBi4NLthEjQT6W:Sw6LqmPRnVDGwMDPFWTM+FpViQEjE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2104	QDMMPF.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\QDMMPF.exe	5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
File opened for modification	C:\windows\QDMMPF.exe	5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
File created	C:\windows\QDMMPF.exe.bat	5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QDMMPF.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2440	5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
2104	QDMMPF.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2440	5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
2440	5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
2104	QDMMPF.exe
2104	QDMMPF.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2448	2440	5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe	28
PID 2440 wrote to memory of 2448	2440	5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe	28
PID 2440 wrote to memory of 2448	2440	5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe	28
PID 2440 wrote to memory of 2448	2440	5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe	28
PID 2448 wrote to memory of 2104	2448	cmd.exe	30
PID 2448 wrote to memory of 2104	2448	cmd.exe	30
PID 2448 wrote to memory of 2104	2448	cmd.exe	30
PID 2448 wrote to memory of 2104	2448	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe
"C:\Users\Admin\AppData\Local\Temp\5567f5fa2297a0fa9aadf371172c937662e22a8fce564b4b0e7dde67eeebdd78N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\QDMMPF.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\windows\QDMMPF.exe
    C:\windows\QDMMPF.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\QDMMPF.exe

Filesize
208KB

MD5
4732588a0e91467a3ca0192121df18f1

SHA1
44b513354cf8fbd785a23a0d46c618486c821d68

SHA256
fb6f37809a5f1ca8fa15320e2776851f3388f94b1253f01c3052db0d9ece0608

SHA512
ae52be4ba5324946c208fd65b1bbf25028c0a383e0a05be3bc84c9d2b40d1dd07f0fd9f09f852fad51a491883323c792aee0df4a72aeac82620d65e93185b44c

Download Submit
C:\Windows\QDMMPF.exe.bat

Filesize
58B

MD5
9009ec5606af751135d46713e84d723b

SHA1
47c772e1ea202bfbd543ff4021ca7ab5d117fcac

SHA256
f882845d11fb35d875335e169845e7b9a7d52a0a6be9191570f7e8585449bbed

SHA512
da3e7011ceb0816e826a98184f28dfbde34e1946a084da6fcfaa35e5098dd16b87c87385ddcf3ff3d3d5a723129c48804083188495844f8c0fcab5bab19102db

Download Submit
memory/2104-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2104-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2440-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2440-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2448-16-0x0000000000290000-0x00000000002C8000-memory.dmp

Filesize
224KB

Download
memory/2448-15-0x0000000000290000-0x00000000002C8000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing