ed36ca344011bb8150ab4806ac1e676ea63f06dccb40089050518f625d7169eb

General

Target

ed36ca344011bb8150ab4806ac1e676ea63f06dccb40089050518f625d7169ebN.exe
Size

208KB
MD5

3ea8f9b591abafbb82be43fbfde26a20
SHA1

e9b0cdfdeac763b363311f8d9a22530d0d5ffefd
SHA256

ed36ca344011bb8150ab4806ac1e676ea63f06dccb40089050518f625d7169eb
SHA512

b1b4dcaf1e8c341d32b4f8119974fce7c89f511ec1a9c4979e4764a232339c8b48cf5ce127f870c085dafe08af8e08050d737c38b9b6d94b77e16a545f2b18c0
SSDEEP

3072:j3sdqHpokmreoYTbYks1shvTK7NYBC9/xvim4NLthEjQT6W:YdvFPYQksyhvTCvLrQEjE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2916	MBQC.exe

Loads dropped DLL 2 IoCs

pid	Process
2336	cmd.exe
2336	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\MBQC.exe	ed36ca344011bb8150ab4806ac1e676ea63f06dccb40089050518f625d7169ebN.exe
File opened for modification	C:\windows\SysWOW64\MBQC.exe	ed36ca344011bb8150ab4806ac1e676ea63f06dccb40089050518f625d7169ebN.exe
File created	C:\windows\SysWOW64\MBQC.exe.bat	ed36ca344011bb8150ab4806ac1e676ea63f06dccb40089050518f625d7169ebN.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MBQC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed36ca344011bb8150ab4806ac1e676ea63f06dccb40089050518f625d7169ebN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1860	ed36ca344011bb8150ab4806ac1e676ea63f06dccb40089050518f625d7169ebN.exe
2916	MBQC.exe
2916	MBQC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1860	ed36ca344011bb8150ab4806ac1e676ea63f06dccb40089050518f625d7169ebN.exe
1860	ed36ca344011bb8150ab4806ac1e676ea63f06dccb40089050518f625d7169ebN.exe
2916	MBQC.exe
2916	MBQC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2336	1860	ed36ca344011bb8150ab4806ac1e676ea63f06dccb40089050518f625d7169ebN.exe	30
PID 1860 wrote to memory of 2336	1860	ed36ca344011bb8150ab4806ac1e676ea63f06dccb40089050518f625d7169ebN.exe	30
PID 1860 wrote to memory of 2336	1860	ed36ca344011bb8150ab4806ac1e676ea63f06dccb40089050518f625d7169ebN.exe	30
PID 1860 wrote to memory of 2336	1860	ed36ca344011bb8150ab4806ac1e676ea63f06dccb40089050518f625d7169ebN.exe	30
PID 2336 wrote to memory of 2916	2336	cmd.exe	32
PID 2336 wrote to memory of 2916	2336	cmd.exe	32
PID 2336 wrote to memory of 2916	2336	cmd.exe	32
PID 2336 wrote to memory of 2916	2336	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\ed36ca344011bb8150ab4806ac1e676ea63f06dccb40089050518f625d7169ebN.exe
"C:\Users\Admin\AppData\Local\Temp\ed36ca344011bb8150ab4806ac1e676ea63f06dccb40089050518f625d7169ebN.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\MBQC.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\windows\SysWOW64\MBQC.exe
    C:\windows\system32\MBQC.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MBQC.exe.bat

Filesize
72B

MD5
01bc440491e10c5536e73648e7c54aa2

SHA1
959430c03285ed0b58e60be442829020ca3e4f28

SHA256
eb8485ca44aa169917d9e2c99a71f84b8271c49d3c8f45acbc01cded9f796352

SHA512
c9ee1a84e3677b5db89dd0e26cb06ada6489cb86abe27ba383a0baca6c1d1dc2c3df9eaf2f78d24a2ff868ba2e83b38a9d48379809769b01d806cb64640bccc5

Download Submit
\Windows\SysWOW64\MBQC.exe

Filesize
208KB

MD5
0792a417f71934a319e1eaa49b546702

SHA1
a93a3e3f64fa5579f2086e21814a2b60e9bcd83e

SHA256
626bdb19d4b0f1c5e5129cb60337093c884fd4f2da066f51f5a9422fd63de24c

SHA512
580205f5dda2f4e480e90e0cb2cf9b311becdf22a8a9b7619f2aa692e6fc6e7e20f665fb4b8167d46a0efffc5064daa4b7dfda0dfc8899f2b0037618e4067174

Download Submit
memory/1860-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1860-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2336-18-0x0000000000140000-0x0000000000178000-memory.dmp

Filesize
224KB

Download
memory/2336-17-0x0000000000140000-0x0000000000178000-memory.dmp

Filesize
224KB

Download
memory/2916-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2916-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing