d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8

General

Target

d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe
Size

27.6MB
MD5

dba779040cc9cf606ae3271ec9ef03d0
SHA1

00cd24e75cd21e44c14bc4602df189d34c2b14b2
SHA256

d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8
SHA512

427986dd32cd9ea42ee7da6eb8227ab939833f76a7d796d97b8ed213be3ed3e38dc75c0f332f50864eb972bf3af065f930acbafab8394098b9cd2d0f8158319f
SSDEEP

786432:wbnq//o4Syaf/A7NpfYoLzxCYjTF5wdbzo5p6VmTs1TW5lhH:z//nk8JjxCKSI5p6kTsJW5H

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2744	ChromeSetup.exe
2692	quubmrikb.exe
3336	Mnfgh.exe
4900	Mnfgh.exe

Loads dropped DLL 4 IoCs

pid	Process
1948	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe
1948	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe
1948	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe
1948	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mnfgh.exe	quubmrikb.exe
File opened for modification	C:\Windows\SysWOW64\Mnfgh.exe	quubmrikb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 38 IoCs

pid	Process
2692	quubmrikb.exe
2692	quubmrikb.exe
2692	quubmrikb.exe
2692	quubmrikb.exe
3336	Mnfgh.exe
3336	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe
4900	Mnfgh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quubmrikb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnfgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnfgh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
13304	cmd.exe
3328	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3328	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2692	quubmrikb.exe
Token: 33	4900	Mnfgh.exe
Token: SeIncBasePriorityPrivilege	4900	Mnfgh.exe
Token: 33	4900	Mnfgh.exe
Token: SeIncBasePriorityPrivilege	4900	Mnfgh.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2692	1948	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe	30
PID 1948 wrote to memory of 2692	1948	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe	30
PID 1948 wrote to memory of 2692	1948	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe	30
PID 1948 wrote to memory of 2692	1948	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe	30
PID 3336 wrote to memory of 4900	3336	Mnfgh.exe	34
PID 3336 wrote to memory of 4900	3336	Mnfgh.exe	34
PID 3336 wrote to memory of 4900	3336	Mnfgh.exe	34
PID 3336 wrote to memory of 4900	3336	Mnfgh.exe	34
PID 2692 wrote to memory of 13304	2692	quubmrikb.exe	33
PID 2692 wrote to memory of 13304	2692	quubmrikb.exe	33
PID 2692 wrote to memory of 13304	2692	quubmrikb.exe	33
PID 2692 wrote to memory of 13304	2692	quubmrikb.exe	33
PID 13304 wrote to memory of 3328	13304	cmd.exe	36
PID 13304 wrote to memory of 3328	13304	cmd.exe	36
PID 13304 wrote to memory of 3328	13304	cmd.exe	36
PID 13304 wrote to memory of 3328	13304	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe
"C:\Users\Admin\AppData\Local\Temp\d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\quubmrikb.exe
  "C:\Users\Admin\AppData\Local\Temp\quubmrikb.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\QUUBMR~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:13304
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3328
- C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
  2⤵
  - Executes dropped EXE
  PID:2744

C:\Windows\SysWOW64\Mnfgh.exe
C:\Windows\SysWOW64\Mnfgh.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\SysWOW64\Mnfgh.exe
  C:\Windows\SysWOW64\Mnfgh.exe -acsi
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4900

Network

No results found

206.119.82.22:1797

Mnfgh.exe

152 B
120 B
3
3
206.119.82.22:1797

Mnfgh.exe

52 B
40 B
1
1

No results found

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe

Filesize
8.5MB

MD5
cd32eed7ff292c4be642d7effbcb7a81

SHA1
168b1c3861b0ff480250284b70a6d57b8852a629

SHA256
2e8957863173f7c3ce0e966b7683c04c16c01bdd78e41b6dc2a4b91a1d8f9181

SHA512
597dd3315a05a0dc28a9fd31b24afbe4f6d2094fc95e8c3b5724368d5a15c97ad71c9dee178ae8ef467a32d8bc8aee304bb1b8e560bc964183ff1eaa610f83de

Download Submit
C:\Users\Admin\AppData\Local\Temp\LRGWPP2WW.exe

Filesize
7.3MB

MD5
4f0d9de0d534937dea9dcb479e3f09f7

SHA1
d99b0224a28d360cad57c3ee9b97b2ae1dcc9b74

SHA256
2daae00063e6141cfc30db8b7786566ff10feefa4ea65b4f9980a541a7a5c421

SHA512
11ed7f957eec283fc2846e00c8148c66c61538059bc659978c65d49b9c11500b7057deb8c1ea2f9e39b77a8c9d8df85774dcb41d24ca3e3254c46a2e23f2519b

Download Submit
\Users\Admin\AppData\Local\Temp\quubmrikb.exe

Filesize
27.6MB

MD5
cbd2d222fe6b60ec3ee2f0389a180dc5

SHA1
4648d3752b9f5e9c5c8cd2593794851654c60125

SHA256
1e806975407ff995659c6374f056b237f7b96a9da83977435b3bdf00fdb6e94b

SHA512
bafbec0555566430d0bdb5e6b95a6e7d8b495b9f93788babd294242f91ce30e95b5ec058f29bf6a2ee0a0250658839e7a8cf8f40a5c3b77551eb4fdbccb13d4f

Download Submit
memory/1948-23-0x0000000005A80000-0x0000000007625000-memory.dmp

Filesize
27.6MB

Download
memory/1948-24-0x0000000005A80000-0x0000000007625000-memory.dmp

Filesize
27.6MB

Download
memory/1948-25-0x0000000005A80000-0x0000000007625000-memory.dmp

Filesize
27.6MB

Download
memory/2692-879-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-869-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-899-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-897-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-895-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-893-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-891-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-889-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-887-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-885-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-883-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-881-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-30-0x00000000752B0000-0x00000000752F7000-memory.dmp

Filesize
284KB

Download
memory/2692-877-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-875-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-873-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-871-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-901-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-867-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-865-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-863-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-861-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-859-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-857-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-855-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-853-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-851-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-849-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-847-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-845-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-843-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-841-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download
memory/2692-840-0x0000000003D30000-0x0000000003E41000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.