d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8

General

Target

d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe
Size

27.6MB
MD5

dba779040cc9cf606ae3271ec9ef03d0
SHA1

00cd24e75cd21e44c14bc4602df189d34c2b14b2
SHA256

d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8
SHA512

427986dd32cd9ea42ee7da6eb8227ab939833f76a7d796d97b8ed213be3ed3e38dc75c0f332f50864eb972bf3af065f930acbafab8394098b9cd2d0f8158319f
SSDEEP

786432:wbnq//o4Syaf/A7NpfYoLzxCYjTF5wdbzo5p6VmTs1TW5lhH:z//nk8JjxCKSI5p6kTsJW5H

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2736	ChromeSetup.exe
2968	quubmrikb.exe
12076	Mnfgh.exe
15688	Mnfgh.exe

Loads dropped DLL 4 IoCs

pid	Process
1684	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe
1684	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe
1684	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe
1684	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mnfgh.exe	quubmrikb.exe
File opened for modification	C:\Windows\SysWOW64\Mnfgh.exe	quubmrikb.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs

pid	Process
2968	quubmrikb.exe
2968	quubmrikb.exe
2968	quubmrikb.exe
12076	Mnfgh.exe
12076	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe
15688	Mnfgh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quubmrikb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnfgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnfgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
15676	cmd.exe
15268	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
15268	PING.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2968	quubmrikb.exe
Token: 33	15688	Mnfgh.exe
Token: SeIncBasePriorityPrivilege	15688	Mnfgh.exe
Token: 33	15688	Mnfgh.exe
Token: SeIncBasePriorityPrivilege	15688	Mnfgh.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2968	1684	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe	30
PID 1684 wrote to memory of 2968	1684	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe	30
PID 1684 wrote to memory of 2968	1684	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe	30
PID 1684 wrote to memory of 2968	1684	d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe	30
PID 12076 wrote to memory of 15688	12076	Mnfgh.exe	35
PID 12076 wrote to memory of 15688	12076	Mnfgh.exe	35
PID 12076 wrote to memory of 15688	12076	Mnfgh.exe	35
PID 12076 wrote to memory of 15688	12076	Mnfgh.exe	35
PID 2968 wrote to memory of 15676	2968	quubmrikb.exe	34
PID 2968 wrote to memory of 15676	2968	quubmrikb.exe	34
PID 2968 wrote to memory of 15676	2968	quubmrikb.exe	34
PID 2968 wrote to memory of 15676	2968	quubmrikb.exe	34
PID 15676 wrote to memory of 15268	15676	cmd.exe	37
PID 15676 wrote to memory of 15268	15676	cmd.exe	37
PID 15676 wrote to memory of 15268	15676	cmd.exe	37
PID 15676 wrote to memory of 15268	15676	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe
"C:\Users\Admin\AppData\Local\Temp\d645185fa8fbe338f26ad26972aec46c24e826556e229c059b6adb2669200fe8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\quubmrikb.exe
  "C:\Users\Admin\AppData\Local\Temp\quubmrikb.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\QUUBMR~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:15676
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:15268
- C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"
  2⤵
  - Executes dropped EXE
  PID:2736

C:\Windows\SysWOW64\Mnfgh.exe
C:\Windows\SysWOW64\Mnfgh.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:12076
- C:\Windows\SysWOW64\Mnfgh.exe
  C:\Windows\SysWOW64\Mnfgh.exe -acsi
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:15688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe

Filesize
8.5MB

MD5
cd32eed7ff292c4be642d7effbcb7a81

SHA1
168b1c3861b0ff480250284b70a6d57b8852a629

SHA256
2e8957863173f7c3ce0e966b7683c04c16c01bdd78e41b6dc2a4b91a1d8f9181

SHA512
597dd3315a05a0dc28a9fd31b24afbe4f6d2094fc95e8c3b5724368d5a15c97ad71c9dee178ae8ef467a32d8bc8aee304bb1b8e560bc964183ff1eaa610f83de

Download Submit
C:\Users\Admin\AppData\Local\Temp\LRGWPP2WW.exe

Filesize
7.3MB

MD5
4f0d9de0d534937dea9dcb479e3f09f7

SHA1
d99b0224a28d360cad57c3ee9b97b2ae1dcc9b74

SHA256
2daae00063e6141cfc30db8b7786566ff10feefa4ea65b4f9980a541a7a5c421

SHA512
11ed7f957eec283fc2846e00c8148c66c61538059bc659978c65d49b9c11500b7057deb8c1ea2f9e39b77a8c9d8df85774dcb41d24ca3e3254c46a2e23f2519b

Download Submit
\Users\Admin\AppData\Local\Temp\quubmrikb.exe

Filesize
27.6MB

MD5
cbd2d222fe6b60ec3ee2f0389a180dc5

SHA1
4648d3752b9f5e9c5c8cd2593794851654c60125

SHA256
1e806975407ff995659c6374f056b237f7b96a9da83977435b3bdf00fdb6e94b

SHA512
bafbec0555566430d0bdb5e6b95a6e7d8b495b9f93788babd294242f91ce30e95b5ec058f29bf6a2ee0a0250658839e7a8cf8f40a5c3b77551eb4fdbccb13d4f

Download Submit
memory/1684-27-0x00000000057C0000-0x0000000007365000-memory.dmp

Filesize
27.6MB

Download
memory/1684-23-0x00000000057C0000-0x0000000007365000-memory.dmp

Filesize
27.6MB

Download
memory/1684-29-0x00000000057C0000-0x0000000007365000-memory.dmp

Filesize
27.6MB

Download
memory/2968-869-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-859-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-891-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-889-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-887-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-885-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-883-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-881-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-879-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-877-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-875-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-871-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-30-0x0000000076F90000-0x0000000076FD7000-memory.dmp

Filesize
284KB

Download
memory/2968-867-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-865-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-863-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-861-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-873-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-857-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-855-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-853-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-851-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-849-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-847-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-845-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-843-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-841-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-840-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-901-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-899-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-897-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-895-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download
memory/2968-893-0x0000000003C20000-0x0000000003D31000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads