5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d

Analysis

max time kernel
54s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe
Size

1.5MB
MD5

69503cfbc7aab296b126eadaee54cd7a
SHA1

8f8879200f8f8fae2572e03cecc7bf0b509cf587
SHA256

5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d
SHA512

b6fcb36b25aed5783a11b99183516a20061be925dc90ee4a0d4337877d3f1eacd3ee47527b3c74dad7f2e1f1eb626b695e33219bc8df52530388e03adbf18328
SSDEEP

24576:AvRTs7KezFTuYhzpcDeesRWv6WzT6KfkEp3W8AD/Dhd+y4lqJ8QdCYDoDNKn01:AvDksYhtcDewJOisvD/DX+y4onCYDoD5

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2016	QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe
964	svchost.exe

Loads dropped DLL 10 IoCs

pid	Process
1020	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe
1020	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe
1956	cmd.exe
1936	cmd.exe
1936	cmd.exe
1956	cmd.exe
1568	WerFault.exe
1568	WerFault.exe
1568	WerFault.exe
1568	WerFault.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\my_sfc_os.dll	svchost.exe
File created	C:\Windows\hpig_WS2.dat	svchost.exe
File created	C:\Windows\my_sfc_os.dll	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1568	964	WerFault.exe	32

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1020	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe
2016	QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe
2016	QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe
2016	QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe
2016	QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe
2016	QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 1936	1020	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe	27
PID 1020 wrote to memory of 1936	1020	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe	27
PID 1020 wrote to memory of 1936	1020	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe	27
PID 1020 wrote to memory of 1936	1020	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe	27
PID 1020 wrote to memory of 1956	1020	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe	29
PID 1020 wrote to memory of 1956	1020	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe	29
PID 1020 wrote to memory of 1956	1020	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe	29
PID 1020 wrote to memory of 1956	1020	5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe	29
PID 1936 wrote to memory of 964	1936	cmd.exe	32
PID 1936 wrote to memory of 964	1936	cmd.exe	32
PID 1936 wrote to memory of 964	1936	cmd.exe	32
PID 1936 wrote to memory of 964	1936	cmd.exe	32
PID 1956 wrote to memory of 2016	1956	cmd.exe	31
PID 1956 wrote to memory of 2016	1956	cmd.exe	31
PID 1956 wrote to memory of 2016	1956	cmd.exe	31
PID 1956 wrote to memory of 2016	1956	cmd.exe	31
PID 964 wrote to memory of 1568	964	svchost.exe	33
PID 964 wrote to memory of 1568	964	svchost.exe	33
PID 964 wrote to memory of 1568	964	svchost.exe	33
PID 964 wrote to memory of 1568	964	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe
"C:\Users\Admin\AppData\Local\Temp\5b2923e5788bc673bbb86d54525a50dff06058727aa1aa424059bf6692f0741d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\\svchost.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\\svchost.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 152
      4⤵
      Loads dropped DLL
      Program crash
      PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Users\Admin\AppData\Local\Temp\\QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe
    C:\Users\Admin\AppData\Local\Temp\\QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe

Filesize
656KB

MD5
9f4db558ba57fdcbfac2900a4e9843c5

SHA1
cd7f4f52f1a1ee76284d495835f71f5ac584b502

SHA256
8beb208e79d9ac394cf021f57b89c97aac198f113e03dfbe3e067ff70cff1f78

SHA512
98537373ac5ce43e9a5096b187e17b4911ce24df88248c01b40c8822587ada4311b1ea5c808b22ecdd20ee670911a38204770f0378ff40512e7e97369fff792b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe

Filesize
656KB

MD5
9f4db558ba57fdcbfac2900a4e9843c5

SHA1
cd7f4f52f1a1ee76284d495835f71f5ac584b502

SHA256
8beb208e79d9ac394cf021f57b89c97aac198f113e03dfbe3e067ff70cff1f78

SHA512
98537373ac5ce43e9a5096b187e17b4911ce24df88248c01b40c8822587ada4311b1ea5c808b22ecdd20ee670911a38204770f0378ff40512e7e97369fff792b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
303KB

MD5
dc1f136e2dadc7ad16dbeefc360c3626

SHA1
8b1ff1ff975e0be45723ed46157509e8efcbfccd

SHA256
e707c55b9bb45b981267018b6cb6e40eb89f6e308d441445f054b561c2b0bb63

SHA512
d4e8c700d5eb290a669f41bdf4c50c1d7aa52e087c55a86a5a1e095f10c19664a94b60c1602b16304c3a0e9ef51580e05bf00a07fb286f09ffcbcb83b6329458

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
303KB

MD5
dc1f136e2dadc7ad16dbeefc360c3626

SHA1
8b1ff1ff975e0be45723ed46157509e8efcbfccd

SHA256
e707c55b9bb45b981267018b6cb6e40eb89f6e308d441445f054b561c2b0bb63

SHA512
d4e8c700d5eb290a669f41bdf4c50c1d7aa52e087c55a86a5a1e095f10c19664a94b60c1602b16304c3a0e9ef51580e05bf00a07fb286f09ffcbcb83b6329458

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.1MB

MD5
97c8fe752e354b2945e4c593a87e4a8b

SHA1
03ab4c91535ecf14b13e0258f3a7be459a7957f9

SHA256
820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead

SHA512
af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
56KB

MD5
d63851f89c7ad4615565ca300e8b8e27

SHA1
1c9a6c1ce94581f85be0e99e2d370384b959578f

SHA256
0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d

SHA512
623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

Download Submit
\Users\Admin\AppData\Local\Temp\QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe

Filesize
656KB

MD5
9f4db558ba57fdcbfac2900a4e9843c5

SHA1
cd7f4f52f1a1ee76284d495835f71f5ac584b502

SHA256
8beb208e79d9ac394cf021f57b89c97aac198f113e03dfbe3e067ff70cff1f78

SHA512
98537373ac5ce43e9a5096b187e17b4911ce24df88248c01b40c8822587ada4311b1ea5c808b22ecdd20ee670911a38204770f0378ff40512e7e97369fff792b

Download Submit
\Users\Admin\AppData\Local\Temp\QQ¿Õ¼äÇ¿ÖÆ²é¿´Æ÷ÒýÓÃGOGOQQ¡£COMÒ³Ãæ.exe

Filesize
656KB

MD5
9f4db558ba57fdcbfac2900a4e9843c5

SHA1
cd7f4f52f1a1ee76284d495835f71f5ac584b502

SHA256
8beb208e79d9ac394cf021f57b89c97aac198f113e03dfbe3e067ff70cff1f78

SHA512
98537373ac5ce43e9a5096b187e17b4911ce24df88248c01b40c8822587ada4311b1ea5c808b22ecdd20ee670911a38204770f0378ff40512e7e97369fff792b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
303KB

MD5
dc1f136e2dadc7ad16dbeefc360c3626

SHA1
8b1ff1ff975e0be45723ed46157509e8efcbfccd

SHA256
e707c55b9bb45b981267018b6cb6e40eb89f6e308d441445f054b561c2b0bb63

SHA512
d4e8c700d5eb290a669f41bdf4c50c1d7aa52e087c55a86a5a1e095f10c19664a94b60c1602b16304c3a0e9ef51580e05bf00a07fb286f09ffcbcb83b6329458

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
303KB

MD5
dc1f136e2dadc7ad16dbeefc360c3626

SHA1
8b1ff1ff975e0be45723ed46157509e8efcbfccd

SHA256
e707c55b9bb45b981267018b6cb6e40eb89f6e308d441445f054b561c2b0bb63

SHA512
d4e8c700d5eb290a669f41bdf4c50c1d7aa52e087c55a86a5a1e095f10c19664a94b60c1602b16304c3a0e9ef51580e05bf00a07fb286f09ffcbcb83b6329458

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
303KB

MD5
dc1f136e2dadc7ad16dbeefc360c3626

SHA1
8b1ff1ff975e0be45723ed46157509e8efcbfccd

SHA256
e707c55b9bb45b981267018b6cb6e40eb89f6e308d441445f054b561c2b0bb63

SHA512
d4e8c700d5eb290a669f41bdf4c50c1d7aa52e087c55a86a5a1e095f10c19664a94b60c1602b16304c3a0e9ef51580e05bf00a07fb286f09ffcbcb83b6329458

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
303KB

MD5
dc1f136e2dadc7ad16dbeefc360c3626

SHA1
8b1ff1ff975e0be45723ed46157509e8efcbfccd

SHA256
e707c55b9bb45b981267018b6cb6e40eb89f6e308d441445f054b561c2b0bb63

SHA512
d4e8c700d5eb290a669f41bdf4c50c1d7aa52e087c55a86a5a1e095f10c19664a94b60c1602b16304c3a0e9ef51580e05bf00a07fb286f09ffcbcb83b6329458

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
303KB

MD5
dc1f136e2dadc7ad16dbeefc360c3626

SHA1
8b1ff1ff975e0be45723ed46157509e8efcbfccd

SHA256
e707c55b9bb45b981267018b6cb6e40eb89f6e308d441445f054b561c2b0bb63

SHA512
d4e8c700d5eb290a669f41bdf4c50c1d7aa52e087c55a86a5a1e095f10c19664a94b60c1602b16304c3a0e9ef51580e05bf00a07fb286f09ffcbcb83b6329458

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
303KB

MD5
dc1f136e2dadc7ad16dbeefc360c3626

SHA1
8b1ff1ff975e0be45723ed46157509e8efcbfccd

SHA256
e707c55b9bb45b981267018b6cb6e40eb89f6e308d441445f054b561c2b0bb63

SHA512
d4e8c700d5eb290a669f41bdf4c50c1d7aa52e087c55a86a5a1e095f10c19664a94b60c1602b16304c3a0e9ef51580e05bf00a07fb286f09ffcbcb83b6329458

Download Submit
memory/1020-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1020-58-0x0000000000410000-0x0000000000424000-memory.dmp

Filesize
80KB

Download
memory/1020-56-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1020-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download