dafef583bd979ed6e5d6c87d8d658b89afc4cd1e7c31e7fceb2b30718ecab2ed

Analysis

max time kernel
259s
max time network
352s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QQƱͼ_.exe
Size

1.2MB
MD5

694ca266aaa0bcb3d75348e259346de6
SHA1

9a8b50699d67f6fe56efad1da7b990c380782a7b
SHA256

f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb
SHA512

77a9f2ae86d3e4876a3c165d960580863f77b1f324519ae8200e4a9985faec138cafdcae4d30c874b64ec5a63c486cb5dcb93bd942a87886c3230b4e174c1952
SSDEEP

24576:8mtOGTYtxBLLMBLvVJ3zzs337HOek5ThTYcxkGML5DVEVuPVMDP:8mvTYtxBynMO9Zh9kfFPeb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

CCG0.exeCCG1.exe

pid process

1516 CCG0.exe
528 CCG1.exe

pid	process
1516	CCG0.exe
528	CCG1.exe

Loads dropped DLL 4 IoCs

Processes:

QQƱͼ_.exe

pid	process
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe

Drops file in System32 directory 1 IoCs

Processes:

CCG1.exe

description ioc process

File created C:\Windows\SysWOW64\black.txt CCG1.exe

description	ioc	process
File created	C:\Windows\SysWOW64\black.txt	CCG1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

QQƱͼ_.exe

pid	process
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe
772	QQƱͼ_.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

QQƱͼ_.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	QQƱͼ_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	QQƱͼ_.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

CCG0.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main CCG0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main	CCG0.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

CCG0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	CCG0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	CCG0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CCG1.exe

description pid process

Token: SeDebugPrivilege 528 CCG1.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

CCG0.exe

pid process

1516 CCG0.exe
1516 CCG0.exe
1516 CCG0.exe
1516 CCG0.exe

description	pid	process
Token: SeDebugPrivilege	528	CCG1.exe

pid	process
1516	CCG0.exe
1516	CCG0.exe
1516	CCG0.exe
1516	CCG0.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

QQƱͼ_.exe

description	pid	process	target process
PID 772 wrote to memory of 1516	772	QQƱͼ_.exe	CCG0.exe
PID 772 wrote to memory of 1516	772	QQƱͼ_.exe	CCG0.exe
PID 772 wrote to memory of 1516	772	QQƱͼ_.exe	CCG0.exe
PID 772 wrote to memory of 1516	772	QQƱͼ_.exe	CCG0.exe
PID 772 wrote to memory of 528	772	QQƱͼ_.exe	CCG1.exe
PID 772 wrote to memory of 528	772	QQƱͼ_.exe	CCG1.exe
PID 772 wrote to memory of 528	772	QQƱͼ_.exe	CCG1.exe
PID 772 wrote to memory of 528	772	QQƱͼ_.exe	CCG1.exe

C:\Users\Admin\AppData\Local\Temp\QQƱͼ_.exe
"C:\Users\Admin\AppData\Local\Temp\QQƱͼ_.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Local\Temp\CCG0.exe
C:\Users\Admin\AppData\Local\Temp\CCG0.exe
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Users\Admin\AppData\Local\Temp\CCG1.exe
C:\Users\Admin\AppData\Local\Temp\CCG1.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CCG0.exe
Filesize
644KB

MD5
607b068b6455737865aed2871d19bc5c

SHA1
82fb760b3852988dbb8b31a198bcbfec9d4eb5f8

SHA256
83dfabff856f954323c12a4d4fa974b9e4fbd21547d6cd78bd1aca080ca10095

SHA512
6f65ab430f817a4a66a17ea5b996e1123c3df024db11ed4351a30d4282d64a4901d879ca12d187e6eabfdffe4fe6f5063adb98a0c77061314959038c8b3edeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCG0.exe
Filesize
644KB

MD5
607b068b6455737865aed2871d19bc5c

SHA1
82fb760b3852988dbb8b31a198bcbfec9d4eb5f8

SHA256
83dfabff856f954323c12a4d4fa974b9e4fbd21547d6cd78bd1aca080ca10095

SHA512
6f65ab430f817a4a66a17ea5b996e1123c3df024db11ed4351a30d4282d64a4901d879ca12d187e6eabfdffe4fe6f5063adb98a0c77061314959038c8b3edeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCG1.exe
Filesize
16KB

MD5
1152bed8083e823b20c6500eb0d9adeb

SHA1
9a8fe6524878f3b454e86a12e8991a164b9bdff6

SHA256
69c4107f9a5b88799df07062cd3c863016d32512d7793506404a28a73da09792

SHA512
5bf8a330bdb1789ffeed2858d1055439ff1f8c88b9711123fc08549871f18c69c71fa655f2c79fb6c27b68b86f9694d9fc4418156c454eae2201713e7e8eb1db

Download Submit
\Users\Admin\AppData\Local\Temp\CCG0.exe
Filesize
644KB

MD5
607b068b6455737865aed2871d19bc5c

SHA1
82fb760b3852988dbb8b31a198bcbfec9d4eb5f8

SHA256
83dfabff856f954323c12a4d4fa974b9e4fbd21547d6cd78bd1aca080ca10095

SHA512
6f65ab430f817a4a66a17ea5b996e1123c3df024db11ed4351a30d4282d64a4901d879ca12d187e6eabfdffe4fe6f5063adb98a0c77061314959038c8b3edeb8

Download Submit
\Users\Admin\AppData\Local\Temp\CCG0.exe
Filesize
644KB

MD5
607b068b6455737865aed2871d19bc5c

SHA1
82fb760b3852988dbb8b31a198bcbfec9d4eb5f8

SHA256
83dfabff856f954323c12a4d4fa974b9e4fbd21547d6cd78bd1aca080ca10095

SHA512
6f65ab430f817a4a66a17ea5b996e1123c3df024db11ed4351a30d4282d64a4901d879ca12d187e6eabfdffe4fe6f5063adb98a0c77061314959038c8b3edeb8

Download Submit
\Users\Admin\AppData\Local\Temp\CCG1.exe
Filesize
16KB

MD5
1152bed8083e823b20c6500eb0d9adeb

SHA1
9a8fe6524878f3b454e86a12e8991a164b9bdff6

SHA256
69c4107f9a5b88799df07062cd3c863016d32512d7793506404a28a73da09792

SHA512
5bf8a330bdb1789ffeed2858d1055439ff1f8c88b9711123fc08549871f18c69c71fa655f2c79fb6c27b68b86f9694d9fc4418156c454eae2201713e7e8eb1db

Download Submit
\Users\Admin\AppData\Local\Temp\CCG1.exe
Filesize
16KB

MD5
1152bed8083e823b20c6500eb0d9adeb

SHA1
9a8fe6524878f3b454e86a12e8991a164b9bdff6

SHA256
69c4107f9a5b88799df07062cd3c863016d32512d7793506404a28a73da09792

SHA512
5bf8a330bdb1789ffeed2858d1055439ff1f8c88b9711123fc08549871f18c69c71fa655f2c79fb6c27b68b86f9694d9fc4418156c454eae2201713e7e8eb1db

Download Submit
memory/528-4621-0x0000000000000000-mapping.dmp

Download
memory/772-510-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-4613-0x0000000000840000-0x00000000008E1000-memory.dmp

Filesize
644KB

Download
memory/772-468-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-469-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-467-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-506-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-465-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-470-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-473-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-471-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-472-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-476-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-474-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-475-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-480-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-479-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-478-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-477-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-524-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-523-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-522-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-521-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-520-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-519-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-518-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-517-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-516-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-515-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-514-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-513-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-512-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-511-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-464-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-509-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-508-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-507-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-466-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-463-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-501-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-503-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-502-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-504-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-500-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-499-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-498-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-497-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-496-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-495-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-494-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-493-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-492-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-491-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-490-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-489-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-488-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-487-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-486-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-485-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-484-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-483-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-482-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-481-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-1331-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/772-1332-0x0000000002050000-0x00000000021D1000-memory.dmp

Filesize
1.5MB

Download
memory/772-1668-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/772-4611-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-4612-0x0000000002300000-0x0000000002401000-memory.dmp

Filesize
1.0MB

Download
memory/772-57-0x0000000075C00000-0x0000000075C47000-memory.dmp

Filesize
284KB

Download
memory/772-55-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/772-505-0x00000000021E0000-0x00000000022F1000-memory.dmp

Filesize
1.1MB

Download
memory/772-4624-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/772-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1516-4616-0x0000000000000000-mapping.dmp

Download