dafef583bd979ed6e5d6c87d8d658b89afc4cd1e7c31e7fceb2b30718ecab2ed

General

Target

QQƱͼ_.exe
Size

1.2MB
MD5

694ca266aaa0bcb3d75348e259346de6
SHA1

9a8b50699d67f6fe56efad1da7b990c380782a7b
SHA256

f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb
SHA512

77a9f2ae86d3e4876a3c165d960580863f77b1f324519ae8200e4a9985faec138cafdcae4d30c874b64ec5a63c486cb5dcb93bd942a87886c3230b4e174c1952
SSDEEP

24576:8mtOGTYtxBLLMBLvVJ3zzs337HOek5ThTYcxkGML5DVEVuPVMDP:8mvTYtxBynMO9Zh9kfFPeb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

CCG0.exeCCG1.exe

pid process

4144 CCG0.exe
3472 CCG1.exe
Drops file in System32 directory 1 IoCs

Processes:

CCG1.exe

description ioc process

File created C:\Windows\SysWOW64\black.txt CCG1.exe

pid	process
4144	CCG0.exe
3472	CCG1.exe

description	ioc	process
File created	C:\Windows\SysWOW64\black.txt	CCG1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 55 IoCs

Processes:

QQƱͼ_.exe

pid	process
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe
2672	QQƱͼ_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

QQƱͼ_.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	QQƱͼ_.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	QQƱͼ_.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

CCG0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qq.com	CCG0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qq.com\NumberOfSubdomains = "1"	CCG0.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	CCG0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	CCG0.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	CCG0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	CCG0.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com	CCG0.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	CCG0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CCG1.exe

description pid process

Token: SeDebugPrivilege 3472 CCG1.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

CCG0.exe

pid process

4144 CCG0.exe
4144 CCG0.exe
4144 CCG0.exe
4144 CCG0.exe

description	pid	process
Token: SeDebugPrivilege	3472	CCG1.exe

pid	process
4144	CCG0.exe
4144	CCG0.exe
4144	CCG0.exe
4144	CCG0.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

QQƱͼ_.exe

description	pid	process	target process
PID 2672 wrote to memory of 4144	2672	QQƱͼ_.exe	CCG0.exe
PID 2672 wrote to memory of 4144	2672	QQƱͼ_.exe	CCG0.exe
PID 2672 wrote to memory of 4144	2672	QQƱͼ_.exe	CCG0.exe
PID 2672 wrote to memory of 3472	2672	QQƱͼ_.exe	CCG1.exe
PID 2672 wrote to memory of 3472	2672	QQƱͼ_.exe	CCG1.exe
PID 2672 wrote to memory of 3472	2672	QQƱͼ_.exe	CCG1.exe

C:\Users\Admin\AppData\Local\Temp\QQƱͼ_.exe
"C:\Users\Admin\AppData\Local\Temp\QQƱͼ_.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\CCG0.exe
C:\Users\Admin\AppData\Local\Temp\CCG0.exe
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Users\Admin\AppData\Local\Temp\CCG1.exe
C:\Users\Admin\AppData\Local\Temp\CCG1.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CCG0.exe
Filesize
644KB

MD5
607b068b6455737865aed2871d19bc5c

SHA1
82fb760b3852988dbb8b31a198bcbfec9d4eb5f8

SHA256
83dfabff856f954323c12a4d4fa974b9e4fbd21547d6cd78bd1aca080ca10095

SHA512
6f65ab430f817a4a66a17ea5b996e1123c3df024db11ed4351a30d4282d64a4901d879ca12d187e6eabfdffe4fe6f5063adb98a0c77061314959038c8b3edeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCG0.exe
Filesize
644KB

MD5
607b068b6455737865aed2871d19bc5c

SHA1
82fb760b3852988dbb8b31a198bcbfec9d4eb5f8

SHA256
83dfabff856f954323c12a4d4fa974b9e4fbd21547d6cd78bd1aca080ca10095

SHA512
6f65ab430f817a4a66a17ea5b996e1123c3df024db11ed4351a30d4282d64a4901d879ca12d187e6eabfdffe4fe6f5063adb98a0c77061314959038c8b3edeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCG1.exe
Filesize
16KB

MD5
1152bed8083e823b20c6500eb0d9adeb

SHA1
9a8fe6524878f3b454e86a12e8991a164b9bdff6

SHA256
69c4107f9a5b88799df07062cd3c863016d32512d7793506404a28a73da09792

SHA512
5bf8a330bdb1789ffeed2858d1055439ff1f8c88b9711123fc08549871f18c69c71fa655f2c79fb6c27b68b86f9694d9fc4418156c454eae2201713e7e8eb1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\CCG1.exe
Filesize
16KB

MD5
1152bed8083e823b20c6500eb0d9adeb

SHA1
9a8fe6524878f3b454e86a12e8991a164b9bdff6

SHA256
69c4107f9a5b88799df07062cd3c863016d32512d7793506404a28a73da09792

SHA512
5bf8a330bdb1789ffeed2858d1055439ff1f8c88b9711123fc08549871f18c69c71fa655f2c79fb6c27b68b86f9694d9fc4418156c454eae2201713e7e8eb1db

Download Submit
memory/2672-1488-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2672-1479-0x00000000024B0000-0x00000000025B0000-memory.dmp

Filesize
1024KB

Download
memory/2672-1487-0x00000000024B0000-0x00000000025B0000-memory.dmp

Filesize
1024KB

Download
memory/2672-137-0x0000000075AF0000-0x0000000075B6A000-memory.dmp

Filesize
488KB

Download
memory/2672-136-0x00000000766F0000-0x0000000076890000-memory.dmp

Filesize
1.6MB

Download
memory/2672-132-0x0000000077520000-0x00000000776C3000-memory.dmp

Filesize
1.6MB

Download
memory/2672-134-0x0000000076390000-0x00000000765A5000-memory.dmp

Filesize
2.1MB

Download
memory/2672-133-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2672-1486-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3472-1483-0x0000000000000000-mapping.dmp

Download
memory/4144-1480-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads