Analysis
max time kernel: 152s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 23-11-2022 15:45
Static task: static1
Behavioral task: behavioral1
  Sample: QQƱͼ_.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: QQƱͼ_.exe
  Resource: win10v2004-20220812-en
General
Target: QQƱͼ_.exe
Size: 1.2MB
MD5: 694ca266aaa0bcb3d75348e259346de6
SHA1: 9a8b50699d67f6fe56efad1da7b990c380782a7b
SHA256: f3317ddd5990fce70e4dd07790711e8daa14e72fbafbea0aa1171f5f330dbeeb
SHA512: 77a9f2ae86d3e4876a3c165d960580863f77b1f324519ae8200e4a9985faec138cafdcae4d30c874b64ec5a63c486cb5dcb93bd942a87886c3230b4e174c1952
SSDEEP: 24576:8mtOGTYtxBLLMBLvVJ3zzs337HOek5ThTYcxkGML5DVEVuPVMDP:8mvTYtxBynMO9Zh9kfFPeb
Malware Config

Signatures
Executes dropped EXE 2 IoCs
Processes (pid, process):
  4144 CCG0.exe
  3472 CCG1.exe
Drops file in System32 directory 1 IoCs
Processes (description, ioc, process):
  File created  C:\Windows\SysWOW64\black.txt  CCG1.exe
SysWOW64 is the 32-bit system directory of a 64-bit Windows install; writing there needs administrative rights, which the analysis user (Admin) has. The file survives the run, so the path is a usable host-based indicator; its contents are not captured in this report.
Suspicious use of NtSetInformationThreadHideFromDebugger 55 IoCs
Processes (pid, process):
  2672 QQƱͼ_.exe  (55 separate calls, all from the dropper; the original report lists each one as its own row)
NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) stops the kernel from delivering debug events for the calling thread, so a breakpoint or single-step exception in that thread never reaches an attached debugger and an unhandled int3 simply crashes the process. It is an anti-debugging measure, not a family-specific trait, and a debugger can detect it afterwards by calling NtQueryInformationThread with the same class, which returns TRUE for a hidden thread.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is a generic sandbox heuristic with no IoC rows behind it. Nothing else in the report supports ransomware (no mass file writes or renames, no ransom note), and in a sample that also hides its threads from the debugger and reads the BIOS manufacturer string, enumerating drives is equally consistent with checking the hardware for a virtual machine.
Enumerates system info in registry 2 TTPs 2 IoCs
Processes (description, ioc, process):
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     QQƱͼ_.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  QQƱͼ_.exe
SystemManufacturer holds the platform vendor string reported by the firmware; under a hypervisor it usually names the hypervisor vendor rather than a hardware OEM, which is why reading this one value is among the most common virtual-machine checks. Taken together with the 55 ThreadHideFromDebugger calls, the dropper fingerprints its environment before launching the payloads.
Modifies Internet Explorer settings 8 IoCs
Processes (description, ioc, process), all by CCG0.exe under the analysis user's hive:
  Key created      \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qq.com
  Set value (int)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qq.com\NumberOfSubdomains = "1"
  Key created      \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
  Key created      \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync
  Set value (int)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"
  Key created      \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\qq.com
  Key created      \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage
These are the keys the Internet Explorer rendering engine writes when a page it hosts uses DOM storage, so the qq.com entry indicates that CCG0.exe rendered qq.com content through an embedded browser control rather than that it tampered with the user's browser configuration. The Network section of this page carries no entries, so the request itself cannot be confirmed here.
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
  Token: SeDebugPrivilege  3472  CCG1.exe
SeDebugPrivilege can only be enabled because the analysis user is an administrator and the privilege is already present in the token. Enabling it is the usual prerequisite for opening processes owned by other users or the system, but no such OpenProcess or cross-process write by CCG1.exe is recorded in this report.
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (pid, process):
  4144 CCG0.exe  (4 calls)
The report does not record the hook type. A WH_KEYBOARD_LL hook would indicate keylogging, but WH_CALLWNDPROC and WH_GETMESSAGE hooks are also installed by ordinary GUI frameworks and browser controls, so these rows are not by themselves evidence of input capture.
Suspicious use of WriteProcessMemory 6 IoCs
Processes (description, pid, process, target process):
  PID 2672 wrote to memory of 4144  QQƱͼ_.exe -> CCG0.exe  (3 writes)
  PID 2672 wrote to memory of 3472  QQƱͼ_.exe -> CCG1.exe  (3 writes)
Three writes into each child immediately at creation, with both children started from their own dropped files on disk, is consistent with what CreateProcess itself does when it sets up a new process; the report shows no later writes into a process the dropper did not launch, so there is no evidence of code injection beyond ordinary process creation.
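The Signatures section above is a flat list of rows with no process tree or per-process view. The following Python is an added example, written for this page and not part of the sandbox's output or the sample: it parses the row formats shown in this section (pid/process rows, "File created", registry operations, "Token:", and "PID X wrote to memory of Y"), rebuilds the process tree from the WriteProcessMemory rows, and attaches the anti-analysis indicators to the process that produced them. The row data is copied from this report; the 55 identical HideFromDebugger rows and the two sets of three WriteProcessMemory rows are generated by repetition rather than typed out. The extra registry keys in VM_FINGERPRINT_KEYS beyond the BIOS key, and the rule that creation-time writes into a dropped child are not injection, are the example's own assumptions, not something the report states.

```python
import re
from collections import Counter, defaultdict

DROPPER = "QQƱͼ_.exe"  # sample name exactly as the sandbox printed it
SID = r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000"

# (signature, row) pairs copied from this report's Signatures section.
ROWS = [
    ("Executes dropped EXE", "4144 CCG0.exe"),
    ("Executes dropped EXE", "3472 CCG1.exe"),
    ("Drops file in System32 directory", r"File created C:\Windows\SysWOW64\black.txt CCG1.exe"),
    ("Enumerates system info in registry",
     rf"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS {DROPPER}"),
    ("Enumerates system info in registry",
     rf"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer {DROPPER}"),
    ("Modifies Internet Explorer settings",
     rf'Set value (int) {SID}\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\qq.com\NumberOfSubdomains = "1" CCG0.exe'),
    ("Modifies Internet Explorer settings",
     rf'Set value (str) {SID}\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" CCG0.exe'),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeDebugPrivilege 3472 CCG1.exe"),
]
ROWS += [("Suspicious use of NtSetInformationThreadHideFromDebugger", f"2672 {DROPPER}")] * 55
ROWS += [("Suspicious use of WriteProcessMemory", f"PID 2672 wrote to memory of 4144 2672 {DROPPER} CCG0.exe")] * 3
ROWS += [("Suspicious use of WriteProcessMemory", f"PID 2672 wrote to memory of 3472 2672 {DROPPER} CCG1.exe")] * 3

# Row grammars as they appear on the page. Registry paths may contain spaces
# ("Internet Explorer"), so the key is matched non-greedily up to the value/process.
PID_ROW = re.compile(r"^(\d+) (\S+)$")
WRITE_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")
TOKEN_ROW = re.compile(r"^Token: (\w+) (\d+) (\S+)$")
FILE_ROW = re.compile(r"^File created (\S+) (\S+)$")
REG_ROW = re.compile(r'^(Key opened|Key value queried|Key created|Set value \(\w+\)) (\\REGISTRY\\.*?)(?: = "[^"]*")? (\S+)$')

# Registry locations commonly read to detect a hypervisor. Only the BIOS key is
# in this report; the others are assumed additions for reuse on other reports.
VM_FINGERPRINT_KEYS = (
    r"\HARDWARE\DESCRIPTION\System\BIOS",
    r"\SYSTEM\CurrentControlSet\Services\Disk\Enum",
    r"\SOFTWARE\VMware, Inc.",
    r"\SOFTWARE\Oracle\VirtualBox Guest Additions",
)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


class Triage:
    def __init__(self):
        self.names = {}                      # pid -> image name
        self.children = defaultdict(set)     # parent pid -> child pids
        self.writes = Counter()              # (parent, child) -> WriteProcessMemory count
        self.dropped_execs = set()           # pids started from dropped files
        self.indicators = defaultdict(list)  # image name -> indicator strings
        self.unparsed = []                   # rows no grammar matched

    def note(self, proc, text):
        if text not in self.indicators[proc]:
            self.indicators[proc].append(text)


def build_triage(rows):
    t = Triage()
    hide_calls = Counter()
    for sig, row in rows:
        if m := WRITE_ROW.match(row):
            parent, child = int(m[1]), int(m[2])
            t.names[parent], t.names[child] = m[3], m[4]
            t.children[parent].add(child)
            t.writes[(parent, child)] += 1
        elif m := TOKEN_ROW.match(row):
            t.names[int(m[2])] = m[3]
            t.note(m[3], f"privilege: {m[1]}")
        elif m := FILE_ROW.match(row):
            if m[1].lower().startswith(SYSTEM_DIRS):
                t.note(m[2], f"drop into system directory: {m[1]}")
        elif m := REG_ROW.match(row):
            op, key, proc = m[1], m[2], m[3]
            if any(k.lower() in key.lower() for k in VM_FINGERPRINT_KEYS):
                t.note(proc, f"vm/hardware fingerprint: {op} {key}")
            elif "\\Internet Explorer\\" in key:
                t.note(proc, "writes Internet Explorer/browser-control state")
        elif m := PID_ROW.match(row):
            pid, proc = int(m[1]), m[2]
            t.names[pid] = proc
            if sig == "Executes dropped EXE":
                t.dropped_execs.add(pid)
            elif "HideFromDebugger" in sig:
                hide_calls[proc] += 1
        else:
            t.unparsed.append((sig, row))
    for proc, n in hide_calls.items():
        t.note(proc, f"anti-debug: NtSetInformationThread(ThreadHideFromDebugger) x{n}")
    # Assumption: writes into a child the parent launched from a dropped file are
    # the creation-time writes CreateProcess makes; anything else is worth a look.
    for (parent, child), n in t.writes.items():
        if child in t.dropped_execs:
            t.note(t.names[parent], f"spawned dropped {t.names[child]} (pid {child}, {n} creation-time writes)")
        else:
            t.note(t.names[parent], f"wrote into pid {child} it did not launch from a dropped file: possible injection")
    return t


def render(t):
    """Indented process tree with each process's indicators beneath it."""
    all_children = set().union(*t.children.values())
    lines = []

    def walk(pid, depth):
        name = t.names[pid]
        lines.append("  " * depth + f"{name} (pid {pid})")
        lines.extend("  " * depth + f"  - {ind}" for ind in t.indicators.get(name, []))
        for child in sorted(t.children.get(pid, ())):
            walk(child, depth + 1)

    for root in sorted(p for p in t.names if p not in all_children):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_triage(ROWS))))
```

Running it prints the dropper at the root with its VM-fingerprint and anti-debug indicators, and CCG0.exe and CCG1.exe beneath it with the browser-control, SeDebugPrivilege and SysWOW64 drop indicators; any row that does not match one of the grammars ends up in `unparsed`, which is the first thing to check when pointing the script at a different report.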
Processes
C:\Users\Admin\AppData\Local\Temp\QQƱͼ_.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\QQƱͼ_.exe"
  PID: 2672
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\CCG0.exe  (child of PID 2672)
    Command line: C:\Users\Admin\AppData\Local\Temp\CCG0.exe
    PID: 4144
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\CCG1.exe  (child of PID 2672)
    Command line: C:\Users\Admin\AppData\Local\Temp\CCG1.exe
    PID: 3472
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\CCG0.exe
  Filesize: 644KB
  MD5: 607b068b6455737865aed2871d19bc5c
  SHA1: 82fb760b3852988dbb8b31a198bcbfec9d4eb5f8
  SHA256: 83dfabff856f954323c12a4d4fa974b9e4fbd21547d6cd78bd1aca080ca10095
  SHA512: 6f65ab430f817a4a66a17ea5b996e1123c3df024db11ed4351a30d4282d64a4901d879ca12d187e6eabfdffe4fe6f5063adb98a0c77061314959038c8b3edeb8
C:\Users\Admin\AppData\Local\Temp\CCG1.exe
  Filesize: 16KB
  MD5: 1152bed8083e823b20c6500eb0d9adeb
  SHA1: 9a8fe6524878f3b454e86a12e8991a164b9bdff6
  SHA256: 69c4107f9a5b88799df07062cd3c863016d32512d7793506404a28a73da09792
  SHA512: 5bf8a330bdb1789ffeed2858d1055439ff1f8c88b9711123fc08549871f18c69c71fa655f2c79fb6c27b68b86f9694d9fc4418156c454eae2201713e7e8eb1db
Memory dumps (file, size), in event order:
  memory/2672-132-0x0000000077520000-0x00000000776C3000-memory.dmp   1.6MB
  memory/2672-133-0x0000000000400000-0x000000000052E000-memory.dmp   1.2MB
  memory/2672-134-0x0000000076390000-0x00000000765A5000-memory.dmp   2.1MB
  memory/2672-136-0x00000000766F0000-0x0000000076890000-memory.dmp   1.6MB
  memory/2672-137-0x0000000075AF0000-0x0000000075B6A000-memory.dmp   488KB
  memory/2672-1479-0x00000000024B0000-0x00000000025B0000-memory.dmp  1024KB
  memory/2672-1486-0x0000000000400000-0x000000000052E000-memory.dmp  1.2MB
  memory/2672-1487-0x00000000024B0000-0x00000000025B0000-memory.dmp  1024KB
  memory/2672-1488-0x0000000000400000-0x000000000052E000-memory.dmp  1.2MB
  memory/3472-1483-0x0000000000000000-mapping.dmp
  memory/4144-1480-0x0000000000000000-mapping.dmp
The 0x00400000-0x0052E000 region of PID 2672 is 1.2MB, the same as the sample on disk, and was dumped early in the run (event 133) and again near its end (events 1486 and 1488); diffing those copies shows whether the dropper modified its own image in place. The 1024KB private region at 0x024B0000 was also dumped twice late in the run. The two mapping.dmp entries are the child processes' module maps, not memory contents.