8d0af1a18fa64f8fc8ed93b285774b9abf78b0ba53cd19ea8db36537d35d71d4

Analysis

max time kernel
73s
max time network
134s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24/11/2022, 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QQõСܼҸv21.3.exe
Size

2.0MB
MD5

75aad66b86b68542107ec5c9aa5704eb
SHA1

a9c48fec3ae3f32a97b03754b4973d13b0ad92a8
SHA256

6b51d1f8b2c246dc1320f8541bb4394d627bb165b72a50a0a3425d7878bbe5b2
SHA512

e2a8d5ee59c8b9ba30d0236b88d59abf3519edc65d4e093e2f0c32c78962bcd1a42ac5e7b3eb5ade49978c9ed0444deab8f7bac2760261288e9d54158faff96f
SSDEEP

49152:A6jkHrZmyBsGRa70B9vNhYX8ntZUdHA2Bh/IjiohyGR/0Y/c1:j2rZtUQXvNh+7g2Bhwj9hn/0Mc

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
1632	QQõСܼҸv21.3.exe
1632	QQõСܼҸv21.3.exe
1632	QQõСܼҸv21.3.exe
1632	QQõСܼҸv21.3.exe
1632	QQõСܼҸv21.3.exe
1632	QQõСܼҸv21.3.exe
1632	QQõСܼҸv21.3.exe
1632	QQõСܼҸv21.3.exe
1632	QQõСܼҸv21.3.exe
1632	QQõСܼҸv21.3.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	QQõСܼҸv21.3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\51pc114.cn	QQõСܼҸv21.3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	QQõСܼҸv21.3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	QQõСܼҸv21.3.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\ad.51pc114.cn	QQõСܼҸv21.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\51pc114.cn\NumberOfSubdomains = "1"	QQõСܼҸv21.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	QQõСܼҸv21.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\ad.51pc114.cn\ = "63"	QQõСܼҸv21.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\51pc114.cn\Total = "63"	QQõСܼҸv21.3.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	QQõСܼҸv21.3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	QQõСܼҸv21.3.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1632	QQõСܼҸv21.3.exe
1632	QQõСܼҸv21.3.exe
1632	QQõСܼҸv21.3.exe
1632	QQõСܼҸv21.3.exe
1632	QQõСܼҸv21.3.exe

C:\Users\Admin\AppData\Local\Temp\QQõСܼҸv21.3.exe
"C:\Users\Admin\AppData\Local\Temp\QQõСܼҸv21.3.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1632-56-0x0000000075860000-0x00000000758A7000-memory.dmp

Filesize
284KB

Download
memory/1632-465-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-464-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-463-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-462-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-466-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-468-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download
memory/1632-467-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-469-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-470-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-471-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-472-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-474-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-475-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-473-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-479-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-478-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-477-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-482-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-485-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-484-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-483-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-481-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-480-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-476-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-486-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-488-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-487-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-491-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-495-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-496-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-494-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-502-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-501-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-524-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-523-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-522-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-521-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-520-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-519-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-518-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-517-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-516-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-515-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-514-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-513-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-512-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-511-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-510-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-509-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-508-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-507-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-506-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-505-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-504-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-503-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-500-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-499-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-498-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-497-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-492-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-493-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-489-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-490-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-1527-0x0000000002200000-0x0000000002300000-memory.dmp

Filesize
1024KB

Download
memory/1632-1529-0x0000000002410000-0x0000000002591000-memory.dmp

Filesize
1.5MB

Download
memory/1632-4616-0x0000000002200000-0x0000000002300000-memory.dmp

Filesize
1024KB

Download
memory/1632-4617-0x00000000026C0000-0x00000000027D1000-memory.dmp

Filesize
1.1MB

Download
memory/1632-4618-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download
memory/1632-4619-0x00000000025A0000-0x00000000026A1000-memory.dmp

Filesize
1.0MB

Download
memory/1632-4621-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download
memory/1632-4622-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads