Overview

Score summary (per task, as shown in the report header; sample names are truncated there):
  Static                                      8
  qqjiahaoyo...PI.dll    windows7-x64         6
  qqjiahaoyo...PI.dll    windows10-2004-x64   6
  qqjiahaoyo...��.url    windows7-x64         1
  qqjiahaoyo...��.url    windows10-2004-x64   1
  qqjiahaoyo....2.exe    windows7-x64         8
  qqjiahaoyo....2.exe    windows10-2004-x64   8
  qqjiahaoyo...��.url    windows7-x64         1
  qqjiahaoyo...��.url    windows10-2004-x64   1

Analysis
  max time kernel:   44s
  max time network:  49s
  platform:          windows7_x64
  resource:          win7-20220812-en
  resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:         25-11-2022 22:09
Static task
  static1

Behavioral tasks (sample names as submitted; English glosses of the Chinese names in parentheses)
  behavioral1  qqjiahaoyou-v2.2/CrackCaptchaAPI.dll                                            win7-20220812-en
  behavioral2  qqjiahaoyou-v2.2/CrackCaptchaAPI.dll                                            win10v2004-20220901-en
  behavioral3  qqjiahaoyou-v2.2/去脚本之家看看.url  ("Go take a look at Script Home")             win7-20220901-en
  behavioral4  qqjiahaoyou-v2.2/去脚本之家看看.url                                                win10v2004-20220901-en
  behavioral5  qqjiahaoyou-v2.2/嗨星QQ批量加好友工具2.2.exe  ("HiStar QQ bulk friend-adding tool 2.2")  win7-20221111-en
  behavioral6  qqjiahaoyou-v2.2/嗨星QQ批量加好友工具2.2.exe                                         win10v2004-20221111-en
  behavioral7  qqjiahaoyou-v2.2/服务器软件.url  ("Server software")                              win7-20221111-en
  behavioral8  qqjiahaoyou-v2.2/服务器软件.url                                                    win10v2004-20221111-en
General
  Target:  qqjiahaoyou-v2.2/CrackCaptchaAPI.dll
  Size:    1.3MB
  MD5:     9a4965011a94705227f62df0776f2ab6
  SHA1:    fe91972e1c993731cdacc7429c4f4760672adcf7
  SHA256:  a9ea79e9c5017616ca9085351ef166f35882ad5a201b92c4839ffdf1169e4113
  SHA512:  e74bc303d99a2151dd00b8f4da0aabd70b37fe46a74702034a5a0ab3da7cad9ad0b7d69b960a10d0876ad5b660e1b868c8956e8d05321f7120f480baee34378a
  SSDEEP:  24576:ll7VKWLgjBTGxuQi0aqj45fnNVWhb0yX6i2JHoBTURfymDdTELFI:lwmX4N2hbYiPTUQmJTa
Malware Config
Signatures

Writes to the Master Boot Record (MBR)    1 TTP, 1 IoC
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  The IoC here is a handle to the raw disk device opened for modification by the 32-bit
  rundll32.exe hosting CrackCaptchaAPI.dll. The report records the open, not the bytes written,
  and the same process crashed shortly afterwards (see "Program crash" below), so read this as an
  attempted MBR overwrite unless the disk image from the run is inspected.
  description                     ioc                    process
  File opened for modification    \??\PhysicalDrive0     rundll32.exe

Program crash    1 IoC
  pid    pid_target    process         target process
  612    932           WerFault.exe    rundll32.exe

Suspicious use of WriteProcessMemory    11 IoCs
  All eleven hits follow the process tree: the 64-bit rundll32.exe (PID 976) writes into the
  32-bit rundll32.exe it spawns (PID 932, 7 hits), and PID 932 writes into the WerFault.exe
  launched when it crashes (PID 612, 4 hits). A parent writing into a child it has just created
  is expected during process creation and crash reporting, so these rows on their own are not
  evidence of injection into an unrelated process.
  description           pid    process         target pid    target process    count
  wrote to memory of    976    rundll32.exe    932           rundll32.exe      7
  wrote to memory of    932    rundll32.exe    612           WerFault.exe      4
Processes (PIDs taken from the signature tables)
  C:\Windows\system32\rundll32.exe  (PID 976)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\qqjiahaoyou-v2.2\CrackCaptchaAPI.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID 932)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\qqjiahaoyou-v2.2\CrackCaptchaAPI.dll,#1
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe  (PID 612)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 240
        - Program crash
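The signature tables and process tree above, turned into a small triage script. This is an added example, not part of the sandbox report or of the tool that produced it; the IoC rows and the tree are re-typed from this page as constructed input, and every function and variable name below is this example's own. It flags handle opens on raw disk devices (where the MBR lives), splits the WriteProcessMemory hits into "writer is the target's parent" (what process creation and the WerFault hand-off look like in an API trace) versus writes into unrelated processes, and recovers the crashed PID from WerFault's -p argument.

```python
"""Triage helper for a sandbox signature table (added example, not the report's own code)."""
import re
from collections import Counter

# IoC row from the "Writes to the MBR" table: (description, ioc, process). Constructed input.
MBR_IOCS = [
    ("File opened for modification", r"\??\PhysicalDrive0", "rundll32.exe"),
]

# The 11 rows of the "Suspicious use of WriteProcessMemory" table, as printed. Constructed input.
WPM_IOCS = (
    "PID 976 wrote to memory of 932 976 rundll32.exe rundll32.exe\n" * 7
    + "PID 932 wrote to memory of 612 932 rundll32.exe WerFault.exe\n" * 4
)

# Process tree from the report: (pid, parent pid, image, command line).
# Nesting comes from the tree; PIDs from the signature tables (976 -> 932 -> 612).
PROCESS_TREE = [
    (976, None, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\qqjiahaoyou-v2.2\CrackCaptchaAPI.dll,#1"),
    (932, 976, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\qqjiahaoyou-v2.2\CrackCaptchaAPI.dll,#1"),
    (612, 932, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 240"),
]

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
# \??\PhysicalDriveN (NT path, as the sandbox prints it) or \\.\PhysicalDriveN (Win32 path).
RAW_DISK_RE = re.compile(r"^\\(?:\?\?|\\\.)\\PhysicalDrive\d+$", re.IGNORECASE)
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")


def is_raw_disk_device(path):
    """True when a handle path names a whole physical disk rather than a file."""
    return bool(RAW_DISK_RE.match(path))


def parse_wpm(text):
    """Return (writer_pid, target_pid, writer_image, target_image) for each IoC row."""
    rows = []
    for line in text.splitlines():
        m = WPM_RE.search(line)
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def classify_wpm(rows, tree):
    """Bucket WriteProcessMemory hits by (writer, target) pair.

    A parent writing into its own direct child is what CreateProcess set-up and a
    crashing process handing off to WerFault look like in an API trace, so those
    land in 'spawn_related'. Writes into any other process land in 'cross_process'
    and deserve a closer look (the classic injection pattern).
    """
    parent_of = {pid: ppid for pid, ppid, _, _ in tree}
    counts = Counter((w, t) for w, t, _, _ in rows)
    buckets = {"spawn_related": {}, "cross_process": {}}
    for (w, t), n in counts.items():
        key = "spawn_related" if parent_of.get(t) == w else "cross_process"
        buckets[key][(w, t)] = n
    return buckets


def crashed_pids(tree):
    """PIDs named by WerFault.exe's -p argument, i.e. the processes that crashed."""
    pids = []
    for _, _, image, cmdline in tree:
        if image.lower().endswith("werfault.exe"):
            m = WERFAULT_PID_RE.search(cmdline)
            if m:
                pids.append(int(m.group(1)))
    return pids


def triage(mbr_iocs, wpm_text, tree):
    """Combine the three checks into one verdict dict."""
    wpm = classify_wpm(parse_wpm(wpm_text), tree)
    return {
        "raw_disk_open_for_write": [(proc, path) for _, path, proc in mbr_iocs
                                    if is_raw_disk_device(path)],
        "spawn_related_writes": wpm["spawn_related"],
        "cross_process_writes": wpm["cross_process"],
        "crashed_pids": crashed_pids(tree),
    }


if __name__ == "__main__":
    for key, value in triage(MBR_IOCS, WPM_IOCS, PROCESS_TREE).items():
        print(f"{key}: {value}")
```

On this report the script puts all eleven writes in the spawn-related bucket and leaves the cross-process bucket empty; the raw-disk open by rundll32.exe and the crash of PID 932 (the process that opened it) are the two findings worth carrying forward. A write into a PID that is not the writer's direct child in the tree would appear under cross_process_writes.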