Overview

overview

8

Static

static

qqjiahaoyo...PI.dll

windows7-x64

6

qqjiahaoyo...PI.dll

windows10-2004-x64

6

qqjiahaoyo...��.url

windows7-x64

1

qqjiahaoyo...��.url

windows10-2004-x64

1

qqjiahaoyo....2.exe

windows7-x64

8

qqjiahaoyo....2.exe

windows10-2004-x64

8

qqjiahaoyo...��.url

windows7-x64

1

qqjiahaoyo...��.url

windows10-2004-x64

1

Analysis

  • max time kernel
    178s
  • max time network
    184s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    qqjiahaoyou-v2.2/嗨星QQ批量加好友工具2.2.exe

  • Size

    3.6MB

  • MD5

    01a797fb3950fc40b793a2a930961b69

  • SHA1

    e4a7a06b513e61baf2a3dbf7c1fff3946c6663cc

  • SHA256

    82e9ea69607c60c051e492d1443474baa3d1a59d956b0cd6009a67b982258ca8

  • SHA512

    60bec9c1fac173a161e4b84b0f151adbe76e14f6cad45268676f4bf2f8149e5475aeef244ed9ad312aa7ba15ac007cbb79a7fd4a18c912980cc8ec472a6a30ec

  • SSDEEP

    49152:hDjeP+ApznKhqavgYjXOUzIeZwmX4N2hbYiPTUQmJTaId+s8KuqGaX0ToIBAUZL8:9jeP+ApznWI4XOiIGX4NuEmNJBAUZLO7

Score
8/10
bootkitpersistenceupx

Malware Config

Signatures

  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\qqjiahaoyou-v2.2\嗨星QQ批量加好友工具2.2.exe
    "C:\Users\Admin\AppData\Local\Temp\qqjiahaoyou-v2.2\嗨星QQ批量加好友工具2.2.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.12345ee.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1788 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8ebc6cc5225d1c5a798f28e5f4a08404

    SHA1

    dff95f38196dc96c5225f775ca034d645389ed89

    SHA256

    de6bf1473114d92f716c6b896fc763ec234f1a071f9d9a855dfe51c7eb8ff1b1

    SHA512

    ff2875ac08af51e18006b82bd02c4b13eeb3c65daa942db38ce6ae0b6c004645cf43d878c4ce0daa3273fa1c4fb77afe0c0aa165c1c98e0d9b700ea61b6b269f

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat
    Filesize

    9KB

    MD5

    243d83ff06212240ec27066c709367c4

    SHA1

    ab13b6e8f68ebf5d15b9be9af9d02b305507b0f9

    SHA256

    4dadd50890731dae9221fc6b861f61934cdeef1d9be20a1e4d34afc24644ed04

    SHA512

    8766c4971508e578786172e66d07165ccb990478423ec6f070d6982c21ea9d80e52b96cda35449420e69ce3c38477abffb2413b141f29ff6b73d3fe655048f8b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BX9OIZRB.txt
    Filesize

    601B

    MD5

    cdf903045145f64da8d129c6a9ce0254

    SHA1

    43d8ed501d5be0e681150c4fdff8114b1615f715

    SHA256

    1a52c2c69c02ec503a510b9d4bc00cfd8e68c4afa2e5b5f7d569786171bfaadc

    SHA512

    5dace0dae9c27defa0ff1dcaeb027c8a46bf5d109c3d6e6d99a4e8fadfb2650d6346ed8ce8b756b2d97f32022497c00f286c20df72390f61f7b5a1def63af8ab

    Download Submit
  • memory/1272-79-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-83-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-59-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-63-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-65-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-67-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-71-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-69-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-73-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-75-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-77-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-54-0x00000000764C1000-0x00000000764C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1272-81-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-61-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-85-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-87-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-91-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-89-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-93-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-95-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-97-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-98-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-57-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-56-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1272-55-0x0000000010000000-0x000000001003E000-memory.dmp
    Filesize

    248KB

    Download