Overview

overview

9

Static

static

9

Usp10.dll

windows7-x64

1

Usp10.dll

windows10-2004-x64

1

qqmsgsee.exe

windows7-x64

8

qqmsgsee.exe

windows10-2004-x64

8

使用必读.url

windows7-x64

1

使用必读.url

windows10-2004-x64

1

华彩软件站.url

windows7-x64

1

华彩软件站.url

windows10-2004-x64

1

Analysis

  • max time kernel
    142s
  • max time network
    17s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 22:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    qqmsgsee.exe

  • Size

    232KB

  • MD5

    d7d5a8136962ee21e14fa33f127064da

  • SHA1

    f97737161502842fa07add7b89be3b34271df3c3

  • SHA256

    2045a435826ab52f8f80b9d1de96c6be728971cbdc2dd601864d358a6977c92f

  • SHA512

    da0cade98fae9ef332ebec7b51b513b73402da1e4ed5ba3b1d7078caa957d9bf66da3ca9e865e54102aed546f5948ffad8bae87c4abb19363df97f8d4eb26a2b

  • SSDEEP

    3072:AMdgD6dbNFko1ayFCpEZWCfEgl+D7t5VOcoF/7UbNVLPLcqcoMaUfdqMwuW0Gc3I:Jdge1NFVH0pwpMfN5V7bzooMkMwHc0U

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of FindShellTrayWindow 14 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\qqmsgsee.exe
    "C:\Users\Admin\AppData\Local\Temp\qqmsgsee.exe"
    1⤵
    • Checks computer location settings
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\SysWOW64\winvrtd.exe
      "C:\Windows\system32\winvrtd.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of FindShellTrayWindow
      PID:4224

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\winvrtd.exe
    Filesize

    128KB

    MD5

    b4e8d5954975ae43cbf09bf0d7992683

    SHA1

    c530cfaf2d82d3cc1839e8dbca40148b276fad79

    SHA256

    5bb33f70e6dd09970031cfadbce415345f0ce77ea78c030376f8d54d8d5c8142

    SHA512

    0da4996cd7d22517f9ba265ece55f802f651b43cbfd17f878365a794d991574dc24b7361c22c8886eac135d86663296812d7fcb9ed2650f44a63339010775810

    Download Submit

  • C:\Windows\SysWOW64\winvrtd.exe
    Filesize

    128KB

    MD5

    b4e8d5954975ae43cbf09bf0d7992683

    SHA1

    c530cfaf2d82d3cc1839e8dbca40148b276fad79

    SHA256

    5bb33f70e6dd09970031cfadbce415345f0ce77ea78c030376f8d54d8d5c8142

    SHA512

    0da4996cd7d22517f9ba265ece55f802f651b43cbfd17f878365a794d991574dc24b7361c22c8886eac135d86663296812d7fcb9ed2650f44a63339010775810

    Download Submit

  • memory/2064-135-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2064-132-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2064-136-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2064-137-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2064-138-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2064-134-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2064-133-0x0000000000A40000-0x0000000000A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2064-142-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/2064-143-0x0000000000A40000-0x0000000000A7E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2064-144-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/4224-139-0x0000000000000000-mapping.dmp

    Download