120550fcc0d7eaf24bfdac08615b1bdad4d79ea0fd2bc0dac7048d0beb3b3a7d

Analysis

max time kernel
87s
max time network
36s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 17:26

Target

QQȺӪ.exe
Size

81KB
MD5

72d8e2c1558a77e90a1274177b16a65c
SHA1

5c54277fa87e43596a58bb2b1fea23147e55b36f
SHA256

5cbb6f8f780c1169ee530f9f74b319ea40b22aac28c67ea9fcd7327f0de90b4e
SHA512

c7350797c3951d1d0c31c5a9d61744bd2da12fc0b478ff8196910814edbd2b0d42dd0f79ddf3ff4d77a948e72cb2a61e938e01c8e26953b275da343543da9f9a
SSDEEP

768:Vhttdb3QKIwlUar5RrbHjBGNfMT+Lde7yvGq:VbkK5lUar5RrbHjBGuKe7wD

Score

8^/10

vmprotect

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

Processes:

resource	yara_rule
behavioral25/memory/1992-59-0x0000000010000000-0x0000000010255000-memory.dmp	vmprotect
behavioral25/memory/1992-61-0x0000000010000000-0x0000000010255000-memory.dmp	vmprotect
behavioral25/memory/1992-63-0x0000000010000000-0x0000000010255000-memory.dmp	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

QQȺӪ.exeqq_post.exe

description	pid	process	target process
PID 1180 wrote to memory of 1992	1180	QQȺӪ.exe	qq_post.exe
PID 1180 wrote to memory of 1992	1180	QQȺӪ.exe	qq_post.exe
PID 1180 wrote to memory of 1992	1180	QQȺӪ.exe	qq_post.exe
PID 1180 wrote to memory of 1992	1180	QQȺӪ.exe	qq_post.exe
PID 1992 wrote to memory of 1228	1992	qq_post.exe	dw20.exe
PID 1992 wrote to memory of 1228	1992	qq_post.exe	dw20.exe
PID 1992 wrote to memory of 1228	1992	qq_post.exe	dw20.exe
PID 1992 wrote to memory of 1228	1992	qq_post.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\QQȺӪ.exe
"C:\Users\Admin\AppData\Local\Temp\QQȺӪ.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Local\Temp\qq_post.exe
  "C:\Users\Admin\AppData\Local\Temp\qq_post.exe" QQȺӪ.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 660
    3⤵
    PID:1228

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1180-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1180-55-0x00000000749C0000-0x0000000074F6B000-memory.dmp

Filesize
5.7MB

Download
memory/1180-58-0x00000000749C0000-0x0000000074F6B000-memory.dmp

Filesize
5.7MB

Download
memory/1228-65-0x0000000000000000-mapping.dmp

Download
memory/1992-56-0x0000000000000000-mapping.dmp

Download
memory/1992-59-0x0000000010000000-0x0000000010255000-memory.dmp

Filesize
2.3MB

Download
memory/1992-61-0x0000000010000000-0x0000000010255000-memory.dmp

Filesize
2.3MB

Download
memory/1992-62-0x00000000749C0000-0x0000000074F6B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-63-0x0000000010000000-0x0000000010255000-memory.dmp

Filesize
2.3MB

Download
memory/1992-64-0x00000000749C0000-0x0000000074F6B000-memory.dmp

Filesize
5.7MB

Download