Analysis

  • max time kernel: 150s
  • max time network: 154s
  • platform: windows7_x64
  • resource: win7-20220812-en
  • resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted: 27/11/2022, 05:34

General

  • Target: QQĦ¥ܼv22.4/qqĦ¥ܼҸv22.4.exe
  • Size: 1.6MB
  • MD5: 5948681981b28b91e2f6f8f1b8ca9629
  • SHA1: 2941b432bdd5fb18014c708bc929befbca9420c8
  • SHA256: 27e82e15d5a6911c6011eb91544bde282c13920cf79570569dde5f8f82e8d8f5
  • SHA512: 1e78e7ae17b76b812261f2ea744d27fc6925ffccb8016896e83aed9883f8936cef87542ce671981452b08b86bdb25149f98a0ca4dcdaf6224c3c6e05739e082e
  • SSDEEP: 24576:hRlGmKeaF18N8S/kFv8WRYEFOpmSXjDlGHsPNAMMxuOSUF4Up6dGx42EvGo78v5:fDKeGidQEPASPEHeIpX6dGfCGi4

Score: 5/10

Malware Config

Signatures

  • Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QQĦ¥ܼv22.4\qqĦ¥ܼҸv22.4.exe
    "C:\Users\Admin\AppData\Local\Temp\QQĦ¥ܼv22.4\qqĦ¥ܼҸv22.4.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://123.51pc114.cn/setup/QQMTDL1.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1168 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:692

Network


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 340B
    MD5: 36dbb58e7b7c81a5d686bd8fb5bcd479
    SHA1: 37796abe1526f915382551d953f12a338f4100d9
    SHA256: d6822adf2d5ff090c18d9d06f4847fe9d8fc05a21978ab681d3daa18733d13e3
    SHA512: c86b221e6227b5adeea229b979d3a0cba93092fc566c705d6436a3bfb48a410fd32387512c130490fdb010fa924dfc42892e02f1df0b285319df069c56dc0cda

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat
    Filesize: 70KB
    MD5: e541eae66fe599b75bcfac39eb569bd8
    SHA1: 60d1fc682302201063261b1fee682813a7252715
    SHA256: c3bc6116c96b468d16089364c76f4a4e7ed759c7c1afaf77eca60ad9e6265169
    SHA512: 2bdcec779cd129ba1b32002fe9b983badd8bb43e540077019670ab156d254e49e015af1706991e0a2d66eac9a545f1ad65700b9ecf849b6b9cc2e3a3436732af

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2R49P5JD.txt
    Filesize: 603B
    MD5: 928e1564975405485a85833540fe9c3a
    SHA1: 5564a203da740409f54dcef03c0c635b16437146
    SHA256: 3ceaf0bdc5f28d02657f9e5f94c5720eea6e2c89f5802a94d4216afd79db06cf
    SHA512: f94d348aa24b96d930604bba6136bf4e0b76935c60174b97e6eaacbcb910d7188915673859b47c78b2d1d882e2a2c03175c2c6f9a6d6588c9ff0e55671efe1a9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4LDW4PKN.txt
    Filesize: 109B
    MD5: 3cfedc0c821975540cd5d35bd8dd6130
    SHA1: 5cc19ceaeef95e431b5a0d82021dfb5e8507077c
    SHA256: d13f245f3953ff7d2807a6f755d14345c20bc0fb34863615a4a76bb1e67514bd
    SHA512: b41b9533571d1e9f2b3c76b74d63884a3a3f3406b02a4d9036dc013e4f2701e4aabd4e64e3d94d33359e673353f07cf5a1bb2a9d34e6698a78c3e1c25dbfcc54
