b76b4b8eb90d967e0b7299c7773850a8f2edd64d13ec924ba0966aad1e6b2ddf

Analysis

max time kernel
145s
max time network
213s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b76b4b8eb90d967e0b7299c7773850a8f2edd64d13ec924ba0966aad1e6b2ddf.dll
Size

222KB
MD5

bf5c56128c20c9b250e3ccf5cc14171a
SHA1

29ac1a43682ea5347b8e6ef7a24427c494f77b78
SHA256

b76b4b8eb90d967e0b7299c7773850a8f2edd64d13ec924ba0966aad1e6b2ddf
SHA512

66d836eb065a81fdb96d73d59a64709082dd026a93bb875a9e6beee327d8ccb89d292231e860e56cf721a34b55974dfc06d63999ae582de89330671a0333bed5
SSDEEP

3072:EXvXq7YTc//////GqBzPtgXDXvRTVki1ZNXy2Zq:mqsTc//////VWtVki1/CT

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1740	inc2f.BBC
580	QQimp3.exe

Loads dropped DLL 5 IoCs

pid	Process
1068	rundll32.exe
1068	rundll32.exe
1740	inc2f.BBC
1740	inc2f.BBC
580	QQimp3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\admin.obj	QQimp3.exe
File opened for modification	\??\c:\program files\google\chrome\application\89.0.4389.114\installer\ws2help.dll	QQimp3.exe
File created	\??\c:\program files (x86)\common files\adobe air\versions\1.0\ws2help.dll	rundll32.exe
File created	C:\Program Files (x86)\Common Files\System\QQimp3.exebnb	inc2f.BBC
File opened for modification	C:\Program Files (x86)\Common Files\System\QQimp3.exe	inc2f.BBC
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\office14\office setup controller\ws2help.dll	QQimp3.exe
File opened for modification	\??\c:\program files (x86)\common files\adobe air\versions\1.0\ws2help.dll	rundll32.exe
File created	\??\c:\program files\google\chrome\application\89.0.4389.114\installer\ws2help.dll	rundll32.exe
File opened for modification	\??\c:\program files (x86)\common files\adobe air\versions\1.0\ws2help.dll	QQimp3.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\office14\office setup controller\ws2help.dll	rundll32.exe
File created	C:\Program Files (x86)\Common Files\System\htrn_jis.tmp	QQimp3.exe
File created	C:\Program Files (x86)\Common Files\System\htrn_jis.dll	QQimp3.exe
File opened for modification	\??\c:\program files\google\chrome\application\89.0.4389.114\installer\ws2help.dll	rundll32.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\office14\office setup controller\ws2help.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	QQimp3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	QQimp3.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1448	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	inc2f.BBC
Token: SeDebugPrivilege	580	QQimp3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1740	inc2f.BBC

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1068	2020	rundll32.exe	28
PID 2020 wrote to memory of 1068	2020	rundll32.exe	28
PID 2020 wrote to memory of 1068	2020	rundll32.exe	28
PID 2020 wrote to memory of 1068	2020	rundll32.exe	28
PID 2020 wrote to memory of 1068	2020	rundll32.exe	28
PID 2020 wrote to memory of 1068	2020	rundll32.exe	28
PID 2020 wrote to memory of 1068	2020	rundll32.exe	28
PID 1068 wrote to memory of 1740	1068	rundll32.exe	29
PID 1068 wrote to memory of 1740	1068	rundll32.exe	29
PID 1068 wrote to memory of 1740	1068	rundll32.exe	29
PID 1068 wrote to memory of 1740	1068	rundll32.exe	29
PID 1740 wrote to memory of 580	1740	inc2f.BBC	30
PID 1740 wrote to memory of 580	1740	inc2f.BBC	30
PID 1740 wrote to memory of 580	1740	inc2f.BBC	30
PID 1740 wrote to memory of 580	1740	inc2f.BBC	30
PID 1740 wrote to memory of 1276	1740	inc2f.BBC	31
PID 1740 wrote to memory of 1276	1740	inc2f.BBC	31
PID 1740 wrote to memory of 1276	1740	inc2f.BBC	31
PID 1740 wrote to memory of 1276	1740	inc2f.BBC	31
PID 1276 wrote to memory of 1244	1276	cmd.exe	33
PID 1276 wrote to memory of 1244	1276	cmd.exe	33
PID 1276 wrote to memory of 1244	1276	cmd.exe	33
PID 1276 wrote to memory of 1244	1276	cmd.exe	33
PID 1740 wrote to memory of 792	1740	inc2f.BBC	34
PID 1740 wrote to memory of 792	1740	inc2f.BBC	34
PID 1740 wrote to memory of 792	1740	inc2f.BBC	34
PID 1740 wrote to memory of 792	1740	inc2f.BBC	34
PID 792 wrote to memory of 1448	792	cmd.exe	36
PID 792 wrote to memory of 1448	792	cmd.exe	36
PID 792 wrote to memory of 1448	792	cmd.exe	36
PID 792 wrote to memory of 1448	792	cmd.exe	36

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b76b4b8eb90d967e0b7299c7773850a8f2edd64d13ec924ba0966aad1e6b2ddf.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b76b4b8eb90d967e0b7299c7773850a8f2edd64d13ec924ba0966aad1e6b2ddf.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Users\Admin\AppData\Local\Temp\inc2f.BBC
    inc2f.BBC
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Program Files (x86)\Common Files\System\QQimp3.exe
      "C:\Program Files (x86)\Common Files\System\QQimp3.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:580
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c erase /A:RHSA "C:\Users\Admin\AppData\Local\Temp\inc2f.BBC"&cmd /c del "C:\Users\Admin\AppData\Local\Temp\inc2f.BBC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c del "C:\Users\Admin\AppData\Local\Temp\inc2f.BBC"
        5⤵
        
        PID:1244
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ping -n 2 127.0.0.1>nul&del /F /Q /A : RSAH "C:\Users\Admin\AppData\Local\Temp\inc2f.BBC"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:792
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\System\QQimp3.exe

Filesize
207KB

MD5
15f6df7ca649578efb4c4410678e0bb8

SHA1
16fd9761f19019c493cabb95a6007610f2c6e106

SHA256
aeca3d0a31a25d5cab8e0aaa72aa0f8d8cc7560132dc0090bcde43b31647d3b3

SHA512
474aa52e6abd3122735bd4fff58ff5a80cba889a6106254105b846d392fa80cc22c9c783d393c5e332f142aef273edd2a1dfbb457ba7b1e51285ba86953cd94d

Download Submit
C:\Program Files (x86)\Common Files\System\QQimp3.exe

Filesize
207KB

MD5
15f6df7ca649578efb4c4410678e0bb8

SHA1
16fd9761f19019c493cabb95a6007610f2c6e106

SHA256
aeca3d0a31a25d5cab8e0aaa72aa0f8d8cc7560132dc0090bcde43b31647d3b3

SHA512
474aa52e6abd3122735bd4fff58ff5a80cba889a6106254105b846d392fa80cc22c9c783d393c5e332f142aef273edd2a1dfbb457ba7b1e51285ba86953cd94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\inc2f.BBC

Filesize
207KB

MD5
15f6df7ca649578efb4c4410678e0bb8

SHA1
16fd9761f19019c493cabb95a6007610f2c6e106

SHA256
aeca3d0a31a25d5cab8e0aaa72aa0f8d8cc7560132dc0090bcde43b31647d3b3

SHA512
474aa52e6abd3122735bd4fff58ff5a80cba889a6106254105b846d392fa80cc22c9c783d393c5e332f142aef273edd2a1dfbb457ba7b1e51285ba86953cd94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\inc2f.BBC

Filesize
207KB

MD5
15f6df7ca649578efb4c4410678e0bb8

SHA1
16fd9761f19019c493cabb95a6007610f2c6e106

SHA256
aeca3d0a31a25d5cab8e0aaa72aa0f8d8cc7560132dc0090bcde43b31647d3b3

SHA512
474aa52e6abd3122735bd4fff58ff5a80cba889a6106254105b846d392fa80cc22c9c783d393c5e332f142aef273edd2a1dfbb457ba7b1e51285ba86953cd94d

Download Submit
\??\c:\program files (x86)\common files\adobe air\versions\1.0\ws2help.dll

Filesize
222KB

MD5
bf5c56128c20c9b250e3ccf5cc14171a

SHA1
29ac1a43682ea5347b8e6ef7a24427c494f77b78

SHA256
b76b4b8eb90d967e0b7299c7773850a8f2edd64d13ec924ba0966aad1e6b2ddf

SHA512
66d836eb065a81fdb96d73d59a64709082dd026a93bb875a9e6beee327d8ccb89d292231e860e56cf721a34b55974dfc06d63999ae582de89330671a0333bed5

Download Submit
\??\c:\program files (x86)\common files\microsoft shared\office14\office setup controller\ws2help.dll

Filesize
222KB

MD5
bf5c56128c20c9b250e3ccf5cc14171a

SHA1
29ac1a43682ea5347b8e6ef7a24427c494f77b78

SHA256
b76b4b8eb90d967e0b7299c7773850a8f2edd64d13ec924ba0966aad1e6b2ddf

SHA512
66d836eb065a81fdb96d73d59a64709082dd026a93bb875a9e6beee327d8ccb89d292231e860e56cf721a34b55974dfc06d63999ae582de89330671a0333bed5

Download Submit
\??\c:\program files\google\chrome\application\89.0.4389.114\installer\ws2help.dll

Filesize
222KB

MD5
bf5c56128c20c9b250e3ccf5cc14171a

SHA1
29ac1a43682ea5347b8e6ef7a24427c494f77b78

SHA256
b76b4b8eb90d967e0b7299c7773850a8f2edd64d13ec924ba0966aad1e6b2ddf

SHA512
66d836eb065a81fdb96d73d59a64709082dd026a93bb875a9e6beee327d8ccb89d292231e860e56cf721a34b55974dfc06d63999ae582de89330671a0333bed5

Download Submit
\??\c:\programdata\package cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\ws2help.dll

Filesize
222KB

MD5
bf5c56128c20c9b250e3ccf5cc14171a

SHA1
29ac1a43682ea5347b8e6ef7a24427c494f77b78

SHA256
b76b4b8eb90d967e0b7299c7773850a8f2edd64d13ec924ba0966aad1e6b2ddf

SHA512
66d836eb065a81fdb96d73d59a64709082dd026a93bb875a9e6beee327d8ccb89d292231e860e56cf721a34b55974dfc06d63999ae582de89330671a0333bed5

Download Submit
\??\c:\programdata\package cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\ws2help.dll

Filesize
222KB

MD5
bf5c56128c20c9b250e3ccf5cc14171a

SHA1
29ac1a43682ea5347b8e6ef7a24427c494f77b78

SHA256
b76b4b8eb90d967e0b7299c7773850a8f2edd64d13ec924ba0966aad1e6b2ddf

SHA512
66d836eb065a81fdb96d73d59a64709082dd026a93bb875a9e6beee327d8ccb89d292231e860e56cf721a34b55974dfc06d63999ae582de89330671a0333bed5

Download Submit
\??\c:\programdata\package cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\ws2help.dll

Filesize
222KB

MD5
bf5c56128c20c9b250e3ccf5cc14171a

SHA1
29ac1a43682ea5347b8e6ef7a24427c494f77b78

SHA256
b76b4b8eb90d967e0b7299c7773850a8f2edd64d13ec924ba0966aad1e6b2ddf

SHA512
66d836eb065a81fdb96d73d59a64709082dd026a93bb875a9e6beee327d8ccb89d292231e860e56cf721a34b55974dfc06d63999ae582de89330671a0333bed5

Download Submit
\??\c:\programdata\package cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\ws2help.dll

Filesize
222KB

MD5
bf5c56128c20c9b250e3ccf5cc14171a

SHA1
29ac1a43682ea5347b8e6ef7a24427c494f77b78

SHA256
b76b4b8eb90d967e0b7299c7773850a8f2edd64d13ec924ba0966aad1e6b2ddf

SHA512
66d836eb065a81fdb96d73d59a64709082dd026a93bb875a9e6beee327d8ccb89d292231e860e56cf721a34b55974dfc06d63999ae582de89330671a0333bed5

Download Submit
\??\c:\programdata\package cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\ws2help.dll

Filesize
222KB

MD5
bf5c56128c20c9b250e3ccf5cc14171a

SHA1
29ac1a43682ea5347b8e6ef7a24427c494f77b78

SHA256
b76b4b8eb90d967e0b7299c7773850a8f2edd64d13ec924ba0966aad1e6b2ddf

SHA512
66d836eb065a81fdb96d73d59a64709082dd026a93bb875a9e6beee327d8ccb89d292231e860e56cf721a34b55974dfc06d63999ae582de89330671a0333bed5

Download Submit
\??\c:\programdata\package cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\ws2help.dll

Filesize
222KB

MD5
bf5c56128c20c9b250e3ccf5cc14171a

SHA1
29ac1a43682ea5347b8e6ef7a24427c494f77b78

SHA256
b76b4b8eb90d967e0b7299c7773850a8f2edd64d13ec924ba0966aad1e6b2ddf

SHA512
66d836eb065a81fdb96d73d59a64709082dd026a93bb875a9e6beee327d8ccb89d292231e860e56cf721a34b55974dfc06d63999ae582de89330671a0333bed5

Download Submit
\Program Files (x86)\Common Files\System\QQimp3.exe

Filesize
207KB

MD5
15f6df7ca649578efb4c4410678e0bb8

SHA1
16fd9761f19019c493cabb95a6007610f2c6e106

SHA256
aeca3d0a31a25d5cab8e0aaa72aa0f8d8cc7560132dc0090bcde43b31647d3b3

SHA512
474aa52e6abd3122735bd4fff58ff5a80cba889a6106254105b846d392fa80cc22c9c783d393c5e332f142aef273edd2a1dfbb457ba7b1e51285ba86953cd94d

Download Submit
\Program Files (x86)\Common Files\System\QQimp3.exe

Filesize
207KB

MD5
15f6df7ca649578efb4c4410678e0bb8

SHA1
16fd9761f19019c493cabb95a6007610f2c6e106

SHA256
aeca3d0a31a25d5cab8e0aaa72aa0f8d8cc7560132dc0090bcde43b31647d3b3

SHA512
474aa52e6abd3122735bd4fff58ff5a80cba889a6106254105b846d392fa80cc22c9c783d393c5e332f142aef273edd2a1dfbb457ba7b1e51285ba86953cd94d

Download Submit
\Program Files (x86)\Common Files\System\admin.obj

Filesize
222KB

MD5
bf5c56128c20c9b250e3ccf5cc14171a

SHA1
29ac1a43682ea5347b8e6ef7a24427c494f77b78

SHA256
b76b4b8eb90d967e0b7299c7773850a8f2edd64d13ec924ba0966aad1e6b2ddf

SHA512
66d836eb065a81fdb96d73d59a64709082dd026a93bb875a9e6beee327d8ccb89d292231e860e56cf721a34b55974dfc06d63999ae582de89330671a0333bed5

Download Submit
\Users\Admin\AppData\Local\Temp\inc2f.BBC

Filesize
207KB

MD5
15f6df7ca649578efb4c4410678e0bb8

SHA1
16fd9761f19019c493cabb95a6007610f2c6e106

SHA256
aeca3d0a31a25d5cab8e0aaa72aa0f8d8cc7560132dc0090bcde43b31647d3b3

SHA512
474aa52e6abd3122735bd4fff58ff5a80cba889a6106254105b846d392fa80cc22c9c783d393c5e332f142aef273edd2a1dfbb457ba7b1e51285ba86953cd94d

Download Submit
\Users\Admin\AppData\Local\Temp\inc2f.BBC

Filesize
207KB

MD5
15f6df7ca649578efb4c4410678e0bb8

SHA1
16fd9761f19019c493cabb95a6007610f2c6e106

SHA256
aeca3d0a31a25d5cab8e0aaa72aa0f8d8cc7560132dc0090bcde43b31647d3b3

SHA512
474aa52e6abd3122735bd4fff58ff5a80cba889a6106254105b846d392fa80cc22c9c783d393c5e332f142aef273edd2a1dfbb457ba7b1e51285ba86953cd94d

Download Submit
memory/1068-55-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1740-61-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download