Overview

overview

9

Static

static

腾讯会è...»¶.exe

windows7-x64

9

腾讯会è...»¶.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-12-2022 13:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    腾讯会议软件.exe

  • Size

    2.0MB

  • MD5

    5b9e8345fab7397985cd60729797abc6

  • SHA1

    21d8e0efd71f4f00e8138360e56e72dbf533890a

  • SHA256

    aacf9aa69f796273438327be6d804d20837272b331eb3b7689b431148a07c88d

  • SHA512

    c505609e8de8c29f78490833f34a355d41eb3a6057919aa7f23ab9ae7ac83cef3b64f0116bba0ca145dbb17b1c2c3b18546d31af2397b82260f4cf708a709f75

  • SSDEEP

    49152:R/BU6vSPotkoQsbJhPI2q056dN216k4xIURegVMw:R/BU6vSPotPQsbJhPI2qexFJEegVMw

Score
9/10
bootkitevasionpersistencetrojanupx

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\腾讯会议软件.exe
    "C:\Users\Admin\AppData\Local\Temp\腾讯会议软件.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Users\Admin\AppData\Local\Temp\kantivirus\InstallHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\kantivirus\InstallHelper.exe" -Pid:"876" -LogFileName:"C:\Users\Admin\AppData\Local\Temp\kantivirus\semPacketDllLog.log" -InstallPath:"C:\Users\Admin\AppData\Local\Temp\kantivirus" -Tid1:"10" -Tid2:"166" -Tod1:"508" -Tod2:"1" -IId:"209641155" -UUID:"251731C104CF8F95CFD378F84A615549" -TryNo:"1335" -SvrId:"2022.SP4.1" -StrategyList:"0->1" -Version:"2" -ProductInstalled:"0" -CompetitorMask:"0" -CompetitorInstalled:"0"
      2⤵
      • Executes dropped EXE
      PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\kantivirus\InstallHelper.exe
    Filesize

    409KB

    MD5

    39ce66cbf9cbf36472d3dec7332f0451

    SHA1

    625ab0e27ebf28b49627c156f8c4595c979adbed

    SHA256

    446ca743f9f5d6364bbb46f4dce62ab754878b593b285890edec1e501357c533

    SHA512

    00a3750b9c4b11bfb220db4123dc100d1b6f1fe1321ccaf3a825aa4b1918cd6039467cae5109a2a3eee77e59f30685c49e3bd7af8a26cb6358ce63e9de90a268

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\kantivirus\InstallHelper.exe
    Filesize

    409KB

    MD5

    39ce66cbf9cbf36472d3dec7332f0451

    SHA1

    625ab0e27ebf28b49627c156f8c4595c979adbed

    SHA256

    446ca743f9f5d6364bbb46f4dce62ab754878b593b285890edec1e501357c533

    SHA512

    00a3750b9c4b11bfb220db4123dc100d1b6f1fe1321ccaf3a825aa4b1918cd6039467cae5109a2a3eee77e59f30685c49e3bd7af8a26cb6358ce63e9de90a268

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll
    Filesize

    87.0MB

    MD5

    c397a0085bf97f3f2bf526b5c791cfdf

    SHA1

    0b9c663a318a4c06ad816f5afff9ae8831d50254

    SHA256

    f8fde5d1e78f100b60c8ce5ff8e6f49848452e30126b83d6bc65596cb594d3d6

    SHA512

    badd7791f2c6d34f392ef80ff17ace2852bb9deeb4649f811c5c8b4b4ff67a9ca396c7ec2176142c4724df0cb321732e9d9528765e3ef802b2ba6c8b9b552c00

    Download Submit
  • memory/876-133-0x0000000010000000-0x00000000103D1000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/876-134-0x0000000010000000-0x00000000103D1000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1132-135-0x0000000000000000-mapping.dmp
    Download