bf3e625cea6df8fe761117434aba0f11fc987446e4998c55831f9558a8ca5203

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf3e625cea6df8fe761117434aba0f11fc987446e4998c55831f9558a8ca5203.exe
Size

177KB
MD5

2e8abba82d88e88eb2620dfac27f3287
SHA1

1813e14adcc686b4b68009fc592472cc3343bf40
SHA256

bf3e625cea6df8fe761117434aba0f11fc987446e4998c55831f9558a8ca5203
SHA512

a38e90a63b06eda1e56f4a9190ebf78a08644b9f6d162f973c58efd973d89165feee55f8cc1d20677e92175fee5cc08b3833d784d9644d5230d78cc75d04b13c
SSDEEP

3072:cwb6BmPH+Wjh7bGzzeRF0rcOXDwOV9lNMpOTwu+hC8/aLJv2pgncbJ:cutvbtSeR8cOXPVSpOTAB/EuKcN

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1728-132-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral2/memory/1728-133-0x0000000000400000-0x0000000000479000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	bf3e625cea6df8fe761117434aba0f11fc987446e4998c55831f9558a8ca5203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QQShow = "C:\\Program Files\\Tencent\\QQView\\QQShow.exe"	bf3e625cea6df8fe761117434aba0f11fc987446e4998c55831f9558a8ca5203.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Tencent\QQView\QQShow.exe	bf3e625cea6df8fe761117434aba0f11fc987446e4998c55831f9558a8ca5203.exe
File created	C:\Program Files\Tencent\QQView\QQShow.exe	bf3e625cea6df8fe761117434aba0f11fc987446e4998c55831f9558a8ca5203.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1728	bf3e625cea6df8fe761117434aba0f11fc987446e4998c55831f9558a8ca5203.exe
1728	bf3e625cea6df8fe761117434aba0f11fc987446e4998c55831f9558a8ca5203.exe

C:\Users\Admin\AppData\Local\Temp\bf3e625cea6df8fe761117434aba0f11fc987446e4998c55831f9558a8ca5203.exe
"C:\Users\Admin\AppData\Local\Temp\bf3e625cea6df8fe761117434aba0f11fc987446e4998c55831f9558a8ca5203.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1728-132-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1728-133-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download