116e6b40f5c10fa0174cbcbc8a58505d29e502ffcd00dd5f03f2182063c87ce5

Analysis

max time kernel
141s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
23/09/2023, 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

116e6b40f5c10fa0174cbcbc8a58505d29e502ffcd00dd5f03f2182063c87ce5.exe
Size

198KB
MD5

f4aa487da03965096513881769e50a6b
SHA1

55eed4964379c44e74cd6d93267bd61a3cab40fe
SHA256

116e6b40f5c10fa0174cbcbc8a58505d29e502ffcd00dd5f03f2182063c87ce5
SHA512

b30b91efc8f31c2ff7f39fdfba3064ec7f9c0fd86961f54147585722760d8e1ca247166bdfacf56bc4f1cc7763376316d15170b64eb9036093caeefbbebed4bf
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCO+:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXz

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2268	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1404	qqwhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\qqwhost.exe	116e6b40f5c10fa0174cbcbc8a58505d29e502ffcd00dd5f03f2182063c87ce5.exe
File opened for modification	C:\Windows\Debug\qqwhost.exe	116e6b40f5c10fa0174cbcbc8a58505d29e502ffcd00dd5f03f2182063c87ce5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	qqwhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	qqwhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1412	116e6b40f5c10fa0174cbcbc8a58505d29e502ffcd00dd5f03f2182063c87ce5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 2268	1412	116e6b40f5c10fa0174cbcbc8a58505d29e502ffcd00dd5f03f2182063c87ce5.exe	29
PID 1412 wrote to memory of 2268	1412	116e6b40f5c10fa0174cbcbc8a58505d29e502ffcd00dd5f03f2182063c87ce5.exe	29
PID 1412 wrote to memory of 2268	1412	116e6b40f5c10fa0174cbcbc8a58505d29e502ffcd00dd5f03f2182063c87ce5.exe	29
PID 1412 wrote to memory of 2268	1412	116e6b40f5c10fa0174cbcbc8a58505d29e502ffcd00dd5f03f2182063c87ce5.exe	29

C:\Users\Admin\AppData\Local\Temp\116e6b40f5c10fa0174cbcbc8a58505d29e502ffcd00dd5f03f2182063c87ce5.exe
"C:\Users\Admin\AppData\Local\Temp\116e6b40f5c10fa0174cbcbc8a58505d29e502ffcd00dd5f03f2182063c87ce5.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\116E6B~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2268

C:\Windows\Debug\qqwhost.exe
C:\Windows\Debug\qqwhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\qqwhost.exe

Filesize
198KB

MD5
8bf30471861e53c7af8939986ca287b0

SHA1
d16f6a340471a851098829ed15038f0fdb182ca2

SHA256
53946e140f6b7cb89ce9fe1c53c8e322fe1a8a94e8ecb4823e5c58ddb04bbd84

SHA512
3c3dae341785da9cd007f329944b29c97d26531b54545b050f0047722c3c522610eacefcbbe9ed109dfcd3d33977edcc666bd0c9722e0ef68491c5039fa10a9f

Download Submit
C:\Windows\debug\qqwhost.exe

Filesize
198KB

MD5
8bf30471861e53c7af8939986ca287b0

SHA1
d16f6a340471a851098829ed15038f0fdb182ca2

SHA256
53946e140f6b7cb89ce9fe1c53c8e322fe1a8a94e8ecb4823e5c58ddb04bbd84

SHA512
3c3dae341785da9cd007f329944b29c97d26531b54545b050f0047722c3c522610eacefcbbe9ed109dfcd3d33977edcc666bd0c9722e0ef68491c5039fa10a9f

Download Submit