735146e39beb6fa328395af567e5712a516addf8779a6ad122ae2395ad883d67

Analysis

max time kernel
145s
max time network
135s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

735146e39beb6fa328395af567e5712a516addf8779a6ad122ae2395ad883d67.exe
Size

198KB
MD5

6662c66c765ae606e9c5d46d79f4b3ed
SHA1

45bb2475a16a43d7f3887d8795864d6b0f7dc486
SHA256

735146e39beb6fa328395af567e5712a516addf8779a6ad122ae2395ad883d67
SHA512

1cfd9de35ee451c081852aae395f511685d00a099fffec59a4458448cf8c7e24c9160accb0f46f6b4146a1d223d6ba29b1b72b063a211ea32e474320a2da8ca7
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOp:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXU

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2764	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	qqwhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\qqwhost.exe	735146e39beb6fa328395af567e5712a516addf8779a6ad122ae2395ad883d67.exe
File opened for modification	C:\Windows\Debug\qqwhost.exe	735146e39beb6fa328395af567e5712a516addf8779a6ad122ae2395ad883d67.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	qqwhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	qqwhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2348	735146e39beb6fa328395af567e5712a516addf8779a6ad122ae2395ad883d67.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2764	2348	735146e39beb6fa328395af567e5712a516addf8779a6ad122ae2395ad883d67.exe	29
PID 2348 wrote to memory of 2764	2348	735146e39beb6fa328395af567e5712a516addf8779a6ad122ae2395ad883d67.exe	29
PID 2348 wrote to memory of 2764	2348	735146e39beb6fa328395af567e5712a516addf8779a6ad122ae2395ad883d67.exe	29
PID 2348 wrote to memory of 2764	2348	735146e39beb6fa328395af567e5712a516addf8779a6ad122ae2395ad883d67.exe	29

C:\Users\Admin\AppData\Local\Temp\735146e39beb6fa328395af567e5712a516addf8779a6ad122ae2395ad883d67.exe
"C:\Users\Admin\AppData\Local\Temp\735146e39beb6fa328395af567e5712a516addf8779a6ad122ae2395ad883d67.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\735146~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2764

C:\Windows\Debug\qqwhost.exe
C:\Windows\Debug\qqwhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\qqwhost.exe

Filesize
198KB

MD5
cd4cb37b2293a153b9667ebeca4a40f3

SHA1
3eaeab581e30ad5e1251d80b07bb125678891424

SHA256
0aaa8068912354b21dcb48844eee1fe528c3ad80882e159ebefaf62cbd1381de

SHA512
7e883114d88af26c2825786d233548c5f0fc169ea84a3b4f100139b93f55c5fe4ca775f6612dfe6f6e2122509b311b2b899356c063d7c02db6152346196367c7

Download Submit