Analysis

max time kernel: 142s
max time network: 150s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22/12/2023, 11:31
Static task: static1

Behavioral task: behavioral1
  Sample: 88adccaaa565b5f653bc4dbae68a743f.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 88adccaaa565b5f653bc4dbae68a743f.exe
  Resource: win10v2004-20231215-en
General

Target: 88adccaaa565b5f653bc4dbae68a743f.exe
Size: 4.8MB
MD5: 88adccaaa565b5f653bc4dbae68a743f
SHA1: 752fe547973d6caa362e6ecffd0ebafa94d58788
SHA256: bfa718d6906897aa810b7a7aeff88c6f4188af7be215acebbec5fbdd875575e2
SHA512: 2b66253e4296aa837a8509a7310c26c5ab2c6860d37c94e0fa56c4db5ec72158368c96a63aea2cf9a261df65b24cfa5642504934bed6939d0e6e0d362fe86cb3
SSDEEP: 98304:71vqjSOikxqQEHx5YAHpPybO0yh8g/oMx6dwFSfwCEQ:7VqDqQEHTL0u8eo0UwC3
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
  resource                                     yara_rule
  behavioral1/files/0x00060000000162d1-58.dat  acprotect

Executes dropped EXE (2 IoCs)
  pid   Process
  2736  QQNetBar.exe
  2592  qqwb_protect.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  1352  88adccaaa565b5f653bc4dbae68a743f.exe
  1352  88adccaaa565b5f653bc4dbae68a743f.exe
  2736  QQNetBar.exe
  2592  qqwb_protect.exe
  2592  qqwb_protect.exe
  2592  qqwb_protect.exe

yara rule: upx (3 matches)
  resource
  behavioral1/files/0x00060000000162d1-58.dat
  behavioral1/memory/2736-60-0x0000000074CC0000-0x0000000074E53000-memory.dmp
  behavioral1/memory/2736-88-0x0000000074CC0000-0x0000000074E53000-memory.dmp

yara rule: vmprotect (4 matches)
  resource
  behavioral1/files/0x0009000000015c41-67.dat
  behavioral1/files/0x0009000000015c41-68.dat
  behavioral1/memory/2592-78-0x0000000000400000-0x00000000007CB000-memory.dmp
  behavioral1/memory/2592-91-0x0000000000400000-0x00000000007CB000-memory.dmp

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQNetBar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ImageCtrl\\QQNetBar.exe -auto_start -hide"
  Process: qqwb_protect.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. The ~MHz value is also read by plenty of legitimate installers and hardware-inventory code, so on its own it is a low-confidence signal; what makes it worth noting here is that the reader is the same dropped, VMProtect-packed process (PID 2592) that writes the Run key.
  description         ioc                                                                    Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        qqwb_protect.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   qqwb_protect.exe
Suspicious behavior: EnumeratesProcesses (29 IoCs)
  pid   Process
  2736  QQNetBar.exe        (28 entries)
  2592  qqwb_protect.exe    (1 entry)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                               procid_target
  PID 1352 wrote to memory of 2736   1352  88adccaaa565b5f653bc4dbae68a743f.exe  28   (4 entries)
  PID 2736 wrote to memory of 2792   2736  QQNetBar.exe                          29   (4 entries)
  PID 2756 wrote to memory of 2592   2756  explorer.exe                          31   (4 entries)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe"
  PID: 1352
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe
    PID: 2736
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\explorer.exe
      Command line: C:\Windows\explorer.exe /e,C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe
      PID: 2792

Depth 1: C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 2756
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe"
    PID: 2592
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
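The detail worth pulling out of the Signatures and Processes sections is that qqwb_protect.exe never runs under QQNetBar.exe. QQNetBar.exe asks the shell to open it (explorer.exe /e,<path>, PID 2792), and the process that actually appears is a child of the COM-activated explorer.exe (/factory,{...} -Embedding, PID 2756). That breaks the parent chain back to the sample, and it is why the Run-key write and the CentralProcessor reads are attributed to a process whose recorded parent is explorer.exe. The following is an added example for this page, not the sandbox's own signature engine: it encodes those three behaviours (Run value pointing into the user's Temp directory, explorer.exe /e, launching an executable, a Temp executable parented by a factory-launched explorer.exe) as detection logic over simplified Sysmon-style event dicts. PIDs, paths and command lines are copied from the report; the event shape and ppid 0 (parent not in the capture) are assumptions made for the example.

```python
"""Detection logic for the behaviours recorded in this report, run over
constructed Sysmon-style events.  Added example; not the sandbox's own
signature engine.  PIDs, paths and command lines are copied from the report,
the event shape is a simplified model (ppid 0 = parent not in the capture)."""
import re
from typing import Dict, List, Tuple

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# explorer.exe /e,<path> where the path is an executable, quoted or not
EXPLORER_E_RE = re.compile(r'explorer\.exe\s+/e,\s*"?([^"]+\.exe)"?', re.IGNORECASE)

EVENTS: List[Dict] = [  # constructed from the Processes and Signatures sections
    {"type": "process", "pid": 1352, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe"'},
    {"type": "process", "pid": 2736, "ppid": 1352,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe",
     "cmd": r"C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe"},
    {"type": "process", "pid": 2792, "ppid": 2736, "image": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\explorer.exe /e,C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe"},
    {"type": "process", "pid": 2756, "ppid": 0, "image": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"},
    {"type": "process", "pid": 2592, "ppid": 2756,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe"'},
    {"type": "registry", "pid": 2592,
     "key": r"\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQNetBar",
     "data": r"C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe -auto_start -hide"},
]


def _processes(events: List[Dict]) -> Dict[int, Dict]:
    return {e["pid"]: e for e in events if e["type"] == "process"}


def lineage(events: List[Dict], pid: int) -> List[str]:
    """Image basenames from pid up to the root of the captured tree."""
    procs, chain = _processes(events), []
    while pid in procs:
        chain.append(procs[pid]["image"].rsplit("\\", 1)[-1])
        pid = procs[pid]["ppid"]
    return chain


def detect(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) hits for the three behaviours worth alerting on."""
    procs, hits = _processes(events), []
    for e in events:
        if e["type"] == "registry":
            # Persistence: a Run value whose target lives under the user's Temp directory.
            if RUN_KEY_RE.search(e["key"]) and TEMP_RE.search(e["data"]):
                hits.append(("run_key_to_temp", e["pid"], e["data"]))
            continue
        # Proxy execution: explorer.exe /e,<exe> asks the shell to launch the file.
        m = EXPLORER_E_RE.search(e["cmd"])
        if m:
            hits.append(("explorer_e_launches_exe", e["pid"], m.group(1)))
        # The launched file then appears under a COM-activated explorer.exe
        # (/factory,... -Embedding), not under the process that requested it.
        parent = procs.get(e["ppid"])
        if (parent and parent["image"].lower().endswith("\\explorer.exe")
                and "-embedding" in parent["cmd"].lower()
                and TEMP_RE.search(e["image"])):
            hits.append(("temp_exe_child_of_explorer_factory", e["pid"], e["image"]))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:<36} pid={pid} {detail}")
    print("lineage of 2592:", " <- ".join(lineage(EVENTS, 2592)))
```

lineage(EVENTS, 2592) stops at explorer.exe, which is the broken chain an analyst sees in the tree, while lineage(EVENTS, 2792) walks back through QQNetBar.exe to the sample; correlating the two needs the /e, command line, which is why the second rule keys on it rather than on parent/child alone.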
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 497KB
MD5: f9db05a8a9e19661b334d968a71122bf
SHA1: 0369d6c2b6cec49c3dd8bb4c5662d9b5eb267843
SHA256: bc29b6ca92b56bd2d68fc1751d42454664a8c8074b5f7cba24be911f57a809a5
SHA512: f308715df2bf81e24da37f7f135ec1ee45ffb59e1096bf7fcebbe835dbd5cb036015392240dbe1662702e2f54817fed229b919eccfd93bad5f4028952c2a8631

Filesize: 33B
MD5: 3bf136f7f83643b7f5eba261bb4c2ffa
SHA1: 32d155fe5d99056407bb9073e4eb782c9f3b884d
SHA256: 3d3c9c28ce7db48aa5d1833de2bfa0b8727279a3643b32ec9096e164d556b815
SHA512: 1f1629a3f67f3f7773af28dbc89b4dacd5b73385f5af1aaa37b6de7fc2a389664c62ca7f36a782103a7613903c4453390fd95ac258e1165d993da972a108253f

Filesize: 534KB
MD5: 01880bb3ca6c8f35eab0c02060651bb0
SHA1: 5959950d50b464903f06704f9d8d84d13be1ee42
SHA256: 6dd12ea5899adc328fb51c3c742ab3ded431d08ec1325098d447ab536f0221e2
SHA512: 7d35c9ff2f0e2fc9c1e8909e098462d9d23bef05edc3012746019f63a6da3a61db5add2d534780e14b463911ec723d61bac524fe901a25250fbc294c0f354ad2

Filesize: 2KB
MD5: b07634ebee925741ecc708b75a4fe757
SHA1: b486bb70199bfac445a29895b7e7301a03fc174d
SHA256: 0466129495a99ff762ce0cfb517039c91c0a455e3a1240a02af0dbb065ea7759
SHA512: 6fddd679a5b4b588674892d25c052b7bcf79f10ab511441756f1d141e35d6e9e3365d5defc91dfb0f4fcdce7d9d7a1be3764ddc75c9d2c236abc91fa0b75ef51

Filesize: 57B
MD5: afc6668c86265923b89c489e896993fb
SHA1: 6e806156a09ff9104cb81121ce9db4b606dd5ca3
SHA256: daabb89d386c0616759e23394d0059799c6f28b84052d945b6bc8d753691518c
SHA512: 71624fd81dc966e41d79d64d438b0d82d1c14b2b911dd1c4e5759badafc646d610478113dd70c93b44f6d2051be1bae91d60f564f4d506a37a4188c94fdecb8e

Filesize: 485KB
MD5: 282805e5b4bdd8d7baeaa79d5134692c
SHA1: 68a85702b669ba281ef1f21342b715f6ddf60463
SHA256: ab7ee36b272b2bf6486081d64a5776e2fb2a0997b2f2d694053ad61e17e67ea0
SHA512: 345dbc54e692291938b995c652a305d821a104d5c5949ed29ff107b06a0191da25828418980bdf914b6dc8442f4041710edc61199418a7bf8c01b2ba194e0806

Filesize: 672KB
MD5: c6576ada75e8f6f42c63ff0e7400ccf1
SHA1: 4819c1015a5f77122bc656f1163f7d2deced435a
SHA256: e72ccecbcff75c06906dd0658162d0b75a88bfc8eeaef42ca4ee6a2200d8f2a6
SHA512: 0203b91185a7df4f2b3a6b3a900002babbe8aaacbacae8734dd540a6297b8c4a1f0d1642e723a6728293549684c18bdcbed013e4f1d6ede07750f99ff064be5c

Filesize: 219KB
MD5: 765c39ba7093f60ec92611231451da5c
SHA1: d54eeb7d9b3d5ecc41f5ab7fe8d5ad1dab85bc2e
SHA256: 7462f7a447795628daa07fcf207992c8bbeddfe9d85016424194b2964f3fa0f9
SHA512: ce27812adf1670b168f79a600e3582dcf30148a6e2878d81c41ee114606b2dd06bbf8c7b8eee749f297d43c7d586e200b2b35defeb0712200585e4d1d7f461c4

Filesize: 770KB
MD5: 079c4783b8bbd68008c5cabe79a99785
SHA1: b9aa4377ecaff0493309a7d2199414c676a41d05
SHA256: d9aaabd737915903e1677046d7efe935ef734c2dd200dd3b472ecae7dc6c33fb
SHA512: 660080af21233bd85410fc8002c5d3fc65111749ac824b2210e59e3ef13ab724e62e269323bcced0776b881ca9b1efd2d31fadb822c5149d403bf71558e1e7b2

Filesize: 198KB
MD5: 044bdfed06765dcc3e48c4e0bd956814
SHA1: e6db6c3475c2a6edf6889e5eed618f0e422aeb14
SHA256: fa5175e4de390a8d7fbe9cf9668552ed941e034552ecf4614918e02776ef543c
SHA512: ba40cd87494f73fa50bb6b6d9e0f7155e2269761a1921dd365c45cd34dfff2461b222be34138bf7e37bca69f2d7d85d53acb96ce184740fca99a6b752e1f221d

Filesize: 220KB
MD5: fc91f733fe8e145d596a5cecc362c3a2
SHA1: 33782f889a5ecabfd8147d4fe1648add88c6a20d
SHA256: 5f2ef0b864cbc179c74706dd8ab05b66fcc472d7f1c117e7610070907e6aedab
SHA512: 3251a17c3923bdb83ca52d0119eaf67dcaf3b8c42f6287abe1171aab188afa5426c8e28d81d64efff388849e31bcdf9fa2e703346cf906dc478e235ced1183f1

Filesize: 411KB
MD5: e3c817f7fe44cc870ecdbcbc3ea36132
SHA1: 2ada702a0c143a7ae39b7de16a4b5cc994d2548b
SHA256: d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf
SHA512: 4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Filesize: 403KB
MD5: 8d6b3dc733bc202aa367e684f1dc21e8
SHA1: 1c585947eaf4b195c70777ce67fd37398588298e
SHA256: ae3474bc13b7c1ae9c82c19fc00c650811abbda71ab6b831d4a7883977f1746c
SHA512: 596bf72e5b4a40450c01bea43dabad619f7cf8205cfb6f2e3f2fee79b9941955e74bebed1ac58d868924d977e9a9babd234e06df8c2e4097a91dccbb95b7db25
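The sample and dropped-file hashes above are most useful as an IOC set for sweeping other hosts. The following is an added example, not tooling from the sandbox: it hashes every regular file under a directory in a single read (MD5, SHA-1 and SHA-256 updated together, so multi-GB files never need to fit in memory) and reports the ones whose SHA-256 is in the IOC dict. Two entries are copied from the report to show the shape; the rest of the Downloads list can be added the same way. The demo writes a constructed file into a temporary directory so the block runs offline; the file content, its label and the directory name are assumptions for the example. SSDEEP values are left out because fuzzy matching needs the third-party ssdeep library.

```python
"""IOC sweep for the file hashes in this report.  Added example, not tooling
from the sandbox: single-pass hashing of every file under a directory,
matched against a SHA-256 IOC set.  The demo input is constructed."""
import hashlib
import io
import tempfile
from pathlib import Path
from typing import BinaryIO, Dict, List, Tuple

# Copied from the General and Downloads sections; extend with the other entries.
IOC_SHA256: Dict[str, str] = {
    "bfa718d6906897aa810b7a7aeff88c6f4188af7be215acebbec5fbdd875575e2":
        "88adccaaa565b5f653bc4dbae68a743f.exe (sample, 4.8MB)",
    "bc29b6ca92b56bd2d68fc1751d42454664a8c8074b5f7cba24be911f57a809a5":
        "dropped file, 497KB",
}


def hash_stream(f: BinaryIO, chunk: int = 1 << 20) -> Dict[str, str]:
    """Read the stream once, feeding MD5, SHA-1 and SHA-256 from the same chunks."""
    hs = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for block in iter(lambda: f.read(chunk), b""):
        for h in hs.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hs.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return hash_stream(io.BytesIO(data))


def hash_file(path: Path) -> Dict[str, str]:
    with open(path, "rb") as f:
        return hash_stream(f)


def sweep(root: str, iocs: Dict[str, str] = IOC_SHA256) -> List[Tuple[str, str, str]]:
    """(path, sha256, label) for every regular file under root whose SHA-256 is an IOC."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        sha256 = hash_file(p)["sha256"]
        if sha256 in iocs:
            hits.append((str(p), sha256, iocs[sha256]))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Constructed run: one benign file plus one whose hash is added to the IOC set."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d) / "ImageCtrl" / "sample.bin"   # directory name mirrors the drop path above
        target.parent.mkdir()
        target.write_bytes(b"abc")                       # constructed content, not a real dropped file
        (Path(d) / "notes.txt").write_bytes(b"benign")
        iocs = dict(IOC_SHA256)
        iocs[hashlib.sha256(b"abc").hexdigest()] = "constructed test file"
        return sweep(d, iocs)


if __name__ == "__main__":
    for path, digest, label in demo():
        print(f"{label}: {path} sha256={digest}")
```

Matching on SHA-256 alone is deliberate: the MD5 and SHA-1 values are still computed so a hit can be cross-checked against the other columns of the report, but they should not be the matching key.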