Analysis
max time kernel: 147s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/12/2023, 11:31
Static task: static1
Behavioral task: behavioral1
  Sample: 88adccaaa565b5f653bc4dbae68a743f.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 88adccaaa565b5f653bc4dbae68a743f.exe
  Resource: win10v2004-20231215-en
General
Target: 88adccaaa565b5f653bc4dbae68a743f.exe
Size: 4.8MB
MD5: 88adccaaa565b5f653bc4dbae68a743f
SHA1: 752fe547973d6caa362e6ecffd0ebafa94d58788
SHA256: bfa718d6906897aa810b7a7aeff88c6f4188af7be215acebbec5fbdd875575e2
SHA512: 2b66253e4296aa837a8509a7310c26c5ab2c6860d37c94e0fa56c4db5ec72158368c96a63aea2cf9a261df65b24cfa5642504934bed6939d0e6e0d362fe86cb3
SSDEEP: 98304:71vqjSOikxqQEHx5YAHpPybO0yh8g/oMx6dwFSfwCEQ:7VqDqQEHTL0u8eo0UwC3
Malware Config
Signatures
ACProtect 1.3x - 1.4x DLL software (2 IoCs)
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x0006000000023210-58.dat | acprotect
behavioral2/files/0x0006000000023210-57.dat | acprotect
Executes dropped EXE (2 IoCs)
pid | Process
4788 | QQNetBar.exe
3204 | qqwb_protect.exe
Loads dropped DLL (5 IoCs)
pid | Process | loads
4788 | QQNetBar.exe | 1
3204 | qqwb_protect.exe | 4
UPX packed file (yara rule upx, 4 IoCs)
resource | yara_rule
behavioral2/files/0x0006000000023210-58.dat | upx
behavioral2/memory/4788-59-0x0000000075460000-0x00000000755F3000-memory.dmp | upx
behavioral2/files/0x0006000000023210-57.dat | upx
behavioral2/memory/4788-83-0x0000000075460000-0x00000000755F3000-memory.dmp | upx
VMProtect packed file (yara rule vmprotect, 6 IoCs)
resource | yara_rule
behavioral2/files/0x000c000000023205-38.dat | vmprotect
behavioral2/files/0x000c000000023205-66.dat | vmprotect
behavioral2/files/0x000c000000023205-67.dat | vmprotect
behavioral2/memory/3204-75-0x0000000000400000-0x00000000007CB000-memory.dmp | vmprotect
behavioral2/memory/3204-86-0x0000000000400000-0x00000000007CB000-memory.dmp | vmprotect
behavioral2/memory/3204-87-0x0000000000400000-0x00000000007CB000-memory.dmp | vmprotect
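The three packer signatures above are name-based YARA hits, and the same dropped file (0x0006000000023210-58.dat) matched both the acprotect and the upx rule, so a name match on its own is not conclusive. The added example below is not part of the sandbox report or of any tool it uses: it walks a PE's section table by hand, flags the section names these packers are known to leave behind, and corroborates each hit with the Shannon entropy of the section's raw bytes. The UPX and VMProtect section names are well documented; the ".perplex" name for ACProtect is an assumption taken from PEiD-style signature lists. The two PE images it scans are constructed inline (a UPX-style layout and a plain binary), not the files from this report.

```python
import math
import struct

# Section names that the three packers flagged in this report commonly leave
# behind. UPX and VMProtect names are well documented; ".perplex" for
# ACProtect is an assumption taken from PEiD-style signature lists.
PACKER_SECTION_NAMES = {
    "upx": {"UPX0", "UPX1", "UPX2"},
    "vmprotect": {".vmp0", ".vmp1", ".vmp2"},
    "acprotect": {".perplex"},
}
HIGH_ENTROPY = 7.2  # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(buf):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return one dict per section with its name, raw size and raw-data entropy."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packer_indicators(data):
    """Return human-readable findings: known packer section names plus any
    section whose raw data is high-entropy. Both should agree before a file is
    called packed; a name match alone is easy to fake or to mislabel."""
    findings = []
    for sec in parse_sections(data):
        for packer, names in PACKER_SECTION_NAMES.items():
            if sec["name"] in names:
                findings.append("section %r is a %s marker" % (sec["name"], packer))
        if sec["raw_size"] and sec["entropy"] >= HIGH_ENTROPY:
            findings.append("section %r entropy %.2f suggests compressed or encrypted data"
                            % (sec["name"], sec["entropy"]))
    return findings


def build_sample_pe(sections):
    """Construct a minimal PE image for testing: DOS stub, PE signature, COFF
    header, section table and raw data. It fills only the fields the parser
    reads and has no optional header, so Windows would not load it."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_base = e_lfanew + 4 + 20 + 40 * len(sections)
    table, blobs = b"", b""
    for name, raw in sections:
        ptr = raw_base + len(blobs) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             len(raw) or 0x1000, 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed inputs: a UPX-style layout (empty UPX0, dense UPX1) and a plain
# two-section binary with low-entropy contents.
PACKED_SAMPLE = build_sample_pe([("UPX0", b""), ("UPX1", bytes(range(256)))])
PLAIN_SAMPLE = build_sample_pe([(".text", b"\x90" * 64 + b"\xc3"), (".data", b"\0" * 128)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, packer_indicators(blob) or ["no packer indicators"])
```

Run it against a real dropped file with `packer_indicators(open(path, "rb").read())`. The entropy threshold is a heuristic: legitimate resources (compressed images, embedded archives) also score near 8.0, so the name hit and the entropy hit together, not either alone, are what justify the "packed" label.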
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQNetBar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ImageCtrl\\QQNetBar.exe -auto_start -hide" | qqwb_protect.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | qqwb_protect.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | qqwb_protect.exe
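The two registry signatures above (the Run-key write and the CentralProcessor reads) are the rows an analyst turns into detection logic. The added example below is not part of the report: it parses the IoC rows exactly as the sandbox prints them and tags what matters about each one. For the Run key it records that qqwb_protect.exe registers a different component (QQNetBar.exe), that the registered image lives in the user's Temp directory (user-writable, no admin rights needed), and that the stored command line carries a `-hide` flag; for the CentralProcessor rows it tags the `~MHz` read, a cheap clock-speed check commonly used to fingerprint VMs and sandboxes. The three input lines are copied from this report; the tag names are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: the three registry IoC rows from this report, copied as
# the sandbox printed them (the value data keeps its doubled backslashes).
REGISTRY_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQNetBar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ImageCtrl\\QQNetBar.exe -auto_start -hide" qqwb_protect.exe',
    r'Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 qqwb_protect.exe',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz qqwb_protect.exe',
]

SET_RE = re.compile(r'^Set value \((\w+)\) (\S+)\\([^\\\s]+) = "(.*)" (\S+)$')
READ_RE = re.compile(r'^Key (opened|value queried) (\S+) (\S+)$')
# Autostart locations under the user or machine hive (RunOnce included).
RUN_KEY_RE = re.compile(r'\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$', re.I)
CPU_KEY_RE = re.compile(r'\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\', re.I)
USER_TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.I)


def split_command(data):
    """Split stored Run-key data into (image path, arguments), undoing the
    doubled backslashes of the sandbox's string rendering."""
    data = data.replace("\\\\", "\\").strip()
    if data.startswith('"'):
        end = data.index('"', 1)
        return data[1:end], data[end + 1:].strip()
    parts = data.split(" ", 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def classify(line):
    """Turn one IoC row into a finding dict with tags; None for rows the
    parser does not understand."""
    m = SET_RE.match(line)
    if m:
        _vtype, key, name, data, proc = m.groups()
        finding = {"event": "set", "key": key, "value": name, "process": proc, "tags": []}
        if RUN_KEY_RE.search(key):
            image, args = split_command(data)
            finding.update(image=image, args=args)
            finding["tags"].append("persistence:run-key")
            if USER_TEMP_RE.search(image):
                finding["tags"].append("image-in-user-temp")        # user-writable, no admin needed
            if "-hide" in args.split():
                finding["tags"].append("hidden-launch-flag")        # asks the payload to stay invisible
            if PureWindowsPath(image).name.lower() != proc.lower():
                finding["tags"].append("registered-by-other-component")  # dropper registers a sibling
        return finding
    m = READ_RE.match(line)
    if m:
        op, key, proc = m.groups()
        finding = {"event": op, "key": key, "process": proc, "tags": []}
        if CPU_KEY_RE.search(key):
            finding["tags"].append("fingerprint:cpu")
            if key.lower().endswith("\\~mhz"):
                finding["tags"].append("fingerprint:cpu-clock")     # ~MHz is a cheap VM/sandbox tell
        return finding
    return None


def triage(lines):
    """Findings that carry at least one tag, in input order."""
    return [f for f in map(classify, lines) if f and f["tags"]]


if __name__ == "__main__":
    for f in triage(REGISTRY_EVENTS):
        print(f["process"], f["event"], f["tags"], f.get("image", f["key"]))
```

The same four Run-key tags map directly onto a host query: enumerate HKCU and HKLM `...\CurrentVersion\Run` values, resolve the image path, and alert when it points under `%LOCALAPPDATA%\Temp` or when the value was written by a process other than the registered image.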
Suspicious behavior: EnumeratesProcesses (58 IoCs)
pid | Process | events
3204 | qqwb_protect.exe | 2
4788 | QQNetBar.exe | 56
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
3204 | qqwb_protect.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2908 wrote to memory of 4788 | 2908 | 88adccaaa565b5f653bc4dbae68a743f.exe | 92
PID 2908 wrote to memory of 4788 | 2908 | 88adccaaa565b5f653bc4dbae68a743f.exe | 92
PID 2908 wrote to memory of 4788 | 2908 | 88adccaaa565b5f653bc4dbae68a743f.exe | 92
PID 4788 wrote to memory of 5020 | 4788 | QQNetBar.exe | 90
PID 4788 wrote to memory of 5020 | 4788 | QQNetBar.exe | 90
PID 640 wrote to memory of 3204 | 640 | explorer.exe | 93
PID 640 wrote to memory of 3204 | 640 | explorer.exe | 93
PID 640 wrote to memory of 3204 | 640 | explorer.exe | 93
Processes
1. C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe"
   PID: 2908
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe
      command line: C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe
      PID: 4788
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
1. C:\Windows\explorer.exe
   command line: C:\Windows\explorer.exe /e,C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe
   PID: 5020
1. C:\Windows\explorer.exe
   command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
   PID: 640
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe"
      PID: 3204
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
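Read together, the WriteProcessMemory rows and the process tree show why qqwb_protect.exe does not appear under the sample: QQNetBar.exe (4788) runs `explorer.exe /e,<path to qqwb_protect.exe>` (5020), and the process that actually creates qqwb_protect.exe (3204) is a separate, COM-activated explorer.exe instance (640, `/factory,... -Embedding`). The recorded parent is therefore explorer.exe, not the dropper. The added example below is not part of the report: it rebuilds the lineage from the eight event rows and the command lines shown above, pairs each `explorer.exe /e,<target>` request with the process later created for that target, and flags the mismatch between the initiator and the recorded parent. It assumes, as a heuristic, that the first cross-process write into a new PID comes from its creating parent; on a real host that relationship should be taken from process-creation telemetry (Sysmon event 1 or ETW) rather than inferred.

```python
import re

# Constructed input: the eight "Suspicious use of WriteProcessMemory" rows and
# the command lines from the Processes section of this report, embedded so the
# example runs offline. Duplicate rows are kept as the sandbox printed them.
WPM_EVENTS = """
PID 2908 wrote to memory of 4788 2908 88adccaaa565b5f653bc4dbae68a743f.exe 92
PID 2908 wrote to memory of 4788 2908 88adccaaa565b5f653bc4dbae68a743f.exe 92
PID 2908 wrote to memory of 4788 2908 88adccaaa565b5f653bc4dbae68a743f.exe 92
PID 4788 wrote to memory of 5020 4788 QQNetBar.exe 90
PID 4788 wrote to memory of 5020 4788 QQNetBar.exe 90
PID 640 wrote to memory of 3204 640 explorer.exe 93
PID 640 wrote to memory of 3204 640 explorer.exe 93
PID 640 wrote to memory of 3204 640 explorer.exe 93
"""
COMMAND_LINES = {
    2908: r'"C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe"',
    4788: r'C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe',
    5020: r'C:\Windows\explorer.exe /e,C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe',
    640: r'C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding',
    3204: r'"C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe"',
}

EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")
EXPLORER_OPEN_RE = re.compile(r"explorer\.exe\s+/e,(\S+)", re.I)


def parent_map(events_text):
    """pid -> (writer pid, writer image). Heuristic: the first cross-process
    write into a PID is the creating parent filling in the new process; later
    writes into the same PID (the duplicate rows) are ignored."""
    parents = {}
    for m in EVENT_RE.finditer(events_text):
        src, dst, image = int(m.group(1)), int(m.group(2)), m.group(3)
        parents.setdefault(dst, (src, image))
    return parents


def lineage(pid, parents):
    """Ancestor chain as recorded, innermost first."""
    chain = [pid]
    while pid in parents:
        pid = parents[pid][0]
        chain.append(pid)
    return chain


def image_path(cmdline):
    """Executable path from a command line, honouring a quoted first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def proxied_launches(parents, cmdlines):
    """Match each 'explorer.exe /e,<target>' request to the process that was
    later created for <target>, and report who asked versus who is recorded
    as the parent. The two differ when explorer's COM factory instance does
    the CreateProcess, which is what detaches the payload from the dropper."""
    findings = []
    for req_pid, cmd in cmdlines.items():
        m = EXPLORER_OPEN_RE.search(cmd)
        if not m:
            continue
        target = m.group(1).lower()
        initiator = parents.get(req_pid, (None, None))[0]
        for pid, c in cmdlines.items():
            if pid != req_pid and image_path(c).lower() == target:
                recorded = parents.get(pid, (None, None))
                findings.append({
                    "target_pid": pid,
                    "target_image": target,
                    "requested_via": req_pid,
                    "initiator": initiator,
                    "initiator_lineage": lineage(initiator, parents) if initiator else [],
                    "recorded_parent": recorded[0],
                    "recorded_parent_image": recorded[1],
                    "lineage_broken": recorded[0] != initiator,
                })
    return findings


if __name__ == "__main__":
    P = parent_map(WPM_EVENTS)
    for f in proxied_launches(P, COMMAND_LINES):
        print(f)
```

For detection, the durable signal is the request rather than the result: a process started from a user-writable directory spawning `explorer.exe /e,<executable path>` (or the `/factory ... -Embedding` instance creating an executable under `%LOCALAPPDATA%\Temp`) is worth an alert even when the resulting child looks like a benign explorer.exe descendant.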
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 755KB
  MD5: bf38660a9125935658cfa3e53fdc7d65
  SHA1: 0b51fb415ec89848f339f8989d323bea722bfd70
  SHA256: 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
  SHA512: 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1
- Filesize: 198KB
  MD5: 044bdfed06765dcc3e48c4e0bd956814
  SHA1: e6db6c3475c2a6edf6889e5eed618f0e422aeb14
  SHA256: fa5175e4de390a8d7fbe9cf9668552ed941e034552ecf4614918e02776ef543c
  SHA512: ba40cd87494f73fa50bb6b6d9e0f7155e2269761a1921dd365c45cd34dfff2461b222be34138bf7e37bca69f2d7d85d53acb96ce184740fca99a6b752e1f221d
- Filesize: 33B
  MD5: 3bf136f7f83643b7f5eba261bb4c2ffa
  SHA1: 32d155fe5d99056407bb9073e4eb782c9f3b884d
  SHA256: 3d3c9c28ce7db48aa5d1833de2bfa0b8727279a3643b32ec9096e164d556b815
  SHA512: 1f1629a3f67f3f7773af28dbc89b4dacd5b73385f5af1aaa37b6de7fc2a389664c62ca7f36a782103a7613903c4453390fd95ac258e1165d993da972a108253f
- Filesize: 657KB
  MD5: 13dc935c33f2ebdad54db30e360f1dea
  SHA1: 1a98b92a76ac7dc4ef700bf49ec50c61d68ac463
  SHA256: ae5776a6360d506542388147d8a66cc0e3b6c477ecd41ab745912b4c97be2ccd
  SHA512: 09fea3714a241484c3600eac77e2e554d3e353cb1c25d23eaa0ab350496297c74ca7d395fd315eb3b983870e7912b162581cdec5464e5dc3ae7c741c8db3b4e9
- Filesize: 519KB
  MD5: 3009f42f8ad97987660c789ee2efbb26
  SHA1: 67efb360c73273545c16e6e412d2308b107a57f5
  SHA256: 3803b31255ec6b2f745d232dace93c7affdb0d1491fa6917886ad7dd2f29fe1d
  SHA512: d0b1bd5514fbf2dcfc674d1b1f9581109c50d59e9dd20278239e3d7a8eab8e9f9e7adb9cc9de5458d6bf9cf6a2a44d6163ad1f2ef735146f70362f2ee1963d32
- Filesize: 2KB
  MD5: 9429ffbca2ddab43f28256484c9aae08
  SHA1: 510bb0e6ee5cdc5a1b5c0915f52cce262395db97
  SHA256: d2de38c210d4b69dd8232374672fb4463e6ce488820e9fe246036af78b9f05cb
  SHA512: 79614d487ec176d8262bb6b5832f5216f81a4b999ff1904f64154a39b9adffd58c8b0de0f82cce33082f1e59a6d02bc2b56c7bd35729aa2ee9ab42090ddbfc79
- Filesize: 411KB
  MD5: e3c817f7fe44cc870ecdbcbc3ea36132
  SHA1: 2ada702a0c143a7ae39b7de16a4b5cc994d2548b
  SHA256: d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf
  SHA512: 4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe
- Filesize: 442KB
  MD5: e7253e344ad8e41b0b1f1daa590ccdc2
  SHA1: 5bdc3b37e19059ec3102f24ed0221346cfe901bf
  SHA256: 206c018417188f27ab8711884a7e90f2962dc75dcae0986e3a7d051b51b4d425
  SHA512: 6ffda0e972e2d8fab89299394a785a8d3352a6cb35e7558404223d3b4ff4e3d1f5713af616239de29e4c89d2ae891a8d279289525aa0facb17ac3a828fb3df3c
- Filesize: 621KB
  MD5: 1f0a03cefa0160b3921a39a061e081d9
  SHA1: cbc9648e8240c298252085a89d6f131c50499abc
  SHA256: 1a8cb2642185eae9e714c9228968e6a3398cc2f4f77b343cac2a8de0cce9c30b
  SHA512: cc3f283485acb7e364ee36aeb9a6f6f5e672f032e1015d015e102c58e5bb70570d0b68a5a3f3885b34b8bbc6597ea73195cb352c74ccb220fe5dc356d9dc6fee
- Filesize: 431KB
  MD5: e79eda3505dd686caa34f2d04e6e887a
  SHA1: d5ba460a65fa92c7a42e257b53c6ba1dbe69a55f
  SHA256: cd55b27aa688b31139a5aea7468653ecbac411a73d98ef0e1c5d67777addc608
  SHA512: 4c73187d331bb5a503e83ac80da9fd9a7613769c0c5cbc7f36aaebd7efeee5a95d67049c0948b50e4b4211834e7bfd2436223109529791095bf835a98dac0797
- Filesize: 959KB
  MD5: 4a114d607b2c4f8fef3a773048fd0af4
  SHA1: 6be18de9040d924ecaa55052d6d6a045b03ce583
  SHA256: 4c8d020d9b68d1cd1dc822b4e91dc36ba0491ecfbc93de9cc42fb540fa88f6a4
  SHA512: 28166a34897e93408bf8be1ba75152f641f32332f8037fea282d0b22a0a9936662b72075bb01d1989dfc864c1dbffde3b68477f2adefad1409fc381856c38f64
- Filesize: 591KB
  MD5: 2c478d1e0a928dcd9dee488b9b073260
  SHA1: d64f514ac454741ec02092af332b5bb8a5983a07
  SHA256: 9b7190617da5d0b37bd803104eb2f7d2718ee926c256a8895d29ecb6e4ff8482
  SHA512: e01b1b6fc655bac7d7d156dba6147b7ece2084626fa972454308b6615e9b8b8ad7b7788b844ccc21613815f39cff1fcdfe8bd0cc41c2d23a71a60ef20cb6d2d8
- Filesize: 219KB
  MD5: 765c39ba7093f60ec92611231451da5c
  SHA1: d54eeb7d9b3d5ecc41f5ab7fe8d5ad1dab85bc2e
  SHA256: 7462f7a447795628daa07fcf207992c8bbeddfe9d85016424194b2964f3fa0f9
  SHA512: ce27812adf1670b168f79a600e3582dcf30148a6e2878d81c41ee114606b2dd06bbf8c7b8eee749f297d43c7d586e200b2b35defeb0712200585e4d1d7f461c4
- Filesize: 210KB
  MD5: 15714a17b896262e732a872c896f50c4
  SHA1: 3eafd92988d64f04df7e4e209b90d7b06733e3d5
  SHA256: e4405d0dac6b1e5a2f7fa23c4702f6656d389be667e264ec16f2fb05622e7a5a
  SHA512: b8191e23d5dfec744f9634117dd65e4d18157d8e466b9771bbc71c3e4f6c143081ee3abc718fddaccd5aa0054883b8eaff5a560141867104edc6a412982d393c
- Filesize: 392KB
  MD5: 5f5b1fa457fce8d2064128a2ae557a89
  SHA1: 4bf02c5bb870cc79cfdc73668b0346415725243d
  SHA256: cd2ff17694c0735119324e83efd923f54ca62d9059e1da22e5b2b34c637092d0
  SHA512: 6e1fa803a64bdcc9df285816891e00f78db45bfcc1da6bb500be3e3a92bf23cb4e9b52926261cb7a9e1115e9c11468f378b37b30dc27285003397350fc3342d1
- Filesize: 57B
  MD5: afc6668c86265923b89c489e896993fb
  SHA1: 6e806156a09ff9104cb81121ce9db4b606dd5ca3
  SHA256: daabb89d386c0616759e23394d0059799c6f28b84052d945b6bc8d753691518c
  SHA512: 71624fd81dc966e41d79d64d438b0d82d1c14b2b911dd1c4e5759badafc646d610478113dd70c93b44f6d2051be1bae91d60f564f4d506a37a4188c94fdecb8e