Analysis

  • max time kernel
    147s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/12/2023, 11:31

General

  • Target

    88adccaaa565b5f653bc4dbae68a743f.exe

  • Size

    4.8MB

  • MD5

    88adccaaa565b5f653bc4dbae68a743f

  • SHA1

    752fe547973d6caa362e6ecffd0ebafa94d58788

  • SHA256

    bfa718d6906897aa810b7a7aeff88c6f4188af7be215acebbec5fbdd875575e2

  • SHA512

    2b66253e4296aa837a8509a7310c26c5ab2c6860d37c94e0fa56c4db5ec72158368c96a63aea2cf9a261df65b24cfa5642504934bed6939d0e6e0d362fe86cb3

  • SSDEEP

    98304:71vqjSOikxqQEHx5YAHpPybO0yh8g/oMx6dwFSfwCEQ:7VqDqQEHTL0u8eo0UwC3

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file 6 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe
    "C:\Users\Admin\AppData\Local\Temp\88adccaaa565b5f653bc4dbae68a743f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe
      C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4788
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /e,C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe
    1⤵
      PID:5020
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe
        "C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:3204

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\MSVCR100.dll

            Filesize

            755KB

            MD5

            bf38660a9125935658cfa3e53fdc7d65

            SHA1

            0b51fb415ec89848f339f8989d323bea722bfd70

            SHA256

            60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

            SHA512

            25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

          • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.exe

            Filesize

            198KB

            MD5

            044bdfed06765dcc3e48c4e0bd956814

            SHA1

            e6db6c3475c2a6edf6889e5eed618f0e422aeb14

            SHA256

            fa5175e4de390a8d7fbe9cf9668552ed941e034552ecf4614918e02776ef543c

            SHA512

            ba40cd87494f73fa50bb6b6d9e0f7155e2269761a1921dd365c45cd34dfff2461b222be34138bf7e37bca69f2d7d85d53acb96ce184740fca99a6b752e1f221d

          • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\QQNetBar.ini

            Filesize

            33B

            MD5

            3bf136f7f83643b7f5eba261bb4c2ffa

            SHA1

            32d155fe5d99056407bb9073e4eb782c9f3b884d

            SHA256

            3d3c9c28ce7db48aa5d1833de2bfa0b8727279a3643b32ec9096e164d556b815

            SHA512

            1f1629a3f67f3f7773af28dbc89b4dacd5b73385f5af1aaa37b6de7fc2a389664c62ca7f36a782103a7613903c4453390fd95ac258e1165d993da972a108253f

          • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\common.dll

            Filesize

            657KB

            MD5

            13dc935c33f2ebdad54db30e360f1dea

            SHA1

            1a98b92a76ac7dc4ef700bf49ec50c61d68ac463

            SHA256

            ae5776a6360d506542388147d8a66cc0e3b6c477ecd41ab745912b4c97be2ccd

            SHA512

            09fea3714a241484c3600eac77e2e554d3e353cb1c25d23eaa0ab350496297c74ca7d395fd315eb3b983870e7912b162581cdec5464e5dc3ae7c741c8db3b4e9

          • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\common.dll

            Filesize

            519KB

            MD5

            3009f42f8ad97987660c789ee2efbb26

            SHA1

            67efb360c73273545c16e6e412d2308b107a57f5

            SHA256

            3803b31255ec6b2f745d232dace93c7affdb0d1491fa6917886ad7dd2f29fe1d

            SHA512

            d0b1bd5514fbf2dcfc674d1b1f9581109c50d59e9dd20278239e3d7a8eab8e9f9e7adb9cc9de5458d6bf9cf6a2a44d6163ad1f2ef735146f70362f2ee1963d32

          • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\log\QQNetBar.log

            Filesize

            2KB

            MD5

            9429ffbca2ddab43f28256484c9aae08

            SHA1

            510bb0e6ee5cdc5a1b5c0915f52cce262395db97

            SHA256

            d2de38c210d4b69dd8232374672fb4463e6ce488820e9fe246036af78b9f05cb

            SHA512

            79614d487ec176d8262bb6b5832f5216f81a4b999ff1904f64154a39b9adffd58c8b0de0f82cce33082f1e59a6d02bc2b56c7bd35729aa2ee9ab42090ddbfc79

          • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\msvcp100.dll

            Filesize

            411KB

            MD5

            e3c817f7fe44cc870ecdbcbc3ea36132

            SHA1

            2ada702a0c143a7ae39b7de16a4b5cc994d2548b

            SHA256

            d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

            SHA512

            4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

          • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\msvcr100.dll

            Filesize

            442KB

            MD5

            e7253e344ad8e41b0b1f1daa590ccdc2

            SHA1

            5bdc3b37e19059ec3102f24ed0221346cfe901bf

            SHA256

            206c018417188f27ab8711884a7e90f2962dc75dcae0986e3a7d051b51b4d425

            SHA512

            6ffda0e972e2d8fab89299394a785a8d3352a6cb35e7558404223d3b4ff4e3d1f5713af616239de29e4c89d2ae891a8d279289525aa0facb17ac3a828fb3df3c

          • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\msvcr100.dll

            Filesize

            621KB

            MD5

            1f0a03cefa0160b3921a39a061e081d9

            SHA1

            cbc9648e8240c298252085a89d6f131c50499abc

            SHA256

            1a8cb2642185eae9e714c9228968e6a3398cc2f4f77b343cac2a8de0cce9c30b

            SHA512

            cc3f283485acb7e364ee36aeb9a6f6f5e672f032e1015d015e102c58e5bb70570d0b68a5a3f3885b34b8bbc6597ea73195cb352c74ccb220fe5dc356d9dc6fee

          • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe

            Filesize

            431KB

            MD5

            e79eda3505dd686caa34f2d04e6e887a

            SHA1

            d5ba460a65fa92c7a42e257b53c6ba1dbe69a55f

            SHA256

            cd55b27aa688b31139a5aea7468653ecbac411a73d98ef0e1c5d67777addc608

            SHA512

            4c73187d331bb5a503e83ac80da9fd9a7613769c0c5cbc7f36aaebd7efeee5a95d67049c0948b50e4b4211834e7bfd2436223109529791095bf835a98dac0797

          • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe

            Filesize

            959KB

            MD5

            4a114d607b2c4f8fef3a773048fd0af4

            SHA1

            6be18de9040d924ecaa55052d6d6a045b03ce583

            SHA256

            4c8d020d9b68d1cd1dc822b4e91dc36ba0491ecfbc93de9cc42fb540fa88f6a4

            SHA512

            28166a34897e93408bf8be1ba75152f641f32332f8037fea282d0b22a0a9936662b72075bb01d1989dfc864c1dbffde3b68477f2adefad1409fc381856c38f64

          • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\qqwb_protect.exe

            Filesize

            591KB

            MD5

            2c478d1e0a928dcd9dee488b9b073260

            SHA1

            d64f514ac454741ec02092af332b5bb8a5983a07

            SHA256

            9b7190617da5d0b37bd803104eb2f7d2718ee926c256a8895d29ecb6e4ff8482

            SHA512

            e01b1b6fc655bac7d7d156dba6147b7ece2084626fa972454308b6615e9b8b8ad7b7788b844ccc21613815f39cff1fcdfe8bd0cc41c2d23a71a60ef20cb6d2d8

          • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\ui.dat

            Filesize

            219KB

            MD5

            765c39ba7093f60ec92611231451da5c

            SHA1

            d54eeb7d9b3d5ecc41f5ab7fe8d5ad1dab85bc2e

            SHA256

            7462f7a447795628daa07fcf207992c8bbeddfe9d85016424194b2964f3fa0f9

            SHA512

            ce27812adf1670b168f79a600e3582dcf30148a6e2878d81c41ee114606b2dd06bbf8c7b8eee749f297d43c7d586e200b2b35defeb0712200585e4d1d7f461c4

          • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\wxmsw28u_gcc_cb.dll

            Filesize

            210KB

            MD5

            15714a17b896262e732a872c896f50c4

            SHA1

            3eafd92988d64f04df7e4e209b90d7b06733e3d5

            SHA256

            e4405d0dac6b1e5a2f7fa23c4702f6656d389be667e264ec16f2fb05622e7a5a

            SHA512

            b8191e23d5dfec744f9634117dd65e4d18157d8e466b9771bbc71c3e4f6c143081ee3abc718fddaccd5aa0054883b8eaff5a560141867104edc6a412982d393c

          • C:\Users\Admin\AppData\Local\Temp\ImageCtrl\wxmsw28u_gcc_cb.dll

            Filesize

            392KB

            MD5

            5f5b1fa457fce8d2064128a2ae557a89

            SHA1

            4bf02c5bb870cc79cfdc73668b0346415725243d

            SHA256

            cd2ff17694c0735119324e83efd923f54ca62d9059e1da22e5b2b34c637092d0

            SHA512

            6e1fa803a64bdcc9df285816891e00f78db45bfcc1da6bb500be3e3a92bf23cb4e9b52926261cb7a9e1115e9c11468f378b37b30dc27285003397350fc3342d1

          • C:\Users\Admin\AppData\Local\Temp\autB643.tmp

            Filesize

            57B

            MD5

            afc6668c86265923b89c489e896993fb

            SHA1

            6e806156a09ff9104cb81121ce9db4b606dd5ca3

            SHA256

            daabb89d386c0616759e23394d0059799c6f28b84052d945b6bc8d753691518c

            SHA512

            71624fd81dc966e41d79d64d438b0d82d1c14b2b911dd1c4e5759badafc646d610478113dd70c93b44f6d2051be1bae91d60f564f4d506a37a4188c94fdecb8e

          • memory/3204-77-0x0000000000D60000-0x0000000000D61000-memory.dmp

            Filesize

            4KB

          • memory/3204-75-0x0000000000400000-0x00000000007CB000-memory.dmp

            Filesize

            3.8MB

          • memory/3204-86-0x0000000000400000-0x00000000007CB000-memory.dmp

            Filesize

            3.8MB

          • memory/3204-87-0x0000000000400000-0x00000000007CB000-memory.dmp

            Filesize

            3.8MB

          • memory/4788-59-0x0000000075460000-0x00000000755F3000-memory.dmp

            Filesize

            1.6MB

          • memory/4788-61-0x0000000010000000-0x000000001003C000-memory.dmp

            Filesize

            240KB

          • memory/4788-82-0x0000000000400000-0x0000000000438000-memory.dmp

            Filesize

            224KB

          • memory/4788-83-0x0000000075460000-0x00000000755F3000-memory.dmp

            Filesize

            1.6MB