ff542e81bd22a660ba49954ab40a20bec752beb4bc9f663f3852b013f38185bd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qqchess1.2.exe
Size

3.0MB
MD5

3b4326e221442f7db09ee6053c820982
SHA1

84b48dca1c2b02ec9ec9e801fa71f8492a707c6c
SHA256

a6f59a34a7ce92d62187c19c1f44143d4a5d7628b001c4c467d7186722064bdb
SHA512

d2eb5c1b27223365eba19644079e8963880b20b3a74bf6c9ec48371baba336d978e44c2c3525466e2e9a7bb081a66796cab335252ed14680c842d134da554069
SSDEEP

98304:vcVkSuqDqfuhUdO4wjYBLryyoMSiIbZn3TgFsrFql:U5uqDqmU44wmLaMSiURpql

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
5064	qqchess1.2.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002335a-199.dat	upx
behavioral2/files/0x000900000002335b-205.dat	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	qqchess1.2.exe
File opened (read-only)	\??\B:	qqchess1.2.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\VB6STKIT.DLL	qqchess1.2.exe
File created	C:\Windows\SysWOW64\VB6STKIT.DLL	qqchess1.2.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\zy_1024_768_32.xml	qqchess1.2.exe
File opened for modification	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\freechess.dat	qqchess1.2.exe
File created	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\sogoutb_setup_pp365sosoft18_mini.exe	qqchess1.2.exe
File opened for modification	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\sogoutb_setup_pp365sosoft18_mini.exe	qqchess1.2.exe
File created	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\×ÔÓÉÆåÍõÊ¹ÓÃËµÃ÷.txt	qqchess1.2.exe
File created	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\BOOK.DAT	qqchess1.2.exe
File created	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\QQchess.ico	qqchess1.2.exe
File opened for modification	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\Hand.ico	qqchess1.2.exe
File opened for modification	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\QQchess.ico	qqchess1.2.exe
File opened for modification	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\zy_800_600_16.xml	qqchess1.2.exe
File created	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\zy_1024_768_16.xml	qqchess1.2.exe
File opened for modification	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\BOOK.DAT	qqchess1.2.exe
File opened for modification	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\bind_8134.exe	qqchess1.2.exe
File opened for modification	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\zy_1024_768_32.xml	qqchess1.2.exe
File created	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\zy_800_600_32.xml	qqchess1.2.exe
File created	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\Hand.ico	qqchess1.2.exe
File created	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\wpsdls.8824.37.exe	qqchess1.2.exe
File opened for modification	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\wpsdls.8824.37.exe	qqchess1.2.exe
File created	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\zy_800_600_16.xml	qqchess1.2.exe
File opened for modification	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\zy_800_600_32.xml	qqchess1.2.exe
File created	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\bind_8134.exe	qqchess1.2.exe
File opened for modification	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\×ÔÓÉÆåÍõÊ¹ÓÃËµÃ÷.txt	qqchess1.2.exe
File opened for modification	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\zy_1024_768_16.xml	qqchess1.2.exe
File created	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\ZYChess.exe	qqchess1.2.exe
File opened for modification	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\ZYChess.exe	qqchess1.2.exe
File created	C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\freechess.dat	qqchess1.2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	qqchess1.2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	qqchess1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	qqchess1.2.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	qqchess1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	qqchess1.2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	qqchess1.2.exe

C:\Users\Admin\AppData\Local\Temp\qqchess1.2.exe
"C:\Users\Admin\AppData\Local\Temp\qqchess1.2.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:5064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=748 --field-trial-handle=2588,i,4353937220825226770,7138584070663735671,262144 --variations-seed-version /prefetch:8
1⤵
PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\BOOK.DAT

Filesize
1.6MB

MD5
6a403b6af3d08fd857881d2e43b9dbc4

SHA1
46f22430f443f149f7a370b337bac318ada871f8

SHA256
d97e0f9c7d4d0012b09db65212efc6fa544dc314125e28862e0a524bdfa60570

SHA512
4ee56bc0fe174599f8f3c8149fde0aa12d970dc2bc7638d3c3d59059d1b486d274c94e6e56047660357231c31f9b02c53e683413a528b89b7c7c4431f1191d73

Download Submit
C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\Hand.ico

Filesize
326B

MD5
36af4bd3e963bb6d681c3e043c06f504

SHA1
7a1c7a8646f6e47f38dfdd3874ca90c05d52507c

SHA256
87bfef52971132ff30f7713898a8e729e6f54976eff957e47507f14469455976

SHA512
6a6a4780b82b5539c6abad1dbd94c562e0e67250639649acbb2079963af8e740a6fd02e5717b61d4b21c5c06d16055e2cb55c052281be4fb706ab625ca8d21c8

Download Submit
C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\QQchess.ico

Filesize
26KB

MD5
bac8ea9db3e69a070afaee8c3c4be8bd

SHA1
4a33da64064df74b736e70681e1053db91582cd4

SHA256
76a72b4019ddbbd0b9de064628ca8192e31a25685a999f1411dc6042eeb9f29a

SHA512
35d0095f675e3324fcc782b3522176a55a8128b9215d63e08d8d68932d3870e4e05ba39a407f87f8de1861915a14654e02ff7916bc9d06a81bccc43fe3322b4a

Download Submit
C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\ZYChess.exe

Filesize
216KB

MD5
77416a30cbda4842532c75ddb84f59fc

SHA1
5da17c1f1b3fd90aacd8a5e2459fda00a51ec069

SHA256
a510a196faa402f24de4562228736368c87c917653492f1d5ced6d77a29f7f9b

SHA512
3aeec08c7dd044d2c972ada2cb393779bc7d5ed963ab849f5279b45defcbbe79b2900e31b039f0ee012feab7d8dc03b9b05c1b168d813c44a2e103f06e469b0e

Download Submit
C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\bind_8134.exe

Filesize
48KB

MD5
1d10d5969a37ecc2dfa60ada66a13513

SHA1
d7282609636b0835fd8a8981586ea59fb9fbf9df

SHA256
748190035eec74d824400dc4ee0a1e0317349036a5a71aa5323a965fae0bd716

SHA512
aedda18d58f3b00679770cb0ff3033c20092a50fd0bed05c55988d6b075269d6a94fb7bbb0816d22855296ba1e8d0ddfc485c23c73a81f75c4e305e519bfe4b1

Download Submit
C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\freechess.dat

Filesize
80KB

MD5
0845b969fa366b3c5993c7af3161f02f

SHA1
1a2012c38f132fe6cd4e5565637ee3ad7f2a5fd5

SHA256
75e7a88a0df19fccbbe04b94a8811b9d7af0d4ef9f2666cf34d09c56ce137e82

SHA512
482242175f3d7c4950ed1c1bb7f568d60a264d548b5da74f5f30e5539582a3573ebb265d6665b47fc0ff54d875cd6e7071ada9680fd85614a3c5cf83348d18fc

Download Submit
C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\sogoutb_setup_pp365sosoft18_mini.exe

Filesize
281KB

MD5
194d0098b1b7c123ad782613d2af359a

SHA1
c99c812abfc2f08e8017d77b8f761262173f1b9f

SHA256
05cb280095b94315a446f74cccd8af3b2ce53b674d6d9025806fe660a1cc0f4d

SHA512
25432e7f63f6a1f3d3d3329e914b50299de047c45cdf25a60da7eb8ac49b38cde6c69aaf98aa52975b8467efcab1841bcef61997bfc5ea84e25a16c964217ba1

Download Submit
C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\wpsdls.8824.37.exe

Filesize
232KB

MD5
99e6662b4f2abfa53937cd54207b8e06

SHA1
67d0087a36afda2cc282ce053037b137b48f317e

SHA256
04115b0c94d043af4d3d00980569aea2c43cd3f3e68ff29663a1d87fc3d7411d

SHA512
84df1dcb356c5ab1ea2a068863bd1a680cc1f3c56604a8ddb3f0c364d7750368c83ef91f9a08a277a477b7aabd286aaecf852b627bc5cc8e9d60d609eaa9fdc3

Download Submit
C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\zy_1024_768_16.xml

Filesize
43KB

MD5
dce6a05e7534cfae6779277513d29bd8

SHA1
4a87b9dcc899427972f7f30802689511221cc108

SHA256
3f37984926507fdf3ba4c95710cbe0622cf690e0108f248df0872ad6b2b78a9c

SHA512
f13922a4f358e568594f9749a131e92e0fb20edfc46ed3401dd2e4194d3ca9e217398d8a2e4dee398eb3d57b400266acf89533076ae3d82aba13bd6a6f4cdd47

Download Submit
C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\zy_1024_768_32.xml

Filesize
43KB

MD5
477f9edd641d8c8c103018ad7209ae92

SHA1
837b423850abd3a179862df8b10115f5a88501fa

SHA256
9b02e0afa770b4127ebeeb3055a044b835dbc724b48f75f355b5648bec762698

SHA512
ca847e13b50e575c41e33f152ca479a06d117bd7b2e7dbad9b0cfe1df2fbfb4069c805618bc8b187b7f85f4d4ffa1966f0beaf85e89eb0b2f03474f599858177

Download Submit
C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\zy_800_600_16.xml

Filesize
47KB

MD5
358465842a38d9e3bf6436b2275f07d6

SHA1
feeae73caedf5ff16a48db5dc56cf778156abc60

SHA256
56dc4a8564c55234bdf2e9ef451c7e7e3d481821c51512a870de2c56342f514b

SHA512
243c65de4518476989d07a16af7abf3407eb345289ee5aac96ee06e8a51eb71f9bf7318a6ba5ab69e9f7db58b2533ac28a3450b7c8735b5cc0af22708b8e12f0

Download Submit
C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\zy_800_600_32.xml

Filesize
47KB

MD5
95f35fff0be7053f586ceb98184f5ba5

SHA1
1267a9fd9a5dd1b8b532eb10ebdfcb829b00d8d7

SHA256
f33ae2617b41de6246b771a403e0bc70f8c65f3bc11ccbd52e5cb41ca1d054a0

SHA512
a080c2c8521a7080d8685acf990ede841327fec393b0d0ff8a2977ff4d6847ca0e07e224835853a31130ba9209c62660a7a5cd592c53a7892efff4cdcad139a8

Download Submit
C:\Program Files (x86)\×ÔÓÉ¿Õ¼ä¹¤×÷ÊÒ\×ÔÓÉÆåÍõÖÐÓÎÏóÆåÖúÊÖ\×ÔÓÉÆåÍõÊ¹ÓÃËµÃ÷.txt

Filesize
1006B

MD5
525d63c7bb1847e1b532a9f10f1810c0

SHA1
1cb8208a8026c6fd3b63cfa251a112d517524549

SHA256
da170ecb3e10193faf9eaa42983700ba578f907621592079e3fc6630c1756765

SHA512
4633d4bea36cab8d01dd7d14ef296354b618895fc390dc418ad976c42ca5d12c5e8db84d32517cbdec4f487162c4a38cf0cc3a3e0b182b51c52a7819972d64a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~vis0000\English.vlg

Filesize
10KB

MD5
0e36eb1ce14a3391a8073c6b22766908

SHA1
74b4f58d5a0b97b5226e41186bf00cb1493b991a

SHA256
9d4b233201a2d0e22e3762e8a269ff8742c2097d6cfcf707e01fc7f0bbbcb951

SHA512
2b708e24a5a0bc99d282c3465796e121421eb43c18295496291c3e21747fbd3de98250d0dc41d45950eeb7684dea6381ff37e8e2ab90228e7f27f87e86c9fe06

Download Submit
C:\Users\Admin\AppData\Local\Temp\~vis0000\default.bmp

Filesize
18KB

MD5
f372b11ff99bffed4cd279c0155adede

SHA1
89cbf60925076e9a14fd48b13790422b43a5b989

SHA256
d9d5e28eb445e7986bdef4d409868af205d525f2f0729427dfe3e33a7251b15d

SHA512
e902f0d7ff0e2af64ce3e8ae6d704ec21b04b35ac3f25a9acd53938b3b66fbaa02b25e816202f165e2d7339b62d2cd6fe9f764d64eefd5b24d1a108cb4b2679f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~vis0000\vise32ex.dll

Filesize
500KB

MD5
2c93e8c9854cf42d621b2eb05c420cb4

SHA1
515e440f64a141d6f82bb8a81a2f82a826f0ffc2

SHA256
27170b52d5d6887824aef79ca546c9eca7755cf2eb632b1129302028c99aa7aa

SHA512
420e45169a352d0575a9d1b1ab341b51ecf2be537ccf404d6ca02f24e0084591c5b200ed70842eec9eff7188c8d893c9303d283e8d4c131d96d05f3dab8df40a

Download Submit
C:\Windows\SysWOW64\VB6STKIT.DLL

Filesize
100KB

MD5
737be44c23baf9c094c46ff7d4e848c7

SHA1
08826635b8efc67725737738a477fc9aa2f594d0

SHA256
6fc6ce013a693fa291a07004adb3971774f420235e78f174d59de8e881f23530

SHA512
f147c3f6bc874eaf714d817a09556929129cbbc4c5ab0e89796aba07d876b90f01145d759e4a68d79429a673d0bb9297dba4382500515349da76d5e464f5c439

Download Submit