d8ea2b5432775ec307541d6ff8a7b397a622f60ffd66c743e457bb46cc157fef

Analysis

max time kernel
149s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QQ2007Beta2_skycn.exe
Size

19.4MB
MD5

abd76dedc1bd418a380479aff476f1f5
SHA1

0d701b754fcc36e28016a914dfb40bc97c7d86a2
SHA256

b90cc7c176f3c82c4f5aa9afdec1964524e7c25c2d2a8e89ba69a78f4a6b420d
SHA512

c429c8ee49c3ba29f3bd66acda3817e98825dfdc5ff559abbb04ede3b1839ef20da305c4befd70dd2de1a2b914a3dbd8e81bbd3420123f1bf2a68fb9ef11b9b0
SSDEEP

393216:QRAYI62+v/9kU3NN6PRlnMXmVCkc5Ps6DGoLuG47jgyppWIoSqG1u:KAYd2CKU3iPRlnekWPs6DzjhKpFqsu

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023257-18.dat	acprotect

Loads dropped DLL 9 IoCs

pid	Process
1128	QQ2007Beta2_skycn.exe
1128	QQ2007Beta2_skycn.exe
1128	QQ2007Beta2_skycn.exe
1128	QQ2007Beta2_skycn.exe
1128	QQ2007Beta2_skycn.exe
1128	QQ2007Beta2_skycn.exe
1128	QQ2007Beta2_skycn.exe
1128	QQ2007Beta2_skycn.exe
1128	QQ2007Beta2_skycn.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023257-18.dat	upx
behavioral2/memory/1128-21-0x0000000005130000-0x0000000005143000-memory.dmp	upx
behavioral2/memory/1128-150-0x0000000005130000-0x0000000005143000-memory.dmp	upx

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfc	QQ2007Beta2_skycn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cfc\ = "CFC.Package"	QQ2007Beta2_skycn.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1128	QQ2007Beta2_skycn.exe
1128	QQ2007Beta2_skycn.exe
1128	QQ2007Beta2_skycn.exe

C:\Users\Admin\AppData\Local\Temp\QQ2007Beta2_skycn.exe
"C:\Users\Admin\AppData\Local\Temp\QQ2007Beta2_skycn.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:2964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsc177D.tmp\InstallOptions.dll

Filesize
13KB

MD5
b4ae88873b8f735cce21f4f280b40e75

SHA1
32b2f6929645821adb3f63952de63805838f6172

SHA256
e8c6b3e917d708756e67fd709e5b78f333490be49532d85b1fa02cc844c7913f

SHA512
a109f3ba291e1d34b6c07d1e270c2d7f7c78a5e1e0fb1bb494779564f1608fe53d919d68a72a2b9aaaf0e23744fe16082a4e4833adf5a8edb499481ca5970ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc177D.tmp\ProcDll.dll

Filesize
19KB

MD5
62d2f0a425fab6799db0b7b4eb939696

SHA1
0a4487159fcec57d63d172559c51e75a184ae559

SHA256
7adc45f2e2b5f5fdeaa7ff5a83bac63fef729979702f4997ecb0a8b6a1a0f785

SHA512
cbebe63ab2797bb7f8d1d3fa96b8e6839148e20c56b326682d8aff55ef28b16b75c9bfab6b0011847945f0842a30d5bd8faa038b8fe38b356941863d62b7992f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc177D.tmp\QQDoctorHelper.dll

Filesize
60KB

MD5
aaeb7abea1353d6657e088ffb743b3c0

SHA1
5b46ceb23870f82bafa0088cd3dcc093ba9c9a7c

SHA256
899a82bcbdffe8a02639acca3f4b2c91e40399cdf684039130e616e51d93a18b

SHA512
6d59306712ddb9472f5930c66075452f5fe03c05cd023c94fee089578097035d3c6afc58068b7a865bce57ce300d3ba83827f921916e048adec0152d623f739d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc177D.tmp\SysHelper.dll

Filesize
92KB

MD5
cc7afe4903cd35bf2b103450f890b055

SHA1
245d0062e0c16e1dd2582d2a7645a315b071f496

SHA256
d652adde403170fd58b08961a5c16659de9a78b36665aa3bfe76bc06b3814352

SHA512
d5e9ee348a057f66aae9577a8a15960a09c09f04239f9b9eb2134f4760cba528ba61b93a7c0a19064bfbf05678b506d352ffa9ab7e4d699f1c9ad54f0af7dad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc177D.tmp\SysVer.dll

Filesize
44KB

MD5
8d3e6a5c864c293f78721ab5168cc3b3

SHA1
a198b2857b38d931bfa11def2340181450b94aaa

SHA256
e17cbc42ef349ea63bb580fd5dac326f49969bb0d757334e0429362e8e5d6fbd

SHA512
a61aceeea173a577d4b30f089f7cfab4841036a06a0b1530041400e9378afb4c825f1a1370d263a382fc6655ed4ead062b68121131cfbc529c656969acfe96c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc177D.tmp\ioSpecialW.ini

Filesize
749B

MD5
52473839fc0d048ce2f7ba87d61eff83

SHA1
43798ff410ff282aa8214544221bab20174c4bd9

SHA256
a6b2804816453ac4d90b812cf7897ba5cd7528f4d2692fb8ebf6890f4195adf8

SHA512
cc0dae5026a9afaf804dc86b5cd9be5e00223dd131b5ba723af2219d518df817d23c07be59212063225a345185d03fcf7a786d06f3ebad63ba96674c1f4326f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc177D.tmp\ioenvset.ini

Filesize
120B

MD5
7de919503a68c4d7c4216803263bb649

SHA1
f865c495458de9fda154ff77ab12d6ab0f5d9c03

SHA256
2c362f22ad231eb0dcaaeb9213d305b88b5703419d327d2260fc96b4526024db

SHA512
250365da1126c4c9f32a23e0a5af4cdfb5247dbfc0ebe983287e63cf7e96322fed0413886240ea3ec475993b47af40934688ff418a771c70a1c04036188acfdc

Download Submit
memory/1128-11-0x00000000050F0000-0x0000000005108000-memory.dmp

Filesize
96KB

Download
memory/1128-21-0x0000000005130000-0x0000000005143000-memory.dmp

Filesize
76KB

Download
memory/1128-27-0x00000000022D0000-0x00000000022E0000-memory.dmp

Filesize
64KB

Download
memory/1128-150-0x0000000005130000-0x0000000005143000-memory.dmp

Filesize
76KB

Download