3e7c8926e442f4b39c75df7319a2885c1495bef85cca82e7d1572dbcec1a00f4

Analysis

max time kernel
147s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QQPCDownload310060.exe
Size

1.9MB
MD5

4b82a52bbcac9ac5012b81df7be7f78e
SHA1

14077ae69cdcd9a175bcd957aaaa608f0d647244
SHA256

3e7c8926e442f4b39c75df7319a2885c1495bef85cca82e7d1572dbcec1a00f4
SHA512

254e694837f3240a6474c9b7cc80ae5627a880ec920a0212af5a7e32384bad03502048593d3391c906d26383bc2a1380046d496589736dce32c52b7dcd781e5f
SSDEEP

24576:evpH41Cl36RgrO/+NiLrJ9M9xwvV2ExxF54TOh/JAu52v54QY0GFyY6sJLfQOmf9:MmCiLnwUDN88/euMvUnkY6sRfVmdQE

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	QQPCDownload310060.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	QQPCDownload310060.exe
2732	QQPCDownload310060.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
280	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2732	QQPCDownload310060.exe
2732	QQPCDownload310060.exe
2732	QQPCDownload310060.exe
2732	QQPCDownload310060.exe
2732	QQPCDownload310060.exe
2732	QQPCDownload310060.exe
2732	QQPCDownload310060.exe
2732	QQPCDownload310060.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2732	QQPCDownload310060.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 280	2732	QQPCDownload310060.exe	28
PID 2732 wrote to memory of 280	2732	QQPCDownload310060.exe	28
PID 2732 wrote to memory of 280	2732	QQPCDownload310060.exe	28
PID 2732 wrote to memory of 280	2732	QQPCDownload310060.exe	28

C:\Users\Admin\AppData\Local\Temp\QQPCDownload310060.exe
"C:\Users\Admin\AppData\Local\Temp\QQPCDownload310060.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Tencent\DeskUpdate\Guid.db

Filesize
1KB

MD5
7d5978331bccf2bdde17c1eb7ecdd186

SHA1
c0711458848ce1930f5c175d693bcd90a6d50ec9

SHA256
6fa1f5ea517052abc086b5865363f782c973e5d937f8449c08396490e0e8f0ba

SHA512
78011ed24006faa490f4f4f9aa88ea201491a121393940c5cb10e257bfdeb6fea02764948cd0187e1e072c589c68bd9d921869cda8dfde61a820adab6f0e8622

Download Submit
C:\ProgramData\Tencent\DeskUpdate\GuidInfo.db

Filesize
240B

MD5
ee27a888bdb6dae88564c02709bab295

SHA1
60dfdc495735a4be11c835ba15b3024ad9eb1d53

SHA256
4df219abb41174f8245ec94d1a3894ba422a98799ae3b1d1a2879a63a1610e85

SHA512
3039057d00dbd7c3840185b37edacea8ba54939f913efe7064861ffb103ea12f2ce501218711ad7a88b9e86847c4143f03a08aac810183635f920b54e0b40cb4

Download Submit
C:\ProgramData\Tencent\DeskUpdate\GuidList.db

Filesize
221B

MD5
1b8b8d85aa0186040528d9d416608607

SHA1
0d686f2142d4bddcd368b926a0576757d81dbb86

SHA256
a2d99ea05227f6ad274a4086fd4f25aa9fc0ecba91db6ad3290de07a0c517163

SHA512
6ff7708ba169bdbd609b8e81e0a782514717804251d677a26d1908e381b8c259e668377a3cb6e734b396bc12640e99a0154283f15145e0ed9e3265056ec8cd69

Download Submit
C:\ProgramData\Tencent\DeskUpdate\GuidReport.dat

Filesize
400B

MD5
94b089a745e4fe0419d98e5b2eeea1c3

SHA1
ef8174bf672725be9e96f4566e1d5f58d8bde369

SHA256
e5886ead07e630032bf2eef989c40a5ee2a0b697731993349d66f3b67d9bda36

SHA512
9044e386f3e46f488e777a39f320bdc20dd5d188bb79dc6819bf6664534135c56d090a5e0d2690cb9b2afc9e638643d6a2e0fb2ae915321b94c632cb17275d9b

Download Submit
\Users\Admin\AppData\Local\Temp\TencentDownload\~f767188\QQPCDownload.dll

Filesize
1.7MB

MD5
f303c7c2408824e57a77b41418e35b5b

SHA1
aabc7c4b203fb94124ecd9b7e8ba81d4da722e1b

SHA256
74003c486081965e76fd00ca6b9265b04b8fe65f826e2b72e6717503f487aa81

SHA512
6e4ebee21d7944700385f075afd2b76dbdf590b00faf9c0041aff0b1c9c0b8663e5c79c44658a23aefa13ad234077b9e39f50e9f261a901a816cc668c363b28c

Download Submit
\Users\Admin\AppData\Local\Temp\TencentDownload\~f767188\beacon_sdk.dll

Filesize
1.3MB

MD5
67303cedd0654a075c13ef8b5135e28d

SHA1
d8fb6924b9d2a4d0a8075a8a3b63acd5346521fd

SHA256
1d5b0382c797b662ab49a2c88b9184bc45d8c18cc1c0a68377f1cb5989efe277

SHA512
b644b810c35e1e01be423418707758c9c851b04d7e3408f44482d67dfc2d36ef26802dbdd07d990c40ac705b2aa516ac1c792ab0e5ae6d54713b51874a0dffad

Download Submit
memory/2732-6-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download