9bd725957221814876e0968ca3d75c9afb3cf3c4b4d3d1ada3c89966b437b7b0

Analysis

max time kernel
141s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bd725957221814876e0968ca3d75c9afb3cf3c4b4d3d1ada3c89966b437b7b0.exe
Size

197KB
MD5

6339e1ace1e2e7aff1a82ab165709e64
SHA1

bca37a1271b63280ea4b844ae353d656c364f5e8
SHA256

9bd725957221814876e0968ca3d75c9afb3cf3c4b4d3d1ada3c89966b437b7b0
SHA512

78251ffef277016cd2994ccaccd53084b48a14d24091b293677f6348ec3e3d74c336d7283c75345a59dd3d7de184fa2039c0f06358c49214ed3bbbf7d211cbd3
SSDEEP

6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOu:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXXj

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2372	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1728	qqwhost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\qqwhost.exe	9bd725957221814876e0968ca3d75c9afb3cf3c4b4d3d1ada3c89966b437b7b0.exe
File opened for modification	C:\Windows\Debug\qqwhost.exe	9bd725957221814876e0968ca3d75c9afb3cf3c4b4d3d1ada3c89966b437b7b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	qqwhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	qqwhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2256	9bd725957221814876e0968ca3d75c9afb3cf3c4b4d3d1ada3c89966b437b7b0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2372	2256	9bd725957221814876e0968ca3d75c9afb3cf3c4b4d3d1ada3c89966b437b7b0.exe	29
PID 2256 wrote to memory of 2372	2256	9bd725957221814876e0968ca3d75c9afb3cf3c4b4d3d1ada3c89966b437b7b0.exe	29
PID 2256 wrote to memory of 2372	2256	9bd725957221814876e0968ca3d75c9afb3cf3c4b4d3d1ada3c89966b437b7b0.exe	29
PID 2256 wrote to memory of 2372	2256	9bd725957221814876e0968ca3d75c9afb3cf3c4b4d3d1ada3c89966b437b7b0.exe	29

C:\Users\Admin\AppData\Local\Temp\9bd725957221814876e0968ca3d75c9afb3cf3c4b4d3d1ada3c89966b437b7b0.exe
"C:\Users\Admin\AppData\Local\Temp\9bd725957221814876e0968ca3d75c9afb3cf3c4b4d3d1ada3c89966b437b7b0.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9BD725~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2372

C:\Windows\Debug\qqwhost.exe
C:\Windows\Debug\qqwhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\debug\qqwhost.exe

Filesize
197KB

MD5
dfada71720ad2aab24f668deabd36e3b

SHA1
77feca7789dd3c8c95020367d37a6911ed386236

SHA256
722db77fdf3012821169df64e1b50e0fdb965dd795157cfded468c1987e133fc

SHA512
83452f6e2b91984eb1f62db424c0e744231f593c21cfb82de5df59db91beff155937968ca5da285f621dc954df2f4ac8d93a305a95c15e685d455636561d27ff

Download Submit