Overview

overview

8

Static

static

3

fb71a9372f...18.exe

windows7-x64

8

fb71a9372f...18.exe

windows10-2004-x64

8

$_2_/Ad.exe

windows7-x64

1

$_2_/Ad.exe

windows10-2004-x64

1

$_2_/Downl...PS.dll

windows7-x64

1

$_2_/Downl...PS.dll

windows10-2004-x64

1

$_2_/QQVip...er.exe

windows7-x64

8

$_2_/QQVip...er.exe

windows10-2004-x64

8

$_2_/TXSSOSetup.exe

windows7-x64

7

$_2_/TXSSOSetup.exe

windows10-2004-x64

7

$_2_/Tencentdl.exe

windows7-x64

1

$_2_/Tencentdl.exe

windows10-2004-x64

1

$_2_/bugreport.exe

windows7-x64

1

$_2_/bugreport.exe

windows10-2004-x64

$_2_/curllib.dll

windows7-x64

3

$_2_/curllib.dll

windows10-2004-x64

3

$_2_/dlcore.dll

windows7-x64

1

$_2_/dlcore.dll

windows10-2004-x64

1

$_2_/extract.dll

windows7-x64

1

$_2_/extract.dll

windows10-2004-x64

1

$_2_/tinyxml.dll

windows7-x64

3

$_2_/tinyxml.dll

windows10-2004-x64

3

$_2_/tnproxy.dll

windows7-x64

1

$_2_/tnproxy.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    19-04-2024 23:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $_2_/QQVipDownloader.exe

  • Size

    1023KB

  • MD5

    65dbfaf76be7baf0369e1a202f8499cc

  • SHA1

    542dca77ea0f20b91b8ebac80e326686dd507c55

  • SHA256

    e997d69e9649210f79167f2a8501196ac2a62a23944b5d0d39b1e9bd7e3b774f

  • SHA512

    0880bc2a3182708e3ac620f4028a85eb1683bda96f0246ea5751c9ad20c3ea2c1e9879751b4f57fea0ee16b41347a93be88ef0f87661583971204179b917b608

  • SSDEEP

    12288:pDfAIZBLC7KNkg2BirPUTYLzD3zk2U5LZE+KGngCRyEi1QOCXSSY9p8s96+9AUys:pDfAIZBZkg2B4UsKKLEiGi9X0cAUSK6

Score
8/10
bootkitevasionpersistence

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 18 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$_2_\QQVipDownloader.exe
    "C:\Users\Admin\AppData\Local\Temp\$_2_\QQVipDownloader.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe
      "C:\Users\Admin\appdata\local\temp\$_2_\tencentdl.exe" /install
      2⤵
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe
        "C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe" /RegServer
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="腾讯产品下载组件" dir=in program="C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe" description="C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe" action=allow
          4⤵
          • Modifies Windows Firewall
          PID:2640
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="腾讯产品下载组件Crash上报" dir=in program="C:\program files (x86)\common files\tencent\qqdownload\127\bugreport_xf.exe" description="C:\program files (x86)\common files\tencent\qqdownload\127\bugreport_xf.exe" action=allow
          4⤵
          • Modifies Windows Firewall
          PID:2652
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s "C:\program files (x86)\common files\tencent\qqdownload\127\DownloadProxyPS.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:2724
  • C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe
    "C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe" -Embedding
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of FindShellTrayWindow
    PID:2416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\Tencent\QQDownload\127\InstallInfo.xml
    Filesize

    1KB

    MD5

    68deb2a7669c8a17da384ca980b360a9

    SHA1

    c0c46ffb5f5a21d384fb03ca5e6c44a4cf0307dc

    SHA256

    fb32f89eda8ab7303629f1c13fbe055b57e9fe2a9fde4694b1447ed081606e57

    SHA512

    d8e49fd250a7c721cc6a91af5df89446e9625f9228dea12ec303bc3d6bda3f2870aca58021c275c24bdcba9b2c91745f21bdf540df02f28c2db872c799239732

    Download Submit
  • C:\program files (x86)\common files\tencent\qqdownload\127\tencentdl.exe
    Filesize

    915KB

    MD5

    7e8dfc56349967d134ccdc9de4cd772f

    SHA1

    80f9636e5f2b7509d50e3e865b5c0d921348fff0

    SHA256

    fcaf44a74ec98e9780ddded45729dab1dc292c3a1bfed1c1a7ce56f1fed9b604

    SHA512

    b25fa86519cc23157f253ab816e8f8dfab54c5eddb72ec2092ece5b33767131f2ebdb4c791a2e28688c3bbbddc0db1e34d046f309592f95bf4665f5f12617010

    Download Submit
  • \??\c:\program files (x86)\common files\tencent\qqdownload\127\dlcore.dll
    Filesize

    1.9MB

    MD5

    0ed92ed82d4d1b22fe231c177b45eac5

    SHA1

    d858a692e6c0a364137c4d0190816809b8c37f7f

    SHA256

    ad1425b8497cf8b5891adbd51371c3ceb0f977e6e417b6c3f3262e6b6f01e2fc

    SHA512

    8d7d60e84314ba2b5b1a9248e6ddf1f2723844ebde1953343ee5f825f1d3e30a5a9a504d028c9311f9aa82c17929c4927769b7ae6df986003b2c1aaef0be3aa1

    Download Submit
  • \Program Files (x86)\Common Files\Tencent\QQDownload\127\DownloadProxyPS.dll
    Filesize

    67KB

    MD5

    9c629978377e3edc8d0b001115f93eec

    SHA1

    c563aad2e04b0e69b3ceeb722f7f7e85dd3cb410

    SHA256

    1ce25ffc0d8671f5c44573ec190533860cc3bec823d2dcfaf4548a0bd76add50

    SHA512

    34cb1eafd31385094bc0f2f03da80fb94662a7a966dff7f9be974b5e850e2c588e82546edfaf244b7f20046fd63421495b7a429d50184d074b83208d86dcd619

    Download Submit
  • \Program Files (x86)\Common Files\Tencent\QQDownload\127\extract.dll
    Filesize

    358KB

    MD5

    9da51d4506bd094fbfc7d337338fc872

    SHA1

    1b5799ef6b66ac9471842f17570813e7c42cdb27

    SHA256

    f2181e41d5950fcb762edf6b9cbb665e94004a7f1102b606c331690e6069a501

    SHA512

    07dfae7c04ea2815ed78af9e29313050338bfec5a8e08a8846c0f846d6d27b79b7bfe2c3b4dbf3758aa22f88342aadf5513dcbcd6a718b9dd939996d6ce9e044

    Download Submit
  • \Program Files (x86)\Common Files\Tencent\QQDownload\127\tnproxy.dll
    Filesize

    707KB

    MD5

    3bad47f1e11387358ba090fbc2682713

    SHA1

    e7e7843d3fd4f45fdb65ff40936bc28a10651589

    SHA256

    26c906e83d280f03e021a5730908cc40551f8ef98e048b9ae001354ec83ae736

    SHA512

    c00f7079746cc0ab961680ca784cac036ad60c2883e032fea9d8ac4791579f5cb952a341efb0068a38f81ab84c6dc870ddd8ae5ddb66d17a812a80fc8e1486eb

    Download Submit
  • memory/1612-37-0x0000000006EB0000-0x0000000006EC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2416-35-0x0000000000570000-0x0000000000580000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2416-30-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2416-41-0x0000000004EA0000-0x0000000004F4F000-memory.dmp
    Filesize

    700KB

    Download
  • memory/2416-43-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize

    4KB

    Download