37d973a6b74b1919aab1518708fa91d14792b4218dc177d339c51e88d787535c

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CacheWechatBackup/Plugins/WechatBackup/ConnectService.exe
Size

4.5MB
MD5

bc1d2ace3221b777ce8ce1bce7e45bb5
SHA1

b5d74e4c5d050c3015b15db33f14338f8b3b3b92
SHA256

229c60f01ddfc262e0a18e5658ea67e0f0aac1583990009771a6ec63d59b5ae7
SHA512

91c01f53e46ae0741aaf9ae181ce3bfe0714d01d4aa83d3afd3e7dcac97616e682743af26490aec537f19675e839ccd843fd3445a8db29fb52c13e249ec83cdb
SSDEEP

98304:2Hy0XTpSonO9/SBrFFjMoYsRf3Ewex0nT7s9t+sqX9Gwpt:PkN5MQBiTSswex+HsqtB

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2220	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
2468	AndroidDaemon.exe
2680	AndroidDaemon.exe
2508	AndroidDaemon.exe

Loads dropped DLL 13 IoCs

pid	Process
1992	ConnectService.exe
1992	ConnectService.exe
2468	AndroidDaemon.exe
2468	AndroidDaemon.exe
1992	ConnectService.exe
2680	AndroidDaemon.exe
2680	AndroidDaemon.exe
2508	AndroidDaemon.exe
2508	AndroidDaemon.exe
2508	AndroidDaemon.exe
2508	AndroidDaemon.exe
1992	ConnectService.exe
2508	AndroidDaemon.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\AndroidServer\daemon.log	AndroidDaemon.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\AndroidServer\driverinstall.log	AndroidDaemon.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\AndroidServer\main.log	AndroidDaemon.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\AndroidServer\tadinstaller.log	AndroidDaemon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	ConnectService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\AndroidServer.exe = "9999"	ConnectService.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	AndroidDaemon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	AndroidDaemon.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	AndroidDaemon.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	AndroidDaemon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	AndroidDaemon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2468	1992	ConnectService.exe	28
PID 1992 wrote to memory of 2468	1992	ConnectService.exe	28
PID 1992 wrote to memory of 2468	1992	ConnectService.exe	28
PID 1992 wrote to memory of 2468	1992	ConnectService.exe	28
PID 1992 wrote to memory of 2680	1992	ConnectService.exe	29
PID 1992 wrote to memory of 2680	1992	ConnectService.exe	29
PID 1992 wrote to memory of 2680	1992	ConnectService.exe	29
PID 1992 wrote to memory of 2680	1992	ConnectService.exe	29
PID 1992 wrote to memory of 2220	1992	ConnectService.exe	31
PID 1992 wrote to memory of 2220	1992	ConnectService.exe	31
PID 1992 wrote to memory of 2220	1992	ConnectService.exe	31
PID 1992 wrote to memory of 2220	1992	ConnectService.exe	31

C:\Users\Admin\AppData\Local\Temp\CacheWechatBackup\Plugins\WechatBackup\ConnectService.exe
"C:\Users\Admin\AppData\Local\Temp\CacheWechatBackup\Plugins\WechatBackup\ConnectService.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Roaming\Tencent\AndroidServer\1.0.0.278\AndroidDaemon.exe
  "C:\Users\Admin\AppData\Roaming\Tencent\AndroidServer\1.0.0.278\AndroidDaemon.exe" -ku
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2468
- C:\Users\Admin\AppData\Roaming\Tencent\AndroidServer\1.0.0.278\AndroidDaemon.exe
  "C:\Users\Admin\AppData\Roaming\Tencent\AndroidServer\1.0.0.278\AndroidDaemon.exe" -is
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2680
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" firewall set allowedprogram "C:\Users\Admin\AppData\Roaming\Tencent\AndroidServer\1.0.0.278" "Tencent Phone Manager" enable
  2⤵
  - Modifies Windows Firewall
  PID:2220

C:\Users\Admin\AppData\Roaming\Tencent\AndroidServer\1.0.0.278\AndroidDaemon.exe
"C:\Users\Admin\AppData\Roaming\Tencent\AndroidServer\1.0.0.278\AndroidDaemon.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Tencent\AndroidServer\1.0.0.278\Daemon.dll

Filesize
102KB

MD5
ab70620c8e5eab8e686276903eec57f0

SHA1
94fb3da12d63e3815f21534bc19de05349fbf6b1

SHA256
70d72e8ede2fb94c4dcce569d8534d97db149db1770289bc1fa8311a85617634

SHA512
cd1234665e9a1074531134da9a7f8a94ba7ab5ecf93c6bf523a4baf8d22c9aa3ee3d5d48f6729606b7397b7e37ed5bbfaea81e3da2e4e6cf9db2edaadce94980

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\AndroidServer\1.0.0.278\Log4cplus.dll

Filesize
281KB

MD5
009703ca09639d024f8730f148d5621d

SHA1
a75f6db62877c2da94422df0327b2d45068278e3

SHA256
3ebbf6cd83b36648f95487a815b0244cd8859109d45d609d9977783dfeba4dc6

SHA512
3ca28f2844a3e6f4f4cb4d4baa2e67be91bd957f2e6ef1bb638cccadf86abba8012a81b9197e74d4b28359ee610249bd54a5990e4de31c5a600795aabc2fb05d

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\AndroidServer\1.0.0.278\MSVCP100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\AndroidServer\1.0.0.278\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\AndroidServer\1.0.0.278\QQPMIpc.dll

Filesize
71KB

MD5
6e093264fe98f5e392f96919e4be8a00

SHA1
1818405f2d34ae572efb25f6dfb71549687c714d

SHA256
0348e36008f2039f50c98640d44e8146c90f8ea650d3bce2034474c2cfbe8fe0

SHA512
b63ac6d621d35082651f65ddb1481252c022eccf9299c7f593dcd40955d1b09aa5d75a27d8cc3c0fa4d294a0934913ed3dce54385b9d8db191dd5e4a7383deb8

Download Submit
C:\Users\Admin\AppData\Roaming\Tencent\AndroidServer\1.0.0.278\main.properties

Filesize
2KB

MD5
2ee673e3991c6198928606d8aeebc712

SHA1
67a1857feef3fbdd529fd22f77c90b9103c85e5f

SHA256
9df50e17b468de13ee50e0ebdf38fa7a6939dbbcb204c166662be6ba6a727087

SHA512
09fcfa27fd0134c875101dfb34a7982eb44a1daaadfa1e3078d5b7518aea55886abae93fb213ff9fe4742509f429647c2ce028d08dd510f3a0c8324e65d51119

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1D81.tmp\NSISCommon.dll

Filesize
95KB

MD5
143328e7a59de3196e5a9b58ff72d98b

SHA1
61a8ffacfd986cc2b841af45582fe895b9096d52

SHA256
8fb567f263e976c7eb77c549f6dfb30ceed708f0408c5ea655e8dc87ceecb302

SHA512
75f527b8a8a668d018ee83bb0317d78a86ae9bdee0843540d115b217c23b725e6e00c999a09a92c49c0cff71fd42333f132e00d516a77d080292d1581f27dca4

Download Submit
\Users\Admin\AppData\Roaming\Tencent\AndroidServer\1.0.0.278\AndroidDaemon.exe

Filesize
35KB

MD5
8458b23988c4d596df0fc723a060e2c9

SHA1
aa36141b44816d89b7e62f3c1474148baa3228b6

SHA256
b7b7dc6ea35bbcafe96232905f3a14cea34825231e3389b958aa7836cb90b325

SHA512
ffeffb148ec70c8dc8df64b7a4c0f403f5c54f9b43061037fe712dd9b00b7d6e856551b759480439d0659433d54ac7b26143b4ad01c4d8c7bb2553fe4ed0d376

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads